The number of data breaches has been increasing steadily over the past few years. In fact, there were nearly 1.1 million data breaches in 2017, according to the Identity Theft Resource Center (ITRC). Fast forward, and the number of online data breaches recorded worldwide for the first two quarters of 2022 alone was 8.51 million (a 6X increase!) — and these numbers are expected to keep growing by the end of the year.
Unfortunately, the expected cost of a data breach is on the rise, too. According to a report published by IBM, the average cost of a data breach increased from $4.24 million to $4.35 million, approximately 2.5%, in 2022.
Social Engineering Attacks
Cyber security practitioners consider social engineering and phishing attacks to be the number one threat to their organization, research by CS Hub has revealed. In the CS Hub Mid-Year Market Report 2022, 75 percent of respondents cited social engineering/phishing attacks as the top threat to cyber security at their organization.
First, let’s define what a social engineering attack is. A social engineering attack occurs when an individual attempts to trick another person into disclosing confidential information. These attacks almost always involve some form of deception, such as pretending to be a legitimate employee or customer.
Hackers use various methods to get victims to click on links, open attachments, or download files. The most common form of social engineering involves phishing emails, which trick users into giving away personal information. Once they gain access to the victim’s computer, they can steal personal information, such as credit card numbers, bank account details, and passwords.
Phishing emails often look legitimate, but they typically contain links to malicious websites that collect sensitive information. The attackers then use that information to steal identities and commit other crimes.
In 2018, there were 1.4 billion data breaches reported worldwide, according to Verizon’s 2019 Data Breach Investigations Report (DBIR) and this has increased by 30 percent thus far in 2022. And while many of those attacks involved hacking into computers, cybercriminals are increasingly using social engineering tactics to hack into systems.
In January 2022, Bleeping Computer described a sophisticated phishing attack designed to steal Office 365 credentials in which the attackers imitated the US Department of Labor (DoL). The scam is a surprising example of just how convincing phishing attempts are becoming.
“The attack used two methods to impersonate the DoL’s email address—spoofing the actual DoL email domain (reply@dol[.]gov) and buying up look-a-like domains, including “dol-gov[.]com” and “dol-gov[.]us”. Using these domains, the phishing emails sailed through the target organizations’ security gateways,” explains Bill Toulas of Bleeping Computer.
“The emails even used official DoL branding and were professionally written and invited recipients to bid on a government project. The supposed bidding instructions were included in a three-page PDF with a “Bid Now” button embedded. On clicking the link, targets were redirected to a phishing site that looked identical to the actual DoL site, hosted at a URL such as bid-dolgov[.]us,” Toulas noted.
As expected, the fake site instructed users to enter their Office 365 credentials. The most clever aspect was a built-in behavior: after the victim first entered their credentials, the site displayed an error message so that they would enter them a second time, reducing the chance that the attackers captured a mistyped password.
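The DoL campaign described above worked because the sender and link domains were close to, but not the same as, the real dol.gov. The following is an added example (not code from the original article or from Bleeping Computer) of the kind of lookalike check a mail gateway or SOC script can apply to the links in a message: it takes the trusted domain from the article, undoes the `[.]` defanging used when writing indicators down, and flags hosts whose letters match the trusted name once hyphens, dots and the TLD are ignored. The `TRUSTED_DOMAINS` list, the `SAMPLE_LINKS` and the verdict names are assumptions for this example. A spoofed sender on the genuine domain (the `reply@dol[.]gov` case) is not something a lookalike check can catch; that needs SPF/DKIM/DMARC authentication at the gateway.

```python
import re
from urllib.parse import urlsplit

# Legitimate domain from the article's example; in production this is your allowlist.
TRUSTED_DOMAINS = ("dol.gov",)


def refang(text):
    """Undo the common '[.]' defanging used when indicators are written down."""
    return text.replace("[.]", ".")


def host_of(url):
    """Extract the lowercase hostname from a (possibly defanged) URL or bare host."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def _squash(s):
    # Keep only letters and digits so 'dol-gov', 'dol.gov' and 'dolgov' compare equal.
    return re.sub(r"[^a-z0-9]", "", s.lower())


def classify_host(host, trusted=TRUSTED_DOMAINS):
    """Return 'trusted' (the domain or a subdomain of it), 'lookalike' (the trusted
    name's letters appear with separators or TLD changed) or 'unrelated'.

    The lookalike test is a heuristic: it will also flag an innocent domain that
    happens to contain the same letters, so known third parties belong on an allowlist.
    """
    host = host.lower().rstrip(".")
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted"
    squashed = _squash(host)
    for t in trusted:
        if _squash(t) in squashed:
            return "lookalike"
    return "unrelated"


def review_links(urls, trusted=TRUSTED_DOMAINS):
    """Return (host, verdict) for every link, e.g. to attach to a gateway alert."""
    return [(host_of(u), classify_host(host_of(u), trusted)) for u in urls]


def suspicious_links(urls, trusted=TRUSTED_DOMAINS):
    """Just the hosts that should block delivery or raise an alert."""
    return [h for h, v in review_links(urls, trusted) if v == "lookalike"]


# Constructed sample using the defanged domains quoted in the article.
SAMPLE_LINKS = [
    "https://bid-dolgov[.]us/bid",
    "http://dol-gov[.]com/login",
    "https://www.dol.gov/agencies",
    "https://example.com/unrelated",
]

if __name__ == "__main__":
    for host, verdict in review_links(SAMPLE_LINKS):
        print(f"{verdict:10s} {host}")
```

Running the script prints a verdict per link; the two article domains `bid-dolgov.us` and `dol-gov.com` come back as lookalikes while the genuine `www.dol.gov` is trusted. The design choice is deliberate: strip separators before comparing, because the attackers' trick was precisely to keep the letters and change the punctuation and TLD.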
Let’s deep dive a bit more into social engineering attacks and focus on unpacking phishing.
As mentioned above, phishing involves sending emails with malicious links or attachments that appear to come from a trusted source. This type of attack is typically used by scammers who attempt to steal personal information or money. In contrast, social engineering attacks occur when individuals pretend to be someone else online. They might ask for sensitive information, such as usernames and passwords, or request access to private systems.
The most common phishing scam targets users of financial institutions, such as banks and credit card companies. These scams often involve fake websites that look exactly like the real thing. For example, you receive an email asking you to update your account information and click on the link provided. If you then enter your username and password, you could end up giving away your personal information to criminals.
In addition to being a nuisance, phishing scams can be costly. A recent study found that cybercriminals cost businesses $1 trillion each year. That’s because hackers steal sensitive data from unsuspecting employees and customers.
The best defense against phishing attacks is education. Employees should know what constitutes a legitimate email and what doesn’t. They should also be aware of the risks associated with clicking links in emails. If you receive an email that seems suspicious, delete it immediately. And if you suspect that your company has been hacked, contact your IT department immediately.
If you’re wondering what a phishing scam looks like, let’s revisit April 2021. Security researchers discovered a Business Email Compromise (BEC) scam that tricks the recipient into installing malicious code on their device.
Here’s how the attack works, and it’s actually pretty clever.
The target received a blank email with a subject line about a “price revision.” The email contained an Excel spreadsheet attachment that was actually an HTML file in disguise.
Upon opening the (disguised) HTML file, the target was redirected to a website containing malicious code, which triggered a pop-up notification telling the target they’d been logged out of Microsoft 365. The pop-up then encouraged them to re-enter their login credentials.
As expected—once the target did this, they inadvertently sent their credentials straight to the hackers.
This type of phishing—which relies on human error combined with weak defenses—has thrived during the pandemic. Phishing rates doubled in 2020, according to the latest FBI data.
If you think that hackers only use social engineering techniques to gain access to your network, think again! Even though this class of vulnerability has been known for over 20 years, injection still ranks number 3 in the OWASP Top 10 for web vulnerabilities. In 2022, 1162 vulnerabilities of the type “SQL injection” were accepted as CVEs.
Hackers can also exploit vulnerabilities in databases by using SQL injection attacks. This type of attack allows them to insert malicious code into a database query.
The most common form of SQL injection occurs when users enter data directly into a web application’s text box.
For example, if a user enters “; DROP TABLE Students; --” into a text field, the hacker could get the database to execute the command “DROP TABLE Students;--”, which would drop the Students table and delete all students from the database.
SQL injection attacks occur when hackers use malicious input to trick a website into executing commands against a database. Hackers often insert malicious code into a website’s URL, making it appear as though the site is requesting information from a legitimate source. When a user clicks on the link, the malicious code executes and hands the hacker access to the victim’s account.
In another example, where a user is expected to enter their email address into a text box, the hacker could instead enter a command that lets them view the contents of the user’s inbox. Another popular method of attack is to place malicious code inside a hyperlink; if a user clicks on the hyperlink, they are directed to a page that downloads malware.
SQL injection attacks are one of the most common types of cyberattacks because they are easy to execute and often go undetected.
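To make the “DROP TABLE Students” example above concrete, here is an added example (not code from the original article) that builds the same query two ways against an in-memory SQLite database: once by pasting the user’s input into the SQL text, and once as a parameterised query. The `Students` table name and the payload come from the article; the rows, the `grade` column and the function names are constructed for this example. The vulnerable path uses `executescript()` to model drivers and configurations that accept stacked statements; Python’s `sqlite3.execute()` happens to refuse the second statement, but that is an accident of one driver, not a control.

```python
import sqlite3

# The article's example payload. The leading quote closes the string literal the
# application opened, ';' ends that statement, and '--' comments out the rest.
PAGE_PAYLOAD = "'; DROP TABLE Students; --"

# Constructed sample data for the example.
SEED_ROWS = [("alice", "A"), ("bob", "B")]


def make_db():
    """Fresh in-memory database with a Students table (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT, grade TEXT)")
    conn.executemany("INSERT INTO Students VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def table_exists(conn, table):
    """Check the catalogue so the test can prove whether the table survived."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def lookup_vulnerable(conn, name):
    """VULNERABLE: untrusted input is pasted into the SQL text.

    Returns the SQL that was actually run so the caller can see what the database
    saw. executescript() runs every statement in the string, modelling database
    drivers that accept stacked statements.
    """
    sql = f"SELECT grade FROM Students WHERE name = '{name}'"
    conn.executescript(sql)
    return sql


def lookup_safe(conn, name):
    """FIXED: a parameterised query. The input is bound as a value, so it can
    never change the structure of the statement, whatever characters it holds."""
    rows = conn.execute(
        "SELECT grade FROM Students WHERE name = ?", (name,)
    ).fetchall()
    return [grade for (grade,) in rows]


def demo():
    """Run both paths with the article's payload on separate fresh databases."""
    conn = make_db()
    safe_result = lookup_safe(conn, PAGE_PAYLOAD)   # just an unknown student name
    safe_table_ok = table_exists(conn, "Students")

    conn = make_db()
    sql_seen = lookup_vulnerable(conn, PAGE_PAYLOAD)  # the same input drops the table
    vuln_table_ok = table_exists(conn, "Students")
    return safe_result, safe_table_ok, sql_seen, vuln_table_ok


if __name__ == "__main__":
    safe_result, safe_ok, sql_seen, vuln_ok = demo()
    print("parameterised query returned:", safe_result, "| table intact:", safe_ok)
    print("concatenated SQL the database ran:", sql_seen)
    print("table intact after vulnerable call:", vuln_ok)
```

The parameterised version returns an empty result for the payload and leaves the table in place; the concatenated version runs `SELECT ...; DROP TABLE Students; --'` and the table is gone. Parameterised queries (prepared statements) are the fix in every language and database, with input validation and least-privilege database accounts as defence in depth rather than a substitute.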
A recent real-world example is Accellion, the creator of the File Transfer Appliance (FTA), a network node designed to transport large volumes of sensitive information.
Spiceworks reported “since January 2021, [Accellion] has acknowledged and started addressing the effects of a long-standing SQL injection vulnerability. [...] Accellion was a supply chain attack that has impacted several companies that have used the FTA device. The State of Washington, the Reserve Bank of New Zealand, the Investments Commission, the Australian Securities, telecommunications giant, Singtel, and safety software firm, Qualys, were among the targeted organizations.”
According to a 2020 report from IBM and the Ponemon Institute, the average cost of a data breach worldwide is $3.86 million, and in the U.S., that cost is $8.64 million. Your best bet to prevent a breach is to begin understanding your data estate from the inside out. Know your data; know your truth. Contact us today to learn how we can help you prevent a breach.