The Verizon 2016 Data Breach Investigations Report (DBIR) is out, and the news is still bad, just like last year, the year before, and the ten years before those years. The DBIR states that 63% of data breaches in the past year involved weak, stolen, or default passwords. Notable too, the top attack pattern aimed at getting credentials to enable a breach was Web App Attacks. These attacks alone resulted in 1,429 breaches with confirmed disclosure of data.
On the DDoS front, DBIR reports 9,630 attacks, putting DDoS in third place behind “miscellaneous errors” (11,347), and “privilege misuse” (10,940). Much of the privilege misuse is mostly attributable to insider situations and the occasional collusion with an outsider.
The intersection of stolen credentials with data breach and account take-over fraud has been well-established for years now. With various high-profile breaches involving widely used email services, there is a huge source of usernames and passwords for the taking by a hacker. The sad part of this is that it is not uncommon for the typical user, in order to avoid forgetting their password, uses the same one everywhere, often with the compromised email address as the username. You can find out if your email has been “pwned” by checking at https://haveibeenpwned.com/ . For example, punching in “firstname.lastname@example.org” gives the unhappy result that john123 and his password are found on eleven different sites.
Now, it’s easy to set up an attack on any sort of site like online banking, brokerage, retail, and go on trying the pwned credentials. Naturally, the hit rate is not that high, but with bots doing it, who cares? If the attack succeeds one time in a million, this can still produce a pretty good haul of account takeovers. And account takeovers then lead to data breach and hopefully for the attacker, financial fraud too.