Online attackers concentrated their efforts on the recent Cyber Monday shopping period for maximum effect, with a large volume of attacks originating in Ukraine, according to new data from Imperva.
The US-headquartered data center security vendor analyzed data from its Threat Radar Community Defense service, which crunches real customer attack data to discern patterns in the wild.
It found that it was the Monday after Thanksgiving when attackers were most prolific, rather than the Black Friday immediately following the US national holiday.
Imperva director of security strategy, Barry Shteiman, explained the following in a blog post:
“On Cyber Monday, observed web attacks spiked at 279,000 attack campaigns on December 1st (an attack campaign is a correlation of a set of attack incidents spawned by the same attacker or attacking group). Needless to say that hackers were focused on that day.”
It’s not clear why attackers chose to focus their efforts on the Monday, although when Imperva looked at threats originating from inside the US only, there was a significant drop on Black Friday – which many Americans take off as holiday.
More interesting still was the geographic origin of attacks.
Although the largest number appeared to come from Germany (38.9%), followed by Poland (24.9%) and Canada (15.8%), it was Ukraine (10.1%) which Shteiman singled out as accounting for “some heavy and prolonged attacks.”
“While source of origin can be masked in many ways, in this case, the majority of attackers originating from Ukraine did not come from a Tor exit point or a known malicious proxy, which means that they are either attackers or are zombies owned by a botnet,” he told Infosecurity.
“The reality is that geo-mapping in correlation to attacks is never 100% verified, but since the volume was so high, it is fair to assume that a behavior was recognized.”
Another takeaway from the data is that SQL Injection (57.3%) and Cross Site Scripting (33.1%) attacks accounted for the vast majority spotted, which is doubly frustrating for Imperva given that customers would normally have deployed IPS, firewalls and other defenses.
“The fact that we still see all of these attacks mean that other controls are either not configured to block or are incapable of identifying these attacks in an accurate manner,” Shteiman said.