According to Akamai, and its latest Summer 2018 SOTI (State of the Internet) report, which is of course the winter time-frame for us here in the Southern Hemisphere, "analysis of current cyber attack trends for the six month period from November 2017 through April 2018 reveals the importance of maintaining agility not only by security teams, but also by developers, network operators and service providers in order to mitigate new threats".
Hospitality industry vs bots: analysis of fraud attempts
Akamai's report shows the use of bots to abuse stolen credentials "continues to be a major risk for Internet-driven businesses, but data from this report reveals that the hospitality industry experiences many more credential abuse attacks than other sectors".
"Nearly 40% of the traffic seen across hotel and travel sites is classified as 'impersonators of known browsers', which is a known vector for fraud.
"Geographical analysis of attack traffic origination reveals that Russia, China and Indonesia were major sources of credential abuse for the travel industry during the period covered by the report, directing about half of their credential abuse activity at hotels, cruise lines, airlines, and travel sites.
"Attack traffic origination against the hospitality and travel industry from China and Russia combined was three times the amount of attacks originating in the US."
Martin McKeay, senior security advocate, Akamai, and senior editor of the State of the Internet / Security report, said: "These countries have historically been large centres for cyber attacks, but the attractiveness of the hospitality industry appears to have made it a significant target for hackers to carry out bot-driven fraud."
The rise of advanced DDoS attacks highlights need for security adaptability
The report continues, noting that "while simple volumetric DDoS attacks continued to be the most common method used to attack organisations globally, other techniques have continued to appear".
"For this edition of the report, Akamai researchers identified and tracked advanced techniques that show the influence of intelligent, adaptive enemies who change tactics to overcome the defences in their way.
"One of the attacks in the report came from a group that co-ordinated their attacks over group chats on STEAM and IRC.
"Rather than using a botnet of devices infected with malware to follow hacker commands, these attacks were carried out by a group of human volunteers. Another notable attack overwhelmed the target’s DNS server with bursts lasting several minutes instead of using a sustained attack against the target directly.
"This added to the difficulty of mitigating the attack due to the sensitivity of DNS servers, which allows outside computers to find them on the Internet. The burst system also increased difficulty by fatiguing the defenders over a long period of time."
McKeay added: "Both of these attack types illustrate how attackers are always adapting to new defences to carry out their nefarious activities.
"These attacks, coupled with the record-breaking 1.35 Tbps memcached attacks from earlier this year, should serve as a not-so-gentle reminder that the security community can never grow complacent."
Other highlights from Akamai’s Summer 2018 State of the Internet / Security: Web Attack report include:
- Once attacked, it is extremely likely an organisation will be attacked again – companies that were attacked were targeted 41 times on average, with one organisation suffering from 884 DDoS attacks in that timeframe.
- The biggest DDoS Akamai has seen to date – Akamai saw 7822 DDoS attacks during this time period (a 16% increase in total DDoS attacks). The largest of them, a 1.35 Tbps attack against a software development company, made use of memcached servers as reflectors. To put this in perspective, the TAT-14 cable, one of many between the US and Europe, is capable of carrying 3.2 Tbps of traffic. This attack was, arguably, the largest seen on the Internet to date.
- The gaming industry has continued to be the single largest target of DDoS attacks that Akamai defends against. The majority of these attacks appear to stem from the people using systems affected by the attacks. In other words, it’s mainly gamers attacking the sites out of frustration or hoping to gain an edge on their competitors.
- So where are all these attacks coming from? The answer is complicated. Reflection attacks, botnets, and the ease of spoofing with UDP mean that determining the location of the attacker is difficult based simply on the traffic the defender sees. Tracing the DDoS traffic back to the attacker is difficult, expensive, and time consuming, not to mention unprofitable.
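The two bullets above make a defender-side point: in a memcached reflection attack the traffic a victim sees comes from the reflectors (memcached servers answering spoofed UDP requests), not from the attacker. The following is an added example, not code from Akamai or the report, that flags this pattern in flow records; the record layout, the sample flows and the thresholds are assumptions constructed for illustration.

```python
"""Flag memcached UDP reflection traffic in flow records (added example, constructed data)."""
from collections import defaultdict

# memcached listens on 11211; reflected replies arrive with this as the SOURCE port.
MEMCACHED_PORT = 11211

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets).
# 203.0.113.5 receives large UDP replies from three memcached hosts it never queried.
SAMPLE_FLOWS = [
    ("198.51.100.10", 11211, "203.0.113.5", 40000, "udp", 1_400_000, 1000),
    ("198.51.100.11", 11211, "203.0.113.5", 40000, "udp", 1_380_000, 990),
    ("198.51.100.12", 11211, "203.0.113.5", 40000, "udp", 1_420_000, 1010),
    ("192.0.2.7", 53, "203.0.113.5", 51000, "udp", 3_000, 20),        # ordinary DNS reply
    ("192.0.2.8", 443, "203.0.113.5", 52000, "tcp", 500_000, 400),    # ordinary HTTPS
    ("198.51.100.13", 11211, "203.0.113.9", 40001, "udp", 1_500, 1),  # single small reply
]


def memcached_reflection_report(flows, window_seconds=10, min_reflectors=3):
    """Aggregate UDP flows sourced from port 11211 per destination.

    Returns {victim_ip: {"reflectors": [...], "avg_packet_bytes": n,
                         "mbps": x, "flagged": bool}}.
    The reflector list is the set of memcached hosts, which is what a defender
    can see; the spoofing attacker's real address is not in the traffic.
    """
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for src, sport, dst, _dport, proto, nbytes, pkts in flows:
        if proto == "udp" and sport == MEMCACHED_PORT:
            agg = per_victim[dst]
            agg["reflectors"].add(src)
            agg["bytes"] += nbytes
            agg["packets"] += pkts

    report = {}
    for victim, agg in per_victim.items():
        mbps = agg["bytes"] * 8 / window_seconds / 1e6
        report[victim] = {
            "reflectors": sorted(agg["reflectors"]),
            "avg_packet_bytes": agg["bytes"] // max(agg["packets"], 1),
            "mbps": round(mbps, 2),
            # Many distinct memcached sources converging on one host is the signature.
            "flagged": len(agg["reflectors"]) >= min_reflectors,
        }
    return report


if __name__ == "__main__":
    for victim, entry in memcached_reflection_report(SAMPLE_FLOWS).items():
        print(victim, entry)
```

In production the same aggregation would run over real NetFlow/sFlow exports, and the threshold would be tuned to the site's normal UDP profile.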
Web application attacks:
- Over this six-month period, Akamai tracked 400,000,000 Web application attacks from around the globe.
- The most common Web application attack continues to be SQL injection, which accounted for 51% of the attacks seen by Akamai’s Kona Web Application Firewall in the period.
- Local File Inclusion and cross-site scripting made up the majority of the remainder of attacks, responsible for 34% and 8% of all attacks, respectively.