Cyber-Criminals Using Automated Tools to Launch Multiple Attacks on Businesses
The average large business sees 27 attacks per minute hitting its Website. Attackers can use automation technologies to generate up to seven attacks per second, or 25,000 attacks per hour.
Security firm Imperva uncovered these figures after analyzing more than 10 million Web application attacks that targeted Websites belonging to 30 large businesses and government agencies between January 2011 and May 2011, according to the report released July 25. The Web Application Attack Report (WAR) also analyzed anonymized traffic.
Cyber-criminals are increasingly using automation and botnets to carry out their attacks, the report found. IT departments aren't the only ones that rely on automated tools to speed up operations, after all. The way criminals are automating their attacks is "one of the most significant innovations in criminal history," Rob Rachwald, director of security strategy at Imperva, in a blog post.
"You can t automate car theft or purse snatching -- but you can automate data theft," Rachwald wrote, predicting that cyber-crime will soon exceed physical crime in terms of financial impact as more attackers rely on automation.
While some of the attacks called for highly complex programs, many were launched by relatively simple scripts, the researchers found. Attackers could point the single script at a large number of targets to launch simultaneous attacks or to attack several sites in sequence. Many of the scripts are readily available with instructions on how to use them on various sites online.
Many of the scripts are also based on the Metasploit penetration testing platform, a legitimate security testing tool often used by cyber-criminals to uncover security holes, Imperva found. The tool comes with hundreds of automated exploits and malware payloads that attackers can use.
Attackers are likely to combine several techniques instead of relying on a single attack method, Imperva's researchers discovered. Directory traversal, a method used to identify what files are on the system and to access those files that weren't intended to be publicly accessible, may be used during the "reconnaissance phase" before launching an exploit, such as a remote-file-include (RFI), Imperva wrote in its report.