Online Shopping Season - The Stuffed Turkey Effect
Data centre security company Imperva have analysed attack traffic data over Black Friday and Cyber Monday and have found that:
Cyber Monday had a huge spike in attack volumes worldwide, with some very large attack campaigns originating in Ukraine, while Black Friday did not spike.
During Black Friday, attacks originating in the US were very low in quantity. This is called "the stuffed turkey effect".
90% of the attacks observed were SQLi and XSS.
Nothing gets me into the holiday spirit like a nice number crunching exercise. This is especially true after our previous blog, where we looked at last year’s holiday season attacks.
To have a better understanding of how attackers behave during the holiday online shopping season, we gathered data from our Threat Radar Community Defense service, where customers opt in to send us scrubbed attack information which we then use to analyze and enhance defense mechanisms. The data is therefore of real attacks that happen in the wild on different enterprise network data centers distributed across the world.
Data Analysis
While some of us over here expected to see a spike on Black Friday on November 29th, we were surprised to learn that Cyber Monday was the cash cow for attackers this year. While this may trigger research on the effect of stuffed turkey on hacking campaigns, we decided to focus on data that we already have.
On Cyber Monday, observed web attacks spiked at 279,000 attack campaigns on December 1st (an attack campaign is a correlation of a set of attack incidents spawned by the same attacker or attacking group). Needless to say, hackers were focused on that day.
Figure: Web attack campaign volumes during the holiday shopping season
In a second digest of the data, we looked only at attacks originating in the US, to better understand the “stuffed turkey effect” on cyber-attacks. The results shown below demonstrate a drop in overall attack campaigns originating from the US on Black Friday on November 29th.
Figure: Web attack campaign volumes originating in the US
To get a better understanding of the attack mix, we broke down the data into 2 charts: one for attack vector and one for geographic origin. The results were inconclusive regarding the geo mapping in terms of an obvious trend, although we did find some heavy and prolonged attacks coming specifically from Ukraine. On the vector front, while we were not surprised, it is worth mentioning that 57.3% of all attacks observed were SQL Injection attacks and 33.1% were Cross Site Scripting attacks.
Figure: Attack vector and source geographic distribution
The reason that these two numbers are important is that together they make up 90.4% of all attacks, using attack vectors that are considered well known and well researched; nevertheless, attackers are still using them for the majority of the attacks.
It is also important to mention that because this data comes from Imperva SecureSphere gateways that are deployed in the wild, they are normally behind IPS systems, firewalls and other defense measures. The fact that we still see all of these attacks means that the other controls are either not configured to block or are incapable of identifying these attacks in an accurate manner.
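To make the analysis concrete, here is an added example (not Imperva's code, and not the Threat Radar data) that does the same kind of number crunching on constructed incident records: it correlates individual incidents into attack campaigns, then produces the daily campaign counts, the per-country view and the vector shares that the charts above summarise. The correlation rule (same source IP and vector, each incident within one hour of the previous one) is an assumption chosen for illustration; the post does not state how its campaigns are correlated, and the IPs, timestamps and vectors below are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample incidents (not real data): timestamp, source IP, country, vector.
INCIDENTS = [
    ("2014-11-29 10:00", "198.51.100.7", "US", "SQLi"),
    ("2014-11-29 10:20", "198.51.100.7", "US", "SQLi"),
    ("2014-11-29 10:40", "198.51.100.7", "US", "SQLi"),
    ("2014-11-29 14:00", "198.51.100.7", "US", "SQLi"),
    ("2014-11-29 11:00", "203.0.113.5", "UA", "SQLi"),
    ("2014-12-01 09:00", "203.0.113.5", "UA", "SQLi"),
    ("2014-12-01 09:30", "203.0.113.5", "UA", "SQLi"),
    ("2014-12-01 09:10", "203.0.113.9", "UA", "XSS"),
    ("2014-12-01 12:00", "198.51.100.7", "US", "XSS"),
    ("2014-12-01 13:30", "198.51.100.7", "US", "XSS"),
    ("2014-12-01 15:00", "192.0.2.44", "US", "RFI"),
    ("2014-12-01 16:00", "198.51.100.7", "US", "SQLi"),
]

# Assumed correlation rule (an assumption for this example): incidents with the
# same source IP and vector that arrive within this window of the previous
# incident belong to the same campaign.
CAMPAIGN_WINDOW = timedelta(hours=1)


def _campaign(ip, country, vector, start, end, incidents):
    return {"ip": ip, "country": country, "vector": vector,
            "start": start, "end": end, "incidents": incidents}


def correlate_campaigns(incidents, window=CAMPAIGN_WINDOW):
    """Group raw incidents into campaigns using the rule above."""
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M"), ip, country, vector)
        for ts, ip, country, vector in incidents
    )
    by_source = defaultdict(list)
    for ts, ip, country, vector in parsed:
        by_source[(ip, country, vector)].append(ts)

    campaigns = []
    for (ip, country, vector), times in by_source.items():
        start, last, count = times[0], times[0], 1
        for ts in times[1:]:
            if ts - last <= window:  # still part of the running campaign
                last, count = ts, count + 1
            else:  # gap exceeds the window: close the campaign, start a new one
                campaigns.append(_campaign(ip, country, vector, start, last, count))
                start, last, count = ts, ts, 1
        campaigns.append(_campaign(ip, country, vector, start, last, count))
    return campaigns


def campaigns_per_day(campaigns, country=None):
    """Daily campaign counts, optionally restricted to one source country."""
    days = Counter()
    for c in campaigns:
        if country is None or c["country"] == country:
            days[c["start"].strftime("%Y-%m-%d")] += 1
    return dict(days)


def vector_share(campaigns):
    """Percentage of campaigns per attack vector, rounded to one decimal."""
    counts = Counter(c["vector"] for c in campaigns)
    total = sum(counts.values())
    return {v: round(100.0 * n / total, 1) for v, n in counts.items()}


def busiest_day(campaigns, country=None):
    """The day with the most campaigns (the spike the charts above show)."""
    days = campaigns_per_day(campaigns, country)
    return max(days, key=days.get) if days else None


if __name__ == "__main__":
    camps = correlate_campaigns(INCIDENTS)
    print("campaigns per day:", campaigns_per_day(camps))
    print("US campaigns per day:", campaigns_per_day(camps, "US"))
    print("vector share (%):", vector_share(camps))
    print("busiest day:", busiest_day(camps))
```

On the constructed input the twelve incidents collapse into nine campaigns, six of them on December 1st, and SQLi plus XSS account for roughly 89% of the campaigns; the window length is the knob that decides how many campaigns a persistent source is counted as, so it should be stated alongside any campaign figure.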
What have we learned?
Attackers trend with world events: when the online shopping season is in play, attackers focus on it in an attempt to break systems or steal data.
Black Friday results in fewer attacks than expected, especially in the US.
There is still an unfortunate and disproportionate share of "classic" web attack vectors in use by hackers, which means the threat is very high. Not only that, we learn that non-WAF solutions may be ineffective in identifying and blocking them.