"Smaller businesses presume they are not a target. But we think attackers [are targeting] them because they have weaker security settings and are probably easier to penetrate. Plus they do work with larger organizations ... and attackers can use small companies as a stepping stone to larger ones or as an entry point into getting the information they want," says Vikram Thakur, principal security response manager for Symantec, which today released these latest findings as part of its 2013 Internet Security Threat Report. "They need to expect that."
In some cases, the smaller firm may be a supplier of key elements of a larger firm's intellectual property, too, which also makes it a juicy target, he says. Attackers also infiltrate smaller, easier-to-hack businesses in hopes that they will ultimately lead to bigger, more lucrative firms, he says. "One theory is they stay under the radar in smaller firms in hopes the smaller ones will be acquired by a larger company and then their networks will merge, and they'll have an existing foothold," Thakur says. "Another theory is that if they get in smaller companies, they can then use" its tunnel to a larger business partner's network, he says.
Last year, 50 percent of all targeted attacks hit businesses with less than 2,500 employees, and businesses with less than 250 employees accounted for 31 percent of all targeted attacks and represented the biggest growth sector in these attacks, according to Symantec's report.
[Broader spearphishing campaigns and watering-hole attacks look to compromise and gather intelligence on broader classes of targets. See Expect Less Targeting From This Year's Targeted Attacks.]
Symantec tallied an average of 116 targeted attacks each day around the world in 2012. Why the jump in targeted attacks? Thakur says that the 42 percent jump may, in part, have to do with the flood of waterholing-type attacks, where attackers infect legitimate websites that users of the targeted organizations would most likely frequent in hopes of infecting them. This can be more efficient than the traditional spearphish in terms of volume of infections: One waterhole attack by the so-called Elderwood Group last year spread malware to 500 different organizations in 24 hours via a human rights organization's website, for instance, Symantec says.
Jaime Blasco, labs manager at Alien Vault Labs, says part of the reason for the increase in targeted attack reports is that organizations are getting better at detecting that they are getting hacked. "I think the main reason is that most of the antivirus companies have more visibility about what is and what is not targeted," Blasco says. "I'm not saying that the number of targeted attacks hasn't increased, but it is true that companies, especially the small and [midsize] ones, are improving their detection capabilities."
The most-hit vertical industry in 2012 was manufacturing, with 34 percent of the targeted attacks, up from 15 percent in 2011. "This is the first year that government was not on top of the vertical list," Symantec's Thakur says.
Government and public sector organizations went from 25 percent of the targeted attacks in 2011 to 12 percent last year. Symantec says these shifts may be due to attackers moving "down the supply" chain in their attacks.
Meanwhile, the number of new vulnerabilities discovered in 2012 increased slightly from 4,989 in 2011 to 5,291 last year -- 425 of which were in mobile operating systems. The number of new zero-day vulnerabilities used in attacks was 14, versus eight in 2011.
Web-based attacks jumped by 30 percent last year, and the number of phishing sites posing as social networking sites exploded by 125 percent as attackers set their sights on social networks. And while mobile malware has grown by 58 percent the past year, according to Symantec's Thakur, 32 percent of all mobile threats now steal information from victims. "Data loss is the biggest concern and so is privacy," he says.
The full Symantec report is available here for download.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.