A recent report from Cisco suggests that cyber-criminals are abandoning large-scale spamming attacks in favor of more profitable spear-phishing campaigns.
Cyber-criminals are switching gears from large spamming operations to more targeted attacks, according to a new report from Cisco Systems.
Targeted attacks are turning out to be far more profitable than sending spam indiscriminately, Cisco said during a press and analyst event on June 30. There has been a significant decline in revenues generated from mass spam and phishing campaigns, according to the report from Cisco Security Intelligence Operations.
Worldwide revenues of high-volume spamming decreased from $1.1 billion in June 2010 to $300 million in June 2011, a drop of two-thirds. In comparison, revenues for targeted attacks quadrupled from $50 million to $200 million over the same time period, Cisco said in its report.
Targeted attacks "are difficult to protect against and have the potential to deliver the most negative impact to victims," said the report.
2011 should already be known as the "year of the breaches," Patrick Peterson, a Cisco fellow and author of the report, said at the press event. The number of high-profile breaches this year has made it clear that criminals are utilizing targeted attacks "very successfully," he said.
Several RSA Security employees received an Excel spreadsheet masquerading as an employee directory, which resulted in the data breach earlier this year. Attackers also sent a malicious document claiming to be a copy of an article published in the American Bar Association's Antitrust Source newsletter to select individuals working with the United States government this spring.
Attackers are moving away from mass attacks because of low conversion rates, according to the report. Spam operations have always relied on casting a wide net in order to catch the few people who will fall for the scam. Since the upfront costs aren't that high for the cyber-criminal, even getting a handful of victims was profitable. However, Cisco researchers found that the "value per victim" in a targeted attack was roughly 40 times higher than in a mass attack, and conversion rates were much more attractive.
Targeted spear-phishing attacks aren't that different from large-scale spam and phishing operations, as they generally rely on e-mail messages with malicious file attachments or Web links. However, criminals carefully research the intended recipients and tailor the e-mail to make it more likely the user is tricked. The attackers collect information from social networking sites, intercepted e-mails, press releases and plain Internet searches.
Fully 70 percent of those who received a targeted e-mail message opened it, and half of those clicked through to the malicious Web site or opened the attachment. Scammers generally send out fewer messages in a targeted campaign than in a mass spam attack, but make more per campaign because of the higher likelihood of fooling victims.
"Spearphishing attack campaigns are limited in volume but offer higher user open and click through rates. With these constraints, cybercriminals are increasingly focusing on business users with access to corporate banking accounts to make sure they're seeing a sufficient return per infection," the report said.
The report compared the two types of attacks. In a typical large-scale operation, the attacker may send out a million e-mails. While most will be blocked by spam filters and other security tools, enough will get through that eight people may be victimized, costing the victims $2,000 each, or $16,000 total. Assuming it cost $2,000 for the attacker to set up the operation and send out the messages, the attack yields a profit of $14,000.
The numbers are different in a targeted attack, Cisco researchers found. The attacker may have sent out only 1,000 e-mails, and only two people were victimized, costing the victims $80,000 each. Because the attacker had researched the victims carefully, the victims are already more valuable because they have more access to information or other services, the researchers noted. Even if it cost the attacker $10,000 to conduct the research and set up the operation, the lower-volume attack would actually net them $150,000, Cisco data suggested.
Another reason for cyber-criminals to move away from large-scale spamming may be "botnet decapitation," Peterson said. Recent law enforcement activities to disrupt Rustock and Bredolab have limited the availability of spam-sending infrastructure, according to the report. Worldwide spam volumes have dropped 80 percent, from 300 billion to 40 billion a day.
The report, titled "Email Attacks: This Time It's Personal," was based on responses from 361 IT professionals from 50 countries.