The long answer is more complex, but security vendor Trustwave offered some insights in its 2016 Trustwave Global Security Report, which was released last month.
"Criminals are getting a lot savvier," says Karl Sigler, Trustwave's threat intelligence manager. "We're seeing their tactics changing a little bit."
New bad news
In the study, Trustwave found that compromises affecting corporate and internal networks hit 40 percent in 2015, up from 18 percent from the year before.
"Criminals are discovering that if they can get themselves embedded into a corporate network, there's a wealth of monetizable data in those networks," says Sigler. This could also be a result of what he calls a "drastic decline" in the rate of point-of-sale breaches, which dropped by 18 percentage points from 2014 to 2015, according to the study. "Criminals don't go away. They just shift targets," he says.
The study also found a major jump in the use of malvertising. For example, 90 percent of traffic to the RIG exploit kit, which was the third most popular kit in 2015, came from malicious advertisements.
"Criminals have really embedded themselves in the advertising network," Sigler says. "It's an economical way to push their exploits to a much larger audience than they would through a compromised website or by sending social engineering emails out to a lot of people."
Two other reasons for the spread of malware in advertising include the complexity of ad networks and a lack of accountability, says Jonathan Voris, an assistant professor of computer science at the New York Institute of Technology. When a user visits an ad-sponsored site, "at least a dozen different websites are contacted in order to serve up that advertising content," he says. That creates a lot of points of entry for hackers, who also exploit the fact that no one is sure who should take responsibility for malware being put on a user's computer: Is it the website owner? The ad network? The computer owner? "The person who is running the website has to make an awfully large effort to vet all those content providers who are going to generate those ads," he says. "Some websites might say it's not their responsibility."
On the spam front, the volume of unwanted email touting pharmaceutical products is down, though it’s still the most prevalent type of spam. In 2014, ads pushing pills accounted for almost three-quarters of all spam messages, according to last year's Trustwave report. In 2015, that figure dropped to 39 percent. That’s a significant drop, but Trustwave’s data indicates that spam related to online dating sites and adult products is filling the void. Email dealing with those topics accounted for 30 percent of all spam in 2015, up from 6 percent in 2014.
Voris says the changes in spam subject matter could be due to improvements in the ability of spam filters to root out pharmaceutical spam. Also, trends change. "Buying drugs online was a new field maybe 10 to 15 years ago," he says. "Now online dating is a huge industry, and it's something a lot of people are involved in. . . . It makes sense [that hackers] have moved on to current trends."
Some things never change
The geographic distribution of attacks doesn’t seem to have shifted much from 2014 to 2015. Most of the activity is still in this part of the world: 35 percent of the data breach investigations Trustwave conducted last year were in North America, with 21 percent in the Asia-Pacific region, 12 percent in Europe, the Middle East and Africa, and 10 percent in Latin America and the Caribbean.
The attacks and targets stay in North America, particularly the U.S., because the country has "a lot of businesses and organizations that are very juicy targets for individuals,” Sigler says. Moreover, “connectivity and available bandwidth still make us a very very important target for criminals." he adds.
Attacks in Latin America are on the rise — though just by "a little bit," says Sigler — "as those countries become more connected and business are becoming more profitable."
The good news
Trustwave’s report does contain some good news: Self-detection of compromises rose from 19 percent to 41 percent. "That large jump shows you that organizations are starting to do things correctly. They're not just earmarking security as [a secondary concern delegated to] their IT departments. They're actually paying attention, and paying attention in a really important fashion," says Sigler. Still, 41 percent is not a majority, and Sigler says he hopes to see a majority of organizations detecting breaches on their own in the future, because the sooner a company detects a compromise, the sooner it can "contain the damage."
Ultimately, sticking to the security basics will go a long way toward keeping your systems safe, Sigler says. Even though attackers are savvy and getting savvier, if you set up firewalls and make sure you’re properly logging and monitoring your systems, your organization will rise above the "low-hanging fruits and easy targets criminals tend to target," he says. "It's not sexy, but a lot of organizations aren't even doing that much."