Trustwave: 63 percent of breaches observed targeted payment card data

News by Roi Perez

New report from security company Trustwave illustrates a wave of crime looking to steal payment information from those in the hospitality, retail and food and beverage industries.

Security firm Trustwave has released its 2017 Global Security Report which contains some bleak findings relating to the rise of payment card data thefts and incidents involving point-of-sale breaches in the hospitality, retail and food and beverage industries.

Although the report mentions topics such as SCADA systems and application security, there is a clear standout issue in the report: 63 percent of all breaches observed in the US by Trustwave targeted payment card data. Thirty-three percent of those look to steal magnetic stripe data, while the other 30 percent is looking for information to commit “card not present” attacks. A further 18 percent went after financial credentials.

Incidents involving point-of-sale systems were most common in North America, as it has been slow to adopt the EMV chip standard which is now common in Europe. Trustwave's researchers believe the lack of the EMV standard and such a high-level of card data/payment fraud are so deeply interlinked that the moment “merchants adopt the [EMV] technology” the fraud should quickly diminish.

“As of November 2016, only 38 percent of US storefronts were capable of processing chip card transactions, according to Visa,” the report reads. “It may be another few years before POS-related incidents become as rare there as they are in the rest of the world.”

In total, 56 percent of attacks monitored by Trustwave are said to have affected the food and beverage, retail and hospitality sectors. This has become so lucrative that the Carbanak gang, famed for its successful targeting of financial organisations, is now going after organisations in the hospitality industry.  

To help mitigate these issues and drive a paradigm shift, the report's introduction refers to the Scout motto: “Be Prepared”, which in information security terms essentially advises a proactive and preventative approach to data breaches and cyber-security in general.

Karl Sigler, threat intelligence manager at Trustwave's SpiderLabs threat intelligence team, told SC Media UK, “My team and I are witnessing a lot of best practise which is essentially being ignored.”

He added, “Organisations ignore the basics and don't bother implementing them until something bad happens… Don't wait until it happens, think ahead.”

When describing how criminals are gaining access to the systems of those in the hospitality, retail and food and beverage industries, the report said gangs are attacking the  “low-hanging fruit”, for instance, “widely used software platforms with known vulnerabilities”.

The report says that attacks on corporate and internal networks have risen three percent this year to 43 percent. Point-of-sale attacks are up nine percent to 31 percent. The only attack vector to record a decrease was e-commerce compromises which fell by 12 percent to 26 percent.

“As expected,” the report said, “the types of data cyber-criminals sought strongly correlated with the type of environment attacked. Most of the incidents affecting PoS environments targeted track data, the information encoded on a payment card's magnetic stripe but not on the EMV cards used in chip-and-PIN transactions, which are significantly more secure.”

“Similarly”, it adds, “most of the incidents affecting e-commerce environments targeted Card Not Present data, used to process payments made over the internet. Incidents involving corporate and internal networks targeted a range of different data types.”

There is some good news however: “Once detected, victims usually contained intrusions quickly. The median number of days from detection to containment was 2.5 in 2016 with values ranging from -360 days, meaning the intrusion ended 360 days before detection, to 289 days. In cases where containment occurred after detection, the median duration was 13 days from detection to containment.”

“In cases where containment occurred after detection, the median duration was 13 days from detection to containment. The median total duration between intrusion and containment was 62 days in 2016, almost the same as in 2015,” the report reads.

Speaking on method of detection, the report said, “In 2016, compromises detected by regulatory bodies, card brands and merchant banks accounted for nearly half of incidents, followed by self-detected compromises. As noted previously, victims that self-detect compromises typically identify and contain them more quickly than compromises outside parties detect; so, it's good to see the share of self-detected incidents increasing.”

The top factors contributing to compromise are remote access (29.7 percent), phishing/social engineering (18.8 percent) and code injections (15.6 percent). All of the above have seen a significant rise on the previous year of 10 percent and upwards.

Interestingly, the report notes a rise in spam in 2016, which in all years prior was seen to be falling. Trustwave's team attributes this to Necurs, a botnet responsible for an increase in spam being sent out with malicious files attached. Thanks to Necurs, malware detected in spam traps has shot up to 34.6 percent, from 2.74 percent the year before. The top files attached are HTA (9.9 percent), WSF (44.65 percent), and JS/JSE (35.42 percent).

Unsurprisingly, the software most attacked is Adobe's Flash. “Despite the numerous high-profile mitigations Adobe recently built into Flash,” the report reads, “attackers continue to target its technology most often. Of the seven new exploits integrated into exploit kits in 2016, one targeted Microsoft Silverlight, two targeted Internet Explorer and five targeted Flash, including one (CVE-2016-1019) that was a zero-day exploit when it appeared in the Magnitude kit.”

Concluding, Trustwave's Karl Sigler told SC that there has been a decline in attacks using some of the bigger exploit kits. Sigler opined that the decline observed is most likely down to a series of arrests made in relation to the gangs which operate them.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews