"We saw a large increase in hackers looking for open ports, as well as those trying to identify the applications and other services our retail clients were running," said Wayne Haber, director of architecture for SecureWorks. "An increase in network scans is often a red flag because many times it is followed by attacks specifically targeted at the organization's services," said Haber." "Attempted network scans against our retail clients increased 61% in 2008 going from an average of 56,000 per client per month in the first six months of the year to 90,000 per client per month in the last five months of the year," continued Haber.
The number of attempted authentication attacks - attacks used to compromise user names and passwords - increased steadily throughout the year, jumping from an average of 6,000 per client per month in the first six months of the year to an average of 34,000 per client per month in the last five months. The numbers continued to increase through the most recent month, November, where authentication attacks spiked to 137,000 per client per month. "It is not surprising that the attempts to steal customer credentials greatly increased just before the holiday shopping season. The November authentication attacks also followed a significant increase in network scanning in October where we blocked 202,000 network scans per client," said Haber.
"One of the methods used to bypass authentication are brute force attacks-where hackers systematically try large numbers of username and/password combinations in order to gain access to the retail organizations," said Don Jackson, director of Threat Intelligence for SecureWorks. "Hackers know that if they can successfully steal customer usernames and passwords, they can get access to retail accounts to make fraudulent online purchases and redirect those purchases to mailing addresses of their choice ," continued Jackson.
Attempted SQL injection attacks, a technique that exploits security vulnerabilities in Web applications by inserting malicious SQL code in Web requests, increased significantly in May for our retailers, going from an average of 20 per client per month to 237 per client per month. It then hit a peak in July with 17,000 attempted SQL Injection attacks per retail client and since November has dropped off to normal levels, averaging 18 per client per month.
"The abnormally high attack levels in July, August and September are a result of the rash of SQL Injection attacks we saw this year from a Chinese SQL injection tool and the Asprox trojan," said Jackson. http://www.secureworks.com/research/threats/danmecasprox/
"In July, August and September, hackers used the Chinese SQL Injection tool and the Asprox trojan to launch thousands of SQL Injection attacks so as to build up their botnets," said Jackson. "With these attacks, they sought out websites that utilized active server pages linked to a Microsoft SQL Server backend and unfortunately a lot of retailers use this platform, thus they became a big target. Of course, this boded well for the hackers because if they could infect high trafficked sites then their chances of infecting large numbers of computers and turning them into bots would be much greater. The bots were then used to send phishing e-mails and launch additional SQL Injection attacks. For retailers, the danger of a SQL Injection attack is that if it is successful then the hacker can potentially gain administrator access to the affected server, thus opening up the entire customer database to the hacker, complete with the customers' account information which could include credit card data, bank account information, name, address, etc. Even worse, under some circumstances, once the hacker has successfully infiltrated the database server they can use it as a jumping off point to access the rest of the company's network," continued Jackson.
"With the holiday season upon us and shoppers flocking to the Internet to make gift purchases from the convenience of their computers, retail organizations and online shoppers should be aware of the threats and should employ protective measures," said Haber.
Security Tips for Online Retailers
Retail organizations should make sure their Web presence is secured against cyber attacks by employing a defense in depth strategy including:
- Keeping all servers and workstations fully patched to protect against attacks targeted at the latest security vulnerabilities, especially Web application attacks such as SQL injection and cross site scripting. - Employing a default deny policy on firewalls at their network perimeters. This policy involves blocking all network traffic except traffic that is explicitly allowed. - Employing effective security practices on services requiring authentication, including password aging, password complexity, authentication delay and automatic lockout on repeated failed login attempts. - Employing intrusion prevention at the network perimeter to block attacks on key services accessible from the Internet including Web servers and mail servers, while allowing legitimate traffic to pass. - Monitoring servers and security devices 24x7x365 for security issues and requiring preventative actions to be taken on security threats in real time. - Regularly testing the organization's security posture via vulnerability scans and penetration tests.
Online consumers also need to take precautions, not only during the holiday season but whenever they are making online purchases. "E-commerce always increases around this time of the year, and with an increase in e-commerce comes an increase in criminal activity," said Jackson. Security Tips for Online Consumers Jackson recommends the following shopping tips for online consumers: