This Halloween, it’s not just ghosts and goblins sending chills down our spines—this season brings some truly spine-tingling stats about the state of cybersecurity in 2024.
In our “Spooky Security Stats” roundup, we’re revealing findings from several reports published over the past year, each exposing unsettling trends and ominous insights. From record-breaking ransomware attacks to hair-raising data breaches, these statistics serve as a grim reminder of the threats lurking in today’s digital landscape.
Brace yourself for a Halloween treat that highlights the unnerving reality of modern cybersecurity risks—consider this your trick-or-treat security style!
Hack-O-Lanterns: Phishing Schemes Lighting Up the Dark Web
According to a recent Darktrace report, the company detected 17.8 million phishing emails across its customer fleet between 21 December 2023 and 5 July 2024.
Alarmingly, 62% of these emails successfully bypassed DMARC verification checks, which are industry protocols designed to protect email domains from unauthorized use, and 56% passed through all existing security layers.
The report also revealed that double extortion ransomware is on the rise. As ransomware continues to be a top security concern for organizations, ransomware strains like Akira, Lockbit, and Black Basta are all adopting double extortion tactics, where data is exfiltrated within 12 hours of encryption, and victims are threatened with exposure unless the ransom is paid. This increases pressure on victims and complicates defenses against ransomware attacks.
Specters in the System: The Haunting Risk of Machine Identities
Another report by Oasis Security revealed that this Halloween, the real scare lurking in the shadows isn’t ghosts–it’s non-human identities (NHIs) wreaking havoc. NHIs such as service accounts, tokens, access, and API keys often linger unmonitored, making them prime targets for cyber threats.
In fact, 46% of organizations have confirmed breaches through NHIs, according to recent research from analyst firm Enterprise Strategy Group. Alarmingly, NHIs outnumber human users on average by a factor of 20x in modern enterprises. Also, as NHIs multiply at an alarming rate, 52% of companies expect their count to rise by over 20% in the coming year, according to the same report. In response, 83% of organizations are planning to increase their spending on non-human identity security, though many still struggle to effectively manage this expanding attack surface.
Faces from the Grave: When Deepfakes Become Hauntingly Real
Critical Start’s report revealed that this Halloween season, a new breed of cyber threats casts an ominous shadow: deepfakes and scareware. Deepfakes—AI-generated digital apparitions—mimic voices, faces, and even full video sequences with unsettling accuracy, making it nearly impossible to discern between friend and foe.
Cybercriminals exploit these highly convincing forgeries to deceive people and organizations, resulting in:
- 3,000% Surge in Deepfake Fraud Attempts: In 2023 alone, the number of deepfake fraud attempts has risen by a staggering 3,000%, raising significant concerns among cybersecurity professionals.
- 6.5% of All Fraud Cases: Deepfakes now haunt 6.5% of all fraud cases, undermining trust and creating confusion in various sectors.
- $1 Trillion in 2024: The financial specter of deepfake fraud is projected to reach $1 trillion globally in 2024, posing a serious challenge for organizations unprepared for this growing threat.
The AI Apparition: GenAI’s Ghostly Presence in Security Threats
Bugcrowd offered some insights on AI, saying these technologies have opened up a new attack vector in organizations. In a survey of 1,300 ethical hackers, 82% of hackers believe that the AI threat landscape is evolving too fast to adequately secure. Another 93% of hackers agree that companies using AI tools have created a new attack vector.
The report illuminated the rise of a surprising trend: the increasing prominence of hardware hacking. In the past 12 months, 81% of hardware hackers encountered a new vulnerability they had never seen before, and 64% believe that there are more vulnerabilities now than a year ago.
In response to the rise of AI, 83% of hardware hackers are now confident in their ability to hack AI-powered hardware and software, indicating a new potential avenue for exploitation.
Fueled by AI-generated attacks, SlashNext researchers observed a 341% increase in malicious phishing links, BEC, QR codes, and attachment-based email and multi-channel messaging threats in the first half of 2024. The company also observed a 4,151% increase in malicious phishing messages sent since the launch of ChatGPT in November 2022.
A report by Menlo Security, called “The Continued Impact of Generative AI on Security Posture,” also revealed that in the last half of 2023, the research team observed an 80% increase in attempted file uploads to generative AI websites. Also, in a 30-day period in Q1 2024, 55% of the data loss prevention events detected by the company included attempts to input personally identifiable information into generative AI platforms.
Ghostly Gaps: Where Security Controls Disappear
According to Ontinue’s 1H 2024 Threat Intelligence Report, in Q1 alone, there were 8,967 published CVE records, with over 13,400 more awaiting publication. However, the most widely published vulnerabilities aren’t always the ones most exploited. At the start of 2024, the company witnessed a surge in zero-day vulnerabilities affecting Ivanti products, with three of them still actively exploited today.
This highlights the critical importance for organizations to stay aware of the software and hardware they use, ensure timely patching, and subscribe to vendor security bulletins. Patching once a month or quarter is no longer sufficient to maintain adequate security.
A report by XM Cyber found that identity and credential misconfigurations represent a staggering 80% of security exposures across organizations, with one-third of these directly endangering critical assets, making them prime targets for attackers to exploit.
The report highlights that while only 2% of exposures occur at choke points—locations where multiple attack paths intersect—these points are disproportionately dangerous, as they give attackers broad access to key systems. Organizations with poor security posture face six times more exposures (30,000) than high-performing peers (5,000). Businesses must focus on securing these choke points to close the most critical attack paths and efficiently mitigate risk.
It also showed that cloud environments are not exempt from the risk of exposure – 56% of critical asset exposures are in cloud platforms, with 70% of organizations vulnerable to attackers traversing from on-premise networks to cloud systems. Alarmingly, attackers can compromise 93% of critical assets in these cloud environments within just two hops.
Phantom Calls: Vishing Scams that Trick and Terrorize
Mobile security researchers at Zimperium are releasing intel on a new variant of the FakeCall malware. FakeCall employs a technique known as Vishing (voice phishing), in which fraudulent phone calls or voice messages are used to deceive victims into disclosing sensitive information.
This new variant has the ability to capture information displayed on a screen using the Android Accessibility Service. The variant is showing a strategic evolution in mobile security – evasive cyberattacks are now the new normal, as cybercriminals are becoming more sophisticated in their mobile phishing attacks.
The company also says that 82% of phishing sites now target mobile devices, highlighting how cybercriminals are increasingly adopting a “mobile-first” attack strategy. Financial services organizations saw 68% of their mobile threats attributed to sideloaded apps. In fact, zLabs researchers found that mobile users who engage in sideloading are 200% more likely to have malware running on their devices than those who do not. APAC outpaced all regions in sideloading risk, with 43% of Android devices sideloading apps.
The report detected over 87K malware samples a month, a 13% increase Y-o-Y, and 80% more spyware samples on enterprise devices.
Horror Stories: When APIs Leave the Door Unlocked
Salt’s State of API Security Report 2024 revealed that the threat of API attacks is growing, and traditional methods aren’t advanced enough to keep up with the rapidly evolving digital landscape. A whopping 95% of organizations experienced security problems in production APIs within the last 12 months, with 23% suffering breaches as a result of API security inadequacies.
Moreover, over one-third (37%) of the respondents, who all have APIs running in production, reported they do not have a current API security strategy in place, and the number of APIs organizations have in their sprawl increased by 167% in the past year.
The research also showed how only 21% of the respondents believe that their current security approaches are effective in preventing API attacks, and the number of reported API incidents has more than doubled since 2023 from 17% to 37%.
Yet, despite growing API traffic, only 7.5% of organizations have implemented dedicated API testing and threat modeling programs.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.