If the 2014 holiday shopping season is any indication, cyberattackers have shifted their tactics, placing quality of attacks over quantity as they zero in on high-reward targets by exploiting retailers' database vulnerabilities.
In a study released Jan. 5, IBM Managed Security Services researchers revealed that the number of cyberattacks on retailers dropped by a third during late November and December as compared to the same period in 2013, and half as many breaches occurred during the busy Black Friday and Cyber Monday shopping period.
For the two-week period from Nov. 24 to Dec. 5, IBM identified 3,043 daily cyberattacks, nearly one-third fewer than the 4,200 attacks over the same period in 2013.
IBM's analysis of data compiled by the Privacy Rights Clearinghouse shows a similar trend for 2014 as a whole, with retail breach incidents last year down 50% from just two years ago.
Nevertheless, malicious hackers managed to steal more than 61 million records last year. The findings demonstrate "cybercriminals' increasing sophistication and efficiency," IBM researchers said.
IBM noted that the 50% drop in the number of retail breaches during the holiday season resulted from attackers scaling back on attacks around Black Friday, the traditional opening of the Christmas shopping frenzy on the day after Thanksgiving, and Cyber Monday, usually the busiest online shopping day of the year.
By contrast, the 2013 holiday shopping season saw massive security breaches at retailers like Target, resulting in a record number of consumer records being compromised.
Interestingly, when IBM analyzed the total number of retail records compromised in incidents involving fewer than 10 million records, it found that the number of records compromised in 2014 rose 43% over 2013, and that percentage doesn't include what may prove to be a massive data breach at Chick-Fil-A Inc. first reported Dec. 31.
"While we have seen fewer breaches reported in the last two years," said IBM in the report, "these breaches were more significant and wide-reaching in terms of victims affected."
Database vulnerabilities lead to retail data breaches
While point-of-sale (POS) malware attacks continue to increase, IBM found that the "vast majority" of incidents targeted retailers' databases via command injection or SQL injection methods. For example, the researchers found that nearly 6,000 attacks against retailers involved command injection.
"The complexity of SQL deployments and the lack of data validation performed by security administrators made retail databases a primary target," IBM Security concluded.
POS malware remains a threat, but cyberattackers are upping the ante as they probe for more weaknesses in retailers' networks. Along with the Shellshock vulnerability that targets retailers' servers, the security researchers found that POS malware like Alina, BlackPOS, Citadel, Dexter and vSkimmer remain in play.
"Shellshock is not going away anytime soon, much like SQL Slammer," IBM warned. "Patching is of paramount importance for this specific attack vector."
How should enterprises respond as the database threat grows? IBM security specialists stressed that "shellcode characters should never be allowed to enter an organization’s network via HTTP." They added that deployment of security appliances focusing on these attack vectors, like firewall deployments, should become standard practice.
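One way to apply that HTTP-level check, as an added example that is not from IBM's report or the original article: a Python filter that flags requests carrying the bash function-definition marker `() {` that Shellshock requests place in header values. Reading "shellcode characters" as that marker is an assumption, and the sample requests and the `shop.example` host are constructed.

```python
import re
from urllib.parse import unquote

# Unpatched bash treats an environment variable whose value begins with
# "() {" as a function definition; CGI servers copy request headers into
# environment variables. Whitespace is matched loosely to catch variants.
FUNC_DEF = re.compile(r"\(\s*\)\s*\{")

def parse_request(raw: str):
    """Split a raw HTTP/1.x request head into (target, {header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    target = parts[1] if len(parts) >= 2 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return target, headers

def shellshock_findings(raw: str):
    """Return the request fields that carry a function-definition marker."""
    target, headers = parse_request(raw)
    findings = []
    # Decode the target so a percent-encoded marker is caught as well.
    if FUNC_DEF.search(unquote(target)):
        findings.append("request-target")
    for name, value in headers.items():
        if FUNC_DEF.search(value):
            findings.append(name)
    return findings

# Constructed sample requests (not captured traffic).
BENIGN = ("GET /cart?item=42 HTTP/1.1\r\nHost: shop.example\r\n"
          "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")
PROBE = ("GET /cgi-bin/status HTTP/1.1\r\nHost: shop.example\r\n"
         "User-Agent: () { :; }; PLACEHOLDER\r\n"
         "Referer: ()  {x;}; PLACEHOLDER\r\n\r\n")
ENCODED = ("GET /cgi-bin/status?q=%28%29%20%7B%20x HTTP/1.1\r\n"
           "Host: shop.example\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("probe", PROBE), ("encoded", ENCODED)):
        print(label, shellshock_findings(req))
```

A filter like this complements patching bash rather than replacing it, since it only sees requests that pass through the inspected path.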
IBM said the data it analyzed consisted of records compromised and breaches disclosed by retailers, in addition to data compiled by the Privacy Rights Clearinghouse. Other data used in the retailer security study was compiled internally by IBM's Managed Security Services team.
John Kuhn, an IBM senior threat researcher, said in an interview that data on attacks and threats was gleaned from its customer base. The data was "boiled down" by analytical engines to detect potential attacks and threats; analysts then weeded out any false positives.
As the threat to customer databases grows, Kuhn said vulnerable retailers need to initiate thorough audits of their systems. Those audits should include penetration tools and testers.
Kuhn said he expects the trend of fewer but more sophisticated attacks to continue, the result being a steady increase in the number of stolen customer records.
However, some industry watchers counseled a wait-and-see approach.
"Black Friday [and] Cyber Monday were just five weeks ago," noted Rick Holland, principal analyst for security and risk management with Forrester Research Inc., based in Cambridge, Mass. "Given how long it takes organizations to detect intrusions, it could be premature to say that attacks were down. Let's revisit the numbers in 12 months."
Others agreed that more holiday breaches may eventually surface, but the IBM findings still reveal a new level of sophistication that is yielding more stolen records.
Looking at IBM's data, "If you assume a margin of error of 10%, that's still a significant drop" in the number of attacks, said Christina Richmond, security services analyst with IDC in Framingham, Mass.
The point, Richmond added, is that even though IBM found that the most recent holiday shopping season may "not be as much of a free-for-all" as the year prior, retailers still need to remain vigilant against many potential attackers and attack methods.