Phishing and ransomware attacks are on the rise, and bad actors are baiting their lures with COVID-19 and vaccine-related themes, according to a Verizon Business 2021 DBIR report.

In an interview with Light Reading, Suzanne Widup, co-author of the DBIR report and senior principal of Threat Intel for Verizon Business, discussed the results of the annual Data Breach Investigations Report (DBIR). Notably, phishing and ransomware attacks increased by 11% and 6% in 2020, respectively.

"We saw very quickly once the lockdown happened that people doing phishing switched their lures to having COVID terminology in there to entice people because data was so scarce at the beginning. They made lures about more information and vaccinations," says Widup. "They're pretty good at the psychological aspect of getting people to click."

In addition, 61% of breaches involved credential data – 95% of organizations impacted by credential stuffing attacks experienced between 637 and 3.3 billion malicious login attempts in 2020.

"Social engineering has been phenomenally successful for [hackers] and so has ransomware," says Widup. "Last year we saw the change of tactics in ransomware groups where they went from just encrypting and demanding a ransom to taking a copy of the data and doing an extortion and threatening to do a data breach. At the same time, they want money for decrypting the data, so it's a one-two punch that they're doing."

The Colonial Pipeline ransomware attack was one of the most high-profile ransomware attacks this year and "forced the 5,500-mile pipeline to shut down for several days and threatened to disrupt domestic fuel supply for a week. The company reportedly paid nearly $5 million to allow it to reopen," reported Light Reading's Robert Clark earlier this month.

Misrepresentation, a form of social engineering which occurs when a hacker poses as a trusted source – such as a member of an organization's executive team – to convince people to give up their credentials, was also 15 times higher last year than in 2019.

Hackers love credentials as much as Americans love glazed donuts

Credentials are the "glazed donut of data types, everyone loves them" says Widup, who adds she can't take credit for the analogy that one of her DBIR co-author coined. "It's true, everyone likes credentials if they can get them because they can do so much throughout your organization by pretending to be someone. They can look like someone internal and won't set all the alarm bells off."

Figure 1: "Credentials are the glazed donuts of data types," says the Verizon DBIR report. Too bad they leave a bad aftertaste for the victims of social engineering attacks.
(Source: xandreaswork on Unsplash)

Unfortunately, many people reuse their credentials on multiple sites, which amplifies the impact from bad actors who have stolen those credentials. The financial and insurance industries are also hard hit by credential and ransomware attacks with misdelivery representing 55% of financial sector errors. Misdelivery occurs when data is sent to the wrong recipient.

Enterprises are also being threatened from the cloud – businesses are increasingly reliant on cloud applications, and attacks on web applications amount to 39% of all breaches.

"We are seeing more external cloud assets than on-premise assets that are involved in breaches," says Widup. "A lot of cloud email is being hacked quite a bit and resulting in data breaches … it's the credential reuse problem and that these companies don't implement two-factor authentication to make these re-used credentials less valuable."

About 85% of breaches involved a human element, and breach simulations revealed the median financial impact of a breach is $21,659 – 95% of incidents have an impact between $826 and $653,587. Human error is a big concern for the healthcare industry – 36% of these types of errors in healthcare are due to misdelivery.

Threats are tailored to different verticals

This year's DBIR included analysis of 29,207 security incidents, 5,258 of which were confirmed breaches, up from 3,950 breaches analyzed in the 2020 report. Data for the DBIR was collected from 83 contributors, with victims representing 88 countries; 12 industries and three world regions.

The 12 verticals studied each have their own unique security challenges – for the financial and insurance industries, for instance, 83% of data from breaches was personal data. By comparison, in professional, scientific and technical services, 49% of breached data was personal.

That's a wrap

The DBIR report isn't all doom and gloom – Widup says the report includes recommendations for how to address a range of different security threats. In the industry and pattern sections of the report, the authors provide suggestions on how to address the most common threats.

Clearly the authors recognize the potential heartburn-inducing reaction some readers might have to their report as the closing section starts with the advice to "Give yourselves, and each other, a pat on the back, or even better, a big virtual hug. All will be well."

— Kelsey Kusterer Ziser, Senior Editor, Light Reading