Cisco Security Intelligence Operations’ (SIO) research has found that “Cybercriminal business models have recently shifted toward low volume targeted attacks. With email remaining the primary attack vector, these attacks are increasing in both their frequency and their financial impact on targeted organizations”.
Cisco SIO estimates that the Cybercriminal benefit resulting from traditional mass email based attacks has declined more than 50 percent, from US$1.1 billion in June 2010 to $500 million in June 2011 on an annualized basis.
This change reflects a reduction in spam volume from 300 billion to 40 billion spam messages daily from June 2010 to June 2011. This reduction is consistent with low continued user conversion rates and is partially offset by increases in the average user spending on conversions”.
This decline has been offset by a small subset of mass attacks: scams and malicious attacks, which make up about 0.2 percent of total mass attacks and have been providing greater cybercriminal benefit. By using more personalization tools, the user conversion rates for the better crafted scams and malicious attacks have increased significantly in the last year. In addition, the average user loss caused by the malware or scam employed has increased because of the information shared.
Cisco’s Attack Classifications
As Cybercriminal activity continues to evolve, the specific attacks and their impact to organizations also change.
Mass attacks have been the basis of threats since the first days of distributed networks. Self propagating worms, distributed denial of service (DDoS) attacks, and spam are some preferred methods for achieving financial gain or business disruption.
The criminal creates a common payload and places it in locations that victims might access, often inadvertently. Examples include infecting websites, exploiting security vulnerabilities in file formats such as PDFs, sending emails to make a purchase, and mass Phishing of banking credentials. Traditional anti-threat methods rely on several factors, including quickly identifying the threat when first reported or seen in the network and then blocking similar threats in the future. If criminals infiltrate the security layers far enough to reach their targets, they’ll achieve the desired result in sufficient quantities to make this business model lucrative. A significant segment of this type of attacks is the burgeoning number of scams and malicious attacks. As part of the evolution of the criminal ecosystem, these attacks are becoming highly focused. Regardless of the vector or delivery engine including short message service (SMS), email and social media, criminals are choosing their targets with greater care, using personalized information such as a user’s geographical location or job position. Examples of these scams include:
- SMS financial fraud scams to specific locales
- Email campaigns that use URL shortening services
- Social media scams, where the criminal befriends a user or group of users for financial gain
When only a few threats are sent, these strategies may be effective in reaching the victims, but may not always prove cost effective to the criminals. Yet, for reaching high value victims, this approach is increasingly being leveraged by smart, organized, and profit driven criminals. When criminals are specific about their victim profiles, these threats are referred to as Spearphishing attacks.
Spearphishing attacks are aimed at a specific profile of users, often high ranking organizational users who have access to commercial bank accounts. Spearphishing attacks are typically well crafted; they use contextual information to make users believe they are interacting with legitimate content. The Spearphishing email may appear to relate to some specific item of personal importance or a relevant matter at the company for instance, discussing payroll discrepancies or a legal matter. According to Cisco SIO research, more than 80 percent of Spearphishing attacks contain links to websites with malicious content. Yet, the linked websites are often specially crafted and previously unseen, making them complex to detect.
|Cybercriminal Benefit (US$ million)||1 Year Ago||Current|
|Scams and Malicious||$50||$200|
Targeted attacks are highly customized threats directed at a specific user or group of users typically for intellectual property theft. These attacks are very low in volume and can be disguised by either known entities with unwitting compromised accounts or anonymity in specialized botnet distribution channels. Targeted attacks generally employ some form of malware and often use zero day exploits in order to gain initial entry to the system and to harvest desired data over a period of time. With these attacks, criminals often use multiple methods to reach the victim. Targeted attacks are difficult to protect against and have the potential to deliver the most potent negative impact to victims. While potentially similar in structure, the major differentiator of targeted attacks relative to Spearphishing attacks is the focus on the victim. A targeted attack is directed toward a specific user or group of users where as a Spearphishing attack is usually directed toward a group of people with a commonality, such as being customers of the same bank. Targeted attackers often build a dossier of sorts on intended victims gleaning information from social networks, press releases, and public company correspondence. While Spearphishing attacks may contain some personalized information, a targeted attack may contain a great deal of information which is highly personalized and generally of unique interest to the intended target.
A well publicized example of a targeted attack is the Stuxnet attack, a computer worm discovered in July 2010 which specifically targeted industrial software and equipment. Stuxnet exploited a vulnerability in the way that Windows handles shortcut files, allowing the worm to spread to new systems. The worm is believed to be purpose built to attack Supervisory Control and Data Acquisition (SCADA) systems, or those used to manage complex industrial networks, such as systems at power plants and chemical manufacturing facilities. Stuxnet’s cleverness is in its ability to traverse non-networked systems, which means that even systems unconnected to networks or the Internet are at risk. Operators believed that a default Siemens password (which had been made public on the web some years earlier) could not be corrected by vendors without causing significant difficulty for customers. The SCADA system operators might have been laboring under a false sense of security since their systems were not connected to the Public Internet, they might have believed they would not be prone to infection.
Federal News Radio’s website called Stuxnet “the smartest malware ever.” In January 2011, Cisco SIO detected a targeted attack message sent to senior executives at a large corporation. This campaign was sophisticated, in that it used previously unseen resources. The message was sent by an unknown party through a legitimate but compromised server in Australia. The email message was seemingly legitimate. The embedded action URL was hosted on a legitimate but compromised law blog. When clicked, the user’s browser was directed to a previously unknown copy of the Phoenix exploit kit. After the exploit was successful, it installed the Zeus Trojan on the victim’s computer.
Economics of Attacks
The economics of a typical campaign underscore the difference between mass and targeted attack business models.
For an individual campaign, the economics of a Spearphishing attack can be more compelling than for a mass attack. The costs are significantly higher, but so too are the yield and benefit. Cisco SIO estimates the costs of a Spearphishing attack at five times the cost of a mass attack, given the quality of the list acquisition, botnet leased, email generation tools, malware purchased, website created, campaign administration tools, order processing back-end infrastructure, fulfillment providers, and user background research activity required. This significantly higher cost basis and greater effort requires highly specialized skills. It also requires higher yields to be effective.
Cybercriminals are balancing competing priorities: Infect more users or keep the attack small enough to fly under security vendors’ radar? Spearphishing attack campaigns are limited in volume but offer higher user open and click through rates. With these constraints, Cybercriminals are increasingly focusing on business users with access to corporate banking accounts, to make sure they’re seeing sufficient return per infection. This is why the average value per victim can be 40 times that of a mass attack. Ultimately, this approach is justified:
“Profit from a single Spearphishing attack campaign can be more than 10 times that of a mass attack”
The potential returns are causing a shift in Cybercriminal business models. Presently, the opportunity cost of spamming may not be worth the rate of return due to increases in both anti-spam efficacy and user awareness. Instead, Cybercriminals are focusing more time and effort on different types of targeted attacks, often with the goal of gaining access to more lucrative corporate and personal bank accounts and valuable intellectual property.
To make their attacks more personalized, some Cybercriminals have focused on infiltrating email marketing vendors, since they have valid names, email addresses, and other attributes. When used in scams and malicious attacks, whether on a mass scale or in Spearphishing attacks this personal information increases the likelihood of users opening an attack email. The correlation of lower mass spam with recent data breaches is interesting, but the real takeaway is that attacks are becoming more personalized.
Impact of Personalized Attacks
Spearphishing attacks, though lower in volume relative to other types of threats, have serious consequences for today’s enterprises. The majority of Spearphishing attacks ultimately lead to financial loss, making them incredibly dangerous to victims and incredibly valuable to Cybercriminals. Spearphishing uses customization methods superior than those used in mass scams and malicious attacks, resulting in significantly higher user open and conversion rates. These success factors have made Spearphishing attack infections more effective, and hence more commonplace, which is corroborated by Federal Trade Commission estimates of 9 million Americans having their identities stolen each year.
The value per victim in Spearphishing attacks can vary substantially, with the mean and median values being quite high. For example, according to primary consumer research conducted by Javelin Strategy & Research, the mean identity fraud amount per victim was $4,607 in 2010. If we use a conservative estimate of user loss, $400, the total Cybercriminal benefit resulting from Spearphishing attacks amounts to $150 million in June 2010 on an annualized basis. This figure has tripled from $50 million a year ago; it is expected to continue increasing in the coming months as Cybercriminal activity returns to its prior business levels.
Impact of Targeted Attacks
The malicious nature of targeted attacks causes them to be very expensive to society in general and to individual organizations specifically. The cybercriminal benefit from a targeted attack, while substantial, is not easy to estimate because it is highly variable, based on the specific victim and intellectual property compromised. However, the cybercriminal benefit is a subset of the overall cost to the victim organization, which also depends heavily on the organization’s reputation and status. The organizational costs resulting from targeted attacks can vary. According to the FBI, these costs can range from thousands to hundreds of millions USD.
Similarly, the Ponemon Institute has estimated the potential cost per organizational data breach to range anywhere from US$1 million to US$58 million. As an example, a large gaming platform provider reported that the unauthorized access to its network that occurred in Q2 of 2011 has resulted in currently known associated costs of approximately US$172 million. Costs include personal information theft protection programs, insurance to cover identity theft losses, costs of “welcome back” programs, customer support costs, network security enhancement costs, legal and expert costs, and the impact on profits due to possible future revenue decreases.
In another example, a public payments processor company experienced a data breach resulting in millions of compromised user account credentials. A year later, the company reported related expenses totaling US$105 million. As per their 10-QSEC filing, “The majority of these charges, or approximately $90.8 million, related to:
- assessments imposed by MasterCard and VISA against us and our sponsor banks
- settlement offers we made to certain card brands in an attempt to resolve certain of the claims asserted against our sponsor banks (who have asserted rights to indemnification from us pursuant to our agreements with them)
- expected costs of settling with certain claimants with whom settlement discussions are underway
During the same timeframe from the intrusion to the 10-Q results, the company lost 30% of its value relative to the Standard and Poor’s 500 Index, or roughly $300 million in shareholder value. Ultimately, the corporate reputation is tarnished at a cost more significant than the costs of the monetary loss and remediation combined.
Overall Impact of Attacks
It’s clear that the shift in Cybercriminal business models has provided an interim benefit from lower threat activity. Organizations are only partially able to appreciate the reduction in Cybercriminal activity, though, as their costs can encompass far more than financial loss. To estimate these total losses, Cisco SIO conducted primary research with 361 organizations located globally to understand their perspectives.
The organizational impacts of attacks can be categorized as follows:
Financial: Financial loss directly to the Cybercriminals can range widely based on the specific attack; as a result, organizations cannot estimate the loss.
Remediation: The remediation costs of Spearphishing and targeted attacks are incurred by victim organizations. The administrative team must identify and remediate the compromised hosts; this can be challenging given the increasing use of surreptitious applications. Because of the complexity of current targeted attacks and the underlying malware, costs for remediation can be significant. Remediation costs include the time required to address the infected host and the corresponding opportunity cost of that time. With the organizations surveyed, Cisco observed that infected hosts take an average of two hours of dedicated effort to resolve. The cost basis of two hours of effort per resolution is specific to each organization, as is the corresponding opportunity cost of that time. Based on Cisco SIO research, organizations estimated that the direct remediation cost per infected user is $640, or 2.1 times that of the direct monetary loss.
Reputation: The negative reputation impact of attacks can be experienced over time by victim organizations and users. For example, building a brand typically takes years, but a negative event or news story, especially one that is highly visible, can quickly tarnish a company’s image. The direct impact can be a significant decline in business, sometimes even leading to the organization’s demise. Determining the true costs of adverse reputation impact can be challenging, as is estimating the value of an organization’s brand. Nevertheless, organizations have made it clear that adverse events can impact their reputation, which in turn can create a significant decline in business and shareholder value. Based on Cisco SIO research, organizations estimated that the reputation cost per infected user is $1,900, or 6.4 times that of the direct monetary loss.
Combined Impact: The overall costs of Spearphishing and targeted attacks to organizations are substantially more than their direct monetary loss to Cybercriminals.
While the costs can vary widely depending on the specific organization and attack, one point is clear: The overall costs to organizations can be significant. In addition, reputation management and remediation efforts can create a strain on the organization.
Cisco’s Conclusion to its research
The increased number of low volume targeted attacks has impacted users in many organizations, regardless of industry, geography and size. Their prevalence has caused both a related increase in criminal financial benefit and impact on victimized organizations. Organizations have to bear the burden of not only the monetary loss but also the cost of remediating infected hosts and the negative impact on their brand reputation. With the number of targeted attacks expected to increase, Cybercriminal activity will continue to evolve, as will its impact.
Download the report here.