This year's Verizon Data Breach Investigations Report (VDBIR) added a new category to its VERIS (Vocabulary for Event Recording and Incident Sharing) to track attacks with 'secondary' motives. These include, for instance, strategic web compromises in which a website is infected in order to attack visitors, not the website owner. It turns out this form of attack accounted for nearly 70% of web attacks where the motivation of the attack was known.
Apparently, the majority of these types of attacks come from opportunistically compromised servers used to participate in denial-of-service attacks, host malware, or repurpose for phishing sites.
At first blush, these attacks could be brushed off as harmless nuisances. However, they are anything but harmless. They impact brands, poison the user experience and can lead to sensitive data leaks of PII, PHI, PCI, bank credentials and other valuable information.
The report shows that using stolen credentials to control web-serving infrastructure is the preferred method for strategic web app attacks; however, other longtime hacking techniques like RFI, SQLi and XSS are still used with regularity as well.
Attacks against users typically take the form of automated campaigns to spread malware or phishing. In addition to web app compromises, advanced targeting techniques like malvertising are often used against individuals. They are typically carried out by identifying vulnerable systems, which may fall outside the standard coverage area of security scanners, which can be infected with exploit kits or used to redirect users to phishing sites.
RiskIQ recently over 100,000 websites owned by 35 leading financial institutions were hosted on IPs that pointed to third-party ASNs. These findings included IPs from vendor ASNs like RackSpace and Amazon AWS, ASNs inherited by mergers and acquisitions, ASNs from partner organizations, and more.
This data suggests leading banks have many assets that normally fall outside of the scope of security. The VDBIR points out that financial services firms were most frequently targeted, but almost all industries were affected.
According to Verizon, "[o]ver 95% of these incidents involve harvesting creds from customer devices, then logging into web applications with them." This type of attack can lead to damaging downstream breaches.
In order to combat web-based attacks, the VDBIR recommends organizations,
Get a complete inventory of every component of your web presence (honestly, it's not that hard) and ensure they are all in a regular patch cycle. Three-quarters of web app compromises are opportunistic, so this falls squarely under the cost of doing business.
The challenge for enterprises is keeping tabs on a web presence or 'digital footprint' which isn't static. It's easy to overlook unknown web assets (websites, apps, etc.) -- or rogue assets spoofing brands -- that were created by a third party or Shadow IT initiative.
The VDBIR findings show that it remains easy for criminals to identify and compromise web infrastructures that are vulnerable to known exploits. The impact of these campaigns erodes brand reputation, victimizes customers and can lead to the theft of login credentials, bank account information, PHI, PII and PCI data.
Now that Verizon and others are recognizing web-based attacks against secondary targets, expect continuous web asset discovery and monitoring for threats to become a mainstream concern.