Phishing ‘Behind Majority Of Data Breaches’

Cybercriminals are using some rather old tricks to target human weakness as they look to reap higher rewards from a wide range of attacks, according to a new report.

The latest Verizon Data Breach Investigations Report discovered a major rise in phishing attacks over the past year, as criminals

It found that 30 percent of phishing messages were opened – up from 23 percent in the previous year – and 13 percent of these resulted in malware or some other nefarious backdoor being installed.

Risky

“You might say our findings boil down to one common theme — the human element,” said Bryan Sartin, executive director of the Verizon RISK team. “Despite advances in information security research and cyber detection solutions and tools, we continue to see many of the same errors we’ve known about for more than a decade now. How do you reconcile that?”

The report also highlighted the increasingly quick speed in which cybercrime is committed. In 93 percent of cases, it took attackers minutes or less to compromise systems and data exfiltration occurred within minutes in 28 percent of the cases.

The team found that three-pronged attacks were becoming the norm for many criminals as they looked to target major organisations. First off, a phishing email with a link pointing to the malicious website or mainly a malicious attachment is sent to a company web address.

When downloaded, this or additional malware can be used to look for secrets and internal information to steal (cyberespionage) or encrypt files for ransom, often through keylogging.

These credentials are then often used to facilitate further attacks, such as to logging in to third party websites like banking or retail sites.

However those higher up in big companies can also often be held to blame, as the report found that so-called ‘miscellaneous errors,’ was the leading cause of security incidents in 2015.

This included 26 percent of all recorded errors involving sending sensitive info to the wrong person, with other errors in this category including the improper disposal of company information, misconfiguration of IT systems, and lost and stolen assets such as laptops and smartphones.

The company is now calling for organisations to implement as many security precautions as possible, as it found a worryingly large number do not offer protection methods such as two-factor authentication and data encryption.

“This year’s report once again demonstrates that there is no such thing as an impenetrable system, but often times even a basic defence will deter cybercriminals who will move on to look for an easier target,” said Sartin.

How much do you know about the world’s most notorious hackers? Try our quiz!