Breach’s WHID report also noted a shift in attack methodology in which hackers focused more on a web site’s large customer base in 2008, instead of targeting sensitive information within the web site’s database. This attack method turns a web site into a malware launching point when legitimate users visit the site. The report highlights one important factor -- the unknown. Twenty-nine percent of the incidents were reported without specifying the attack method. This lack of attack vector confirmation may be attributed to a combination of two main factors: lack of visibility of web traffic and resistance to public disclosure.
The 2008 WHID report identified multiple hacking-for-profit mechanisms. In fact, 19 percent of attacks were aimed at stealing personal information. Traded easily on the Internet, personal records are the easiest virtual commodity to exchange for money. In addition, the report found that criminals also exploited web sites for financial gain via planting malware and phishing, which comprised 16 percent and 5 percent of attacks in 2008, respectively.
Breach’s WHID report found that financial gain is not the only motivation for online attacks. The number one attack goal in 2008 was web site defacement. Used primarily to target political parties, candidates and government departments, ideologists often defaced a web site with a very specific message related to a campaign.
Corresponding with the ideology driven defacement noted in 2008, the WHID report also found that “Government, Security and Law Enforcement,” at 32 percent, was the top vertical market targeted by attackers. Internet-related organizations topped the list on the commercial side, including retail shops comprising mostly e-commerce sites, media companies and pure internet services such as search engines and service providers. In addition, financial institutions rose sharply in 2008 moving up to fourth place.