As cybercrime and data breaches have become increasingly common, a disturbing trend has emerged: cyber criminals are shifting their focus to the “long tail.” To understand the long tail, imagine a graph depicting the distribution of businesses and agencies – the “X” axis shows the size of the business (descending from large to small), while the “Y” axis shows its revenue. The start of the graph is where you find America’s largest companies: Google, Facebook, Amazon, etc. These are massive companies employing some of the world’s largest workforces and generating massive amounts of revenue. After that comes a steep decline, as revenue drops alongside the number of employees, before the curve flattens out into a long tail. Inside the long tail you’ll find supply chain nodes, retailers, local businesses and, finally, near the end, the smallest mom-and-pop shops.
Previously, bad actors focused mostly on the top of that curve. A single hack could result in the exfiltration of massive amounts of data, generating endless opportunities for identity theft, fraud, account takeovers, or other criminal acts. When Yahoo was hacked in 2013, data was exfiltrated affecting 3 billion accounts, including email, Tumblr, Fantasy and Flickr – three times more than originally reported. While that hack may have set a record for sheer volume of data, a series of security breaches at Marriott Hotels between 2014 and 2018 was even more troubling. The breaches resulted in cyber criminals gaining access to addresses, phone numbers, birth data, reservation information, and even passport numbers for some 500 million guests. Other hacks resulted in the exfiltration of data that could tie anonymous identities to personally damaging online activity. When Adult Friend Finder was hacked in 2016, more than 400 million accounts were accessed. Millions of people suddenly found themselves sweating over the prospect of having their more lurid online activities publicly exposed.
These stories generated massive legal and PR nightmares. Boardroom executives started to take notice, and large companies have taken stronger steps to protect themselves. Corporations have armed themselves with the most up-to-date protection services, and IT security budgets have skyrocketed.
At the same time, cyber criminals have improved their techniques. Bad actors have become better organized and have gained access to sophisticated tools, such as automated scanners that search for known vulnerabilities, and automatic crawlers that search for open devices and are able to exfiltrate unprotected data without any intervention by a user. What’s more, as processing power improves, even simple password-cracking programs multiply in efficiency – with a single algorithm, a program can test 8.2 billion passwords per second.
The increasing ease with which cyber criminals are able to target vast numbers of devices and users, combined with heightened security and scrutiny of corporate IT systems, has resulted in a dangerous new trend: Cyber criminals are increasingly turning away from large businesses and targeting supply-chain nodes and small- to intermediate-sized businesses.
This “long tail” of the business market represents an attractive target to bad actors – these businesses are often unaware of the risks posed to them, and their IT infrastructure and security protection are often woefully underprepared compared to large corporations. Part of their vulnerability may arise from unfamiliarity with digital channels, but it also arises from a comparative lack of resources. Furthermore, thanks to improvements in automation, cyber criminals can target a large volume of these businesses to achieve the same output as a single large hack, without attracting the attention that a breach of a high-profile business would. Small-business breaches are often ignored or not reported by the affected company or the media.
In 2018, 4iQ discovered nearly four times as many breaches as in 2017. At the same time, the average breach size was 4.7 times smaller. This is a direct result of the trend toward high-volume attacks on smaller businesses. Furthermore, an increasing share of these breaches involves identity-based criminal activity. There has been a 71 percent increase in underground ID-based criminal activity, with the number of circulating records increasing 20 percent to 3.6 billion.
Part of the trend has involved recirculating ever-larger packages of personally identifiable information, adding more information each time to create a snowball effect. Known as “Combo Lists,” these databases often include information such as email addresses, passwords, passport numbers, healthcare records, prescription purchases, insurance information, geo-location data, shopping habits, political views, and more. The largest of these lists contain as many as 1.8 billion credentials. Once a cyber criminal has access to such a list, they can feed it into an automated program that tests these username and password combinations for the purpose of account takeovers.
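The automated replay of a combo list against a login form is known as credential stuffing, and it has a recognisable shape in authentication logs: one source tries many distinct usernames, most attempts fail, and the few successes are exactly the accounts whose owners reused a leaked password. The following detector is an added example written for this article, not code from 4iQ or from the report; the log line format, field names, sample entries and thresholds are all constructed assumptions.

```python
"""Detect credential stuffing in authentication logs (defender-side).

A combo list replayed by an automated tool looks different from a
brute-force attack on one account: a single source tries many *distinct*
usernames, most attempts fail, and the few that succeed are the accounts
whose owners reused a credential from an earlier breach. This script
scores each source address on those signals. The log format, field names
and thresholds are assumptions made for this example, not from any product.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed one-line-per-attempt format:
#   "<timestamp> src=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)$"
)

# Constructed sample log (documentation IP ranges, invented usernames).
SAMPLE_LOG = [
    # One source walking a combo list across eight accounts; one hit.
    "2019-03-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL",
    "2019-03-01T10:00:01Z src=203.0.113.7 user=bob result=FAIL",
    "2019-03-01T10:00:02Z src=203.0.113.7 user=carol result=FAIL",
    "2019-03-01T10:00:02Z src=203.0.113.7 user=dana result=OK",
    "2019-03-01T10:00:03Z src=203.0.113.7 user=erin result=FAIL",
    "2019-03-01T10:00:03Z src=203.0.113.7 user=frank result=FAIL",
    "2019-03-01T10:00:04Z src=203.0.113.7 user=grace result=FAIL",
    "2019-03-01T10:00:04Z src=203.0.113.7 user=heidi result=FAIL",
    # A normal user who mistyped once.
    "2019-03-01T10:05:00Z src=198.51.100.20 user=alice result=FAIL",
    "2019-03-01T10:05:09Z src=198.51.100.20 user=alice result=OK",
    # One account hammered from one source: brute force, not stuffing.
    "2019-03-01T10:07:00Z src=198.51.100.21 user=bob result=FAIL",
    "2019-03-01T10:07:01Z src=198.51.100.21 user=bob result=FAIL",
    "2019-03-01T10:07:02Z src=198.51.100.21 user=bob result=FAIL",
    "2019-03-01T10:07:03Z src=198.51.100.21 user=bob result=FAIL",
    "2019-03-01T10:07:04Z src=198.51.100.21 user=bob result=FAIL",
    "2019-03-01T10:07:05Z src=198.51.100.21 user=bob result=FAIL",
    "this line is malformed and is skipped",
]


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: set = field(default_factory=set)  # accounts that logged in from this source


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Group attempts by source address."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate noise rather than abort the whole run
        s = stats[rec["src"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(rec["user"])
    return stats


def flag_stuffing(lines, min_users=5, min_fail_ratio=0.8):
    """Return {source: finding} for sources whose pattern matches credential stuffing.

    Thresholds are assumptions; tune them to the service's normal traffic.
    """
    flagged = {}
    for src, s in aggregate(lines).items():
        if len(s.users) < min_users:
            continue  # few distinct accounts: brute force or a legitimate user
        fail_ratio = s.failures / s.attempts
        if fail_ratio < min_fail_ratio:
            continue  # mostly successful: a shared NAT or proxy, not a replay
        flagged[src] = {
            "distinct_users": len(s.users),
            "fail_ratio": round(fail_ratio, 3),
            # These accounts accepted a leaked credential: force a password reset.
            "compromised": sorted(s.successes),
        }
    return flagged


if __name__ == "__main__":
    for src, finding in flag_stuffing(SAMPLE_LOG).items():
        print(src, finding)
```

On the sample log only 203.0.113.7 is flagged: eight distinct accounts with seven failures, and `dana` listed as the account to reset. The single-account brute force from 198.51.100.21 is deliberately not flagged here, since it calls for a different response (lockout or rate limiting on that one account) than a successful replay of breached credentials.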
A significant number of these breaches are due to “accidental exposures.” Accidental exposures can occur in a variety of ways – a typical example is a database or server left open during a cloud migration. When a device is left open, it becomes susceptible to automated crawlers that detect the open device and exfiltrate the leaked data. Leaked data may then be added to previous combo lists, resulting in rapid dissemination of personally identifiable information.
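The exposure described above is rarely a single mistake; it is usually three settings coinciding on the copy left behind during a migration: the datastore listens on every interface, the network rule admits the whole internet, and authentication is off. The audit below is an added example for this article, not 4iQ code; it grades a constructed inventory (invented names, documentation IP ranges, an assumed schema that is not any cloud vendor's export format) so the open "old" database stands out next to its hardened replacement.

```python
"""Audit a datastore inventory for accidental internet exposure.

The exposure the text describes, a database left open during a cloud
migration, is usually three settings coinciding: the service listens on
every interface, the network rule admits the whole internet, and
authentication is disabled. This script checks a constructed inventory
for that combination and grades each entry. The inventory schema and the
severity labels are assumptions for this example, not a vendor format.
"""
import ipaddress

# Constructed inventory (example data, not a real environment).
INVENTORY = [
    # The "old" copy left behind mid-migration: listens everywhere, open to
    # the internet, no authentication. This is what an automated crawler finds.
    {"name": "orders-db-old", "port": 27017, "bind": "0.0.0.0",
     "auth_required": False, "ingress": ["0.0.0.0/0"]},
    # The hardened replacement: private address, VPC-only rule, auth on.
    {"name": "orders-db-new", "port": 27017, "bind": "10.20.0.5",
     "auth_required": True, "ingress": ["10.20.0.0/16"]},
    # Listens on all interfaces, but the network rule is scoped and auth is on.
    {"name": "analytics-es", "port": 9200, "bind": "0.0.0.0",
     "auth_required": True, "ingress": ["203.0.113.0/24"]},
]


def listens_everywhere(bind):
    """True for the unspecified address (0.0.0.0 or ::), i.e. every interface."""
    return ipaddress.ip_address(bind).is_unspecified


def admits_internet(ingress):
    """True if any allowed CIDR is the whole address space (prefix length 0)."""
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in ingress)


def assess(entry):
    """Grade one inventory entry and list the reasons for the grade."""
    reasons = []
    if listens_everywhere(entry["bind"]):
        reasons.append("binds to all interfaces")
    if admits_internet(entry["ingress"]):
        reasons.append("network rule allows 0.0.0.0/0")
    if not entry["auth_required"]:
        reasons.append("authentication disabled")

    reachable = listens_everywhere(entry["bind"]) and admits_internet(entry["ingress"])
    if reachable and not entry["auth_required"]:
        severity = "critical"   # anyone on the internet can read the data
    elif reachable:
        severity = "high"       # exposed to credential guessing and exploits
    elif reasons:
        severity = "low"        # one layer is weak, the others still hold
    else:
        severity = "ok"
    return {"name": entry["name"], "severity": severity, "reasons": reasons}


def audit(inventory):
    """Return findings for every entry, worst first."""
    order = {"critical": 0, "high": 1, "low": 2, "ok": 3}
    return sorted((assess(e) for e in inventory), key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(f'{finding["severity"]:8} {finding["name"]:15} {"; ".join(finding["reasons"])}')
```

The grading is deliberately layered: a bind to all interfaces is only "low" on its own, because a scoped network rule still holds, while the same bind combined with an open rule and no authentication is "critical". Running the audit on every environment touched by a migration, before and after cut-over, is what catches the forgotten copy.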
As part of our signature 2019 4iQ Identity Breach Report, we’ve analyzed these trends in detail, making our findings publicly available for the betterment of cybersecurity around the world. While law enforcement agencies have been improving their security awareness and enforcement mechanisms as well, it is important that the private sector arm itself with awareness of these prevailing trends. Supply-chain nodes and small businesses are especially vulnerable, and should take precautions to ensure that they modernize and update their cybersecurity systems. Finally, consumers should invest in identity theft protection services that monitor the deep and dark web and send alerts when their credentials or personally identifiable information are exposed there.