A strange thing happened in 2014: Cyber attacks on the busiest shopping days of the year, Black Friday and Cyber Monday, declined, according to a new report from IBM.
Online retailers suffered 10 data breaches during the two-week period from Nov. 24 to Dec. 5, which includes Black Friday and Cyber Monday, and 72,000 records were compromised. In contrast, there were 20 breaches during the same period in 2013, with nearly 4 million records compromised.
Unauthorized access was the leading category of retail security incidents during the Black Friday and Cyber Monday period in 2014, IBM reported.
"The dramatic spike in ‘unauthorized access’ has a direct correlation to Heartbleed and Shellshock and also included some SSH brute force attacks," said John Kuhn, senior threat researcher at IBM Managed Security Services.
The total volume of stolen customer records for the year also fell in comparison with 2013. Sixty-one million customer records were stolen in 2014, IBM reported, down from 73 million in 2013. Stolen customer records include personally identifiable information (PII), as well as credit card information and email addresses.
IBM's analysis notes that the 2013 data is somewhat skewed because of the Target data breach. When IBM limited its data set to breaches of 10 million records or fewer, 2014 saw a 43 percent increase in stolen records.
Command Injection Attacks
Point-of-sale (PoS) malware is not the leading cause of retail security incidents, according to IBM. While the U.S. Secret Service believes more than 1,000 retailers have been infected by PoS malware such as Backoff, IBM found that command injection vulnerabilities were the leading root cause of retail security incidents in 2014. Retailers reported approximately 6,000 command injection incidents in 2014.
Kuhn told eSecurityPlanet that command injection attacks work against Web applications rather than databases.
"Essentially Shellshock was a command injection. It's simply injecting shell commands into a Web application with the hope that the backend system will execute the instructions," Kuhn said. "An attacker would be looking for a flaw on the retailer’s website to accomplish the attack, normally targeting PHP and CGI-based applications."
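The class of flaw Kuhn describes, shown as an added example that is not from IBM's report: a web handler that concatenates request data into a shell command line, next to a hardened version. The order-lookup functions, the `echo` stand-in for a backend tool and the sample input are assumptions made for illustration, and the sketch covers the general injection pattern, not Shellshock's own mechanism.

```python
import re
import subprocess

# Allow-list for the only input shape the handler should accept (assumed format).
ORDER_ID = re.compile(r"[0-9]{1,12}")

# Constructed sample input: a harmless marker after a shell separator.
CONSTRUCTED_INPUT = "1001; echo INJECTED"


def lookup_vulnerable(order_id: str) -> str:
    """'Before' pattern: request data is pasted into a shell command line,
    so the shell treats metacharacters in order_id as syntax, not data."""
    cmd = "echo order " + order_id
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_without_shell(order_id: str) -> str:
    """Pass arguments as a list with no shell: order_id reaches the program
    as a single argument and is never parsed as shell syntax."""
    result = subprocess.run(
        ["echo", "order", order_id], capture_output=True, text=True, check=True
    )
    return result.stdout


def lookup_hardened(order_id: str) -> str:
    """'After' pattern: validate against the allow-list, then run shell-free."""
    if not ORDER_ID.fullmatch(order_id):
        raise ValueError("rejected order id")
    return run_without_shell(order_id)


if __name__ == "__main__":
    # Two output lines: the second command was executed by the shell.
    print(lookup_vulnerable(CONSTRUCTED_INPUT).splitlines())
    # One output line: the whole input stayed a literal argument.
    print(run_without_shell(CONSTRUCTED_INPUT).splitlines())
    try:
        lookup_hardened(CONSTRUCTED_INPUT)
    except ValueError as exc:
        print("hardened handler:", exc)
```

Validation and shell-free execution are independent layers: either one alone stops this input, and keeping both means a gap in the allow-list does not reopen the shell.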
Data Analytics a 'Game Changer'
Looking ahead to 2015, Kuhn noted that IBM anticipated more targeted attacks on the retail sector, which has become a proven cash cow for cyber criminals.
"We see larger franchises becoming greater targets as they’re often connected across the same network, providing the ability for attackers to gather massive quantities of records in a central location," Kuhn said. "Data analytics will become one of the game changers in detection for retailers as cyber criminals continue to increase in sophistication."
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.