Spear Phishing More Profitable Than Mass Spam for Cyber-Criminals

A recent report from Cisco suggests that cyber-criminals are abandoning large-scale spamming attacks in favor of more profitable spear-phishing campaigns.

Cyber-criminals are switching gears from large spamming operations to more targeted attacks, according to a new report from Cisco Systems.

Targeted attacks are turning out to be far more profitable than sending spam indiscriminately, Cisco said during a press and analyst event on June 30. There has been a significant decline in revenues generated from mass spam and phishing campaigns, according to the report from Cisco Security Intelligence Operations.

Worldwide revenues of high volume spamming decreased from $1.1 billion in June 2010 to $300 million in June 2011, or a drop of two-thirds. In comparison, revenues for targeted attacks quadrupled from $50 million to $200 million over the same time period, Cisco said in its report.

Targeted attacks "are difficult to protect against and have the potential to deliver the most negative impact to victims," said the report.

2011 should already be known as the "year of the breaches," Patrick Peterson, a Cisco fellow and author of the report, said at the press event. The number of high-profile breaches this year has made it clear that criminals are utilizing targeted attacks "very successfully," he said.

Several RSA Security employees received an Excel spreadsheet masquerading as an employee directory that resulted in the data breach earlier this year. Attackers also sent a malicious document claiming to be a copy of an article published in the American Bar Association's Antitrust Source newsletter to select individuals working with the United States government this spring.

Attackers are moving away from mass attacks because of low conversion rates, according to the report. Spam operations have always relied on casting a wide net in order to catch the few people who will fall for the scam. Since the upfront costs aren't that high for the cyber-criminal, even a handful of victims was profitable. However, Cisco researchers found that the "value per victim" in a targeted attack was roughly 40 times higher than that of a mass attack, and conversion rates were much more attractive.

Targeted spear-phishing attacks aren't that different from large-scale spam and phishing operations, as they generally rely on e-mail messages with malicious file attachments or Web links. However, criminals carefully research the intended recipients and tailor the e-mail so that the recipient is more likely to be tricked. The attackers collect information from social networking sites, intercepted e-mails, press releases and plain Internet searches.

Fully 70 percent of those who received a targeted e-mail message opened it, and half of those clicked through to the malicious Web site or opened the attachment. Scammers generally send out fewer messages in a targeted campaign than in a mass spam attack, but make more per campaign because of the higher likelihood of fooling victims.

"Spearphishing attack campaigns are limited in volume but offer higher user open and click through rates. With these constraints, cybercriminals are increasingly focusing on business users with access to corporate banking accounts to make sure they're seeing a sufficient return per infection," the report said.

The report compared the two types of attacks. In a typical large-scale operation, the attacker may send out a million e-mails. While most will be blocked by spam filters and other security tools, enough will get through that eight people may be victimized, costing the victims $2,000 each, or $16,000 total. Assuming it cost $2,000 for the attacker to set up the operation and send out the messages, the attack yields a profit of $14,000.

The numbers are different in a targeted attack, Cisco researchers found. The attacker may send out only 1,000 e-mails, and only two people may be victimized, but at a cost to the victims of $80,000 each. Because the attacker had researched the victims carefully, the victims are already more valuable, since they have more access to information or other services, the researchers noted. Even if it cost the attacker $10,000 to conduct the research and set up the operation, the lower-volume attack would actually net them $150,000, Cisco data suggested.

Another reason for cyber-criminals to move away from large-scale spamming may be "botnet decapitation," Peterson said. Recent law enforcement activities to disrupt Rustock and Bredolab have limited the availability of spam-sending infrastructure, according to the report. Worldwide spam volumes have dropped 80 percent, from 300 billion to 40 billion a day.

The report, titled "Email Attacks: This Time It's Personal," was based on responses from 361 IT professionals from 50 countries.