Brian Pennington

A blog about Cyber Security & Compliance


Denial-of-service attack

Counting the cost of e-crime to retailers. Actually it’s £205.4 million a year.

The British Retail Consortium (BRC) has released the findings of their first e-crime study. The study is based on responses to a quantitative survey conducted between April and May 2012. Respondents were members of the BRC drawn from a selection of key retailing types including supermarkets, department stores, fashion, health and beauty and mixed retail. The retailers questioned constitute around 45 per cent of the UK retail sector by turnover.

The headline finding is that the total cost of e-crime to the retail sector was £205.4 million in 2011-12.

This estimate comprises three main components:

1. E-crime Overall. The UK retail sector lost £77.3 million as a result of the direct costs of e-crime.

2. Security. Data provided by retailers questioned in this survey suggests that, in 2011-12, at least £16.5 million was spent by the retail sector to provide better protective security for customers against e-crime. This figure excludes payments to banks for systems such as 3D Secure and ‘chargebacks’.

3. Lost Revenue. Estimated losses in revenue experienced as a result of legitimate business being rejected through online fraud prevention measures came to £111.6 million in 2011-12.

The key components making up the direct costs of e-crime were:

  • Identification-Related Frauds such as account takeovers which were the most costly variety of online fraud for retailers, resulting in at least £20 million of losses in 2011-12
  • Card and Card Not Present Frauds which were the next most costly variety, resulting in a minimum of £15 million of losses to the sector in this period
  • Refund Frauds which produced £1.2 million in known losses

The costs of e-crime to the retail sector are further inflated by the need to guard or restore systems against other kinds of threat such as malware, Distributed Denial of Service (DDoS) attacks or hacking. Since retailers do not yet collect precise data on this type of compromise to their systems, the research was unable to derive an overall cost estimate for these losses.

However, the research did find that repairing or restoring systems after DDoS attacks alone now costs up to £100,000 on average. Once these other varieties of threat are factored in, the true cost of e-crime to the retail sector is likely to be far higher than the estimate provided above.

E-Crime – The Emerging Threat

  • The most common fraud experienced by retailers in 2011-12 was Card Not Present fraud, with nearly 80% of UK retailers questioned in the survey stating that this was now common or very common.
  • Identification-Related Fraud was the second most common category with around 50% of retailers saying that the use of false identification was now a common or very common tactic in attempts to defraud their online systems.
  • If other misuses of personal identification (such as account-takeover frauds) are included under the heading of Identification-Related Fraud, then this emerges as the most prevalent category – with around 78 per cent of UK retailers reporting such frauds to be common or very common.
  • Increased threats to e-commerce were also found to be linked to disruptions caused by attacks upon online trading systems. For example, over 20% of retailers reported that Distributed Denial of Service (DDoS) attacks caused serious or very serious disruptions to their systems in the period surveyed.
  • Phishing appears to be a particular problem for UK retailers, with some respondents indicating that a single phishing attack within the period surveyed could have cost the company concerned up to £2 million to deal with. The negative impacts of phishing upon retail reflect a global trend which has indicated that, after US companies, UK brands and companies are now the second most targeted globally (RSA 2012). Find a link to 10 RSA monthly summaries at the bottom of the post.
  • Although more sophisticated attacks like phishing or hacking are often carried out by perpetrators from outside the UK, retailers questioned in this survey suggested that the majority of frauds continue to be perpetrated domestically. Retailers reported that around 86% of attacks originate within the UK.
  • The extent and sophistication of the threat is likely to be due to the high level of online sales in the UK.
  • 75% of respondents reported that over 80 per cent of their sales occurred in the UK. Nevertheless, the research found that retailers were often unclear about the breakdown between UK and foreign originated e-crime perpetrated against them.
  • When combined with the difficulties retailers face in tracing the origin of e-crime and the lack of intelligence from law enforcement, the level of e-crime originating outside the UK is likely to be far higher than the estimates provided in this research.

Managing e-crime – Security and Effectiveness

  • 8% of the current losses from e-crime relate to security costs, with the survey indicating that firms across the retail sector spent at least £16.5 million on internal and external security provision.
  • The most significant component of this figure was staffing security systems which cost the sector at least £10.5 million in 2011-12.
  • Investment in security technology amounted to around £6 million for the same period.
  • Online security is managed through both internal and external provisions with third party screening continuing to be the most common, and most expensive, option. The data was not sufficiently robust to enable an overall projection of costs for outsourcing security provision to third parties. However some respondents indicated that this could be as high as 7 pence per transaction.
  • 71% of respondents supplemented third party screening with other automated methods of security such as 3D Secure.
  • 71% of retailers were also deploying the Address Verification System (AVS).
  • 78% of respondents stated that they use customer order history to make online purchases more secure.
  • 64% of respondents also contact the customer or card issuer directly to verify the details of a purchase.
  • 50% of respondents were contemplating investment in new methods or technologies in the future.
  • This increasing expenditure will inevitably lead to higher costs than those outlined within this research.

Law Enforcement Responses and Government Support

Respondents highlighted a number of concerns around the policing of e-crime with the survey finding uniformly low levels of satisfaction with current police responses to retail e-crime.

  • At least half of retailers said they were dissatisfied with current responses
  • Over a quarter of the total expressed strong dissatisfaction
  • 14% indicated that they were very satisfied with current law enforcement support

The reason for such low levels of reporting and satisfaction was that e-crime is not considered to be a priority by many police forces. There were also concerns that national units such as the National Fraud Intelligence Bureau or the Police Central e-Crime Unit (PCeU) do not have the resources or capacity necessary to carry out further investigations.

The research also found very low levels of reporting.

  • 60% of retailers questioned said they would be unlikely to report any more than 10% of e-crimes to the police. This was largely due to retailers’ concerns with the law enforcement approach to policing e-crime offences.

Of the frauds that were reported to the police, Card Not Present Frauds were the most common:

  • 36% of respondents indicated that these would be reported
  • 14% said that they would report other kinds of fraud such as Credit Fraud (by Account Takeover).

Retailers also raised the need for greater government support:

  • 57% of respondents expressed strong or moderate dissatisfaction with current support from government
  • Many retailers felt that there was scope for government to offer more support to UK businesses by informing them about potential threats to their business and providing guidance or advice on how best to mitigate these threats

British Retail Consortium Director General Stephen Robertson, said:

“The rapid growth of e-commerce in the UK shows it offers great benefits for customers but also new opportunities for criminals.

“Online retailing has the potential for huge future commercial expansion but Government and police need to take e-crime more seriously if the sector is to maximise its contribution to national economic growth.

“Retailers are investing significantly to protect customers and reduce the costs of e-crime but law makers and enforcers need to show a similarly strong commitment.

“This first comprehensive survey assessing the make-up and scale of e-crime shows where efforts need to be directed.

“Law enforcement and the Government need to work with us to develop a consistent, centralised method for reporting and investigating e-crime and resources must be directed to e-crime in line with the emerging threat. This will encourage retailers to report more offences and allow the police to better identify and combat new threats.”

Find 10 monthly RSA Online Fraud report summaries here.


Verizon 2012 Data Breach Investigation Report – a summary with a PCI DSS view point

The 2012 Verizon Breach Investigation Report is out and I have attempted to summarise all 80 pages below.

The study was conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting and Information Security Service, Police Central e-Crime Unit, and United States Secret Service.

The introduction states,

The online world was rife with the clashing of ideals, taking the form of activism, protests, retaliation, and pranks. While these activities encompassed more than data breaches (e.g., DDoS attacks), the theft of corporate and personal information was certainly a core tactic. This re-imagined and re-invigorated specter of “hacktivism” rose to haunt organizations around the world. Many, troubled by the shadowy nature of its origins and proclivity to embarrass victims, found this trend more frightening than other threats, whether real or imagined. Doubly concerning for many organizations and executives was that target selection by these groups didn’t follow the logical lines of who has money and/or valuable information. Enemies are even scarier when you can’t predict their behavior.

It wasn’t all protest and lulz, however. Mainline cybercriminals continued to automate and streamline their method du jour of high-volume, low-risk attacks against weaker targets. Much less frequent, but arguably more damaging, were continued attacks targeting trade secrets, classified information, and other intellectual property. We certainly encountered many faces, varied tactics, and diverse motives in the past year, and in many ways, the 2012 Data Breach Investigations Report (DBIR) is a recounting of the many facets of corporate data theft.


Who is behind the data breaches? See below:

98% stemmed from external agents (+6%)
4% implicated internal employees (-13%)
<1% committed by business partners (<>)
58% of all data theft tied to activist groups
  • Outsiders are still dominating the scene of corporate data theft
  • Organized criminals were up to their typical misdeeds and were behind the majority of breaches in 2011
  • Activist groups created their fair share of misery and mayhem last year as well and they stole more data than any other group. Their entrance onto the stage also served to change the landscape somewhat with regard to the motivations behind breaches
  • Insider incidents declined yet again this year to a comparatively scant 4%

How do breaches occur?

81% utilized some form of hacking (+31%)
69% incorporated malware (+20%)
10% involved physical attacks (-19%)
7% employed social tactics (-4%)
5% resulted from privilege misuse (-12%)
  • Incidents involving hacking and malware were both up considerably last year, with hacking linked to almost all compromised records.

What commonalities exist?

79% of victims were targets of opportunity (-4%)
96% of attacks were not highly difficult (+4%)
94% of all data compromised involved servers (+18%)
85% of breaches took weeks or more to discover (+6%)
92% of incidents were discovered by a third party (+6%)
97% of breaches were avoidable through simple or intermediate controls (+1%)
96% of victims subject to PCI DSS had not achieved compliance (+7%)
  • Findings from the past year continue to show that target selection is based more on opportunity than on choice. Most victims fell prey because they were found to possess an (often easily) exploitable weakness rather than because they were pre-identified for attack.
  • Whether targeted or not, the great majority of victims succumbed to attacks that cannot be described as highly difficult. Those that were on the more sophisticated side usually exhibited this trait in later stages of the attack after initial access was gained.
  • Most breaches were avoidable without difficult or expensive countermeasures. Low levels of PCI DSS adherence highlight a plethora of issues across the board for related organizations.

While at least some evidence of breaches often exists, victims don’t usually discover their own incidents.

The percentage of relevant organizations in compliance with PCI DSS requirements, based on post-breach reviews conducted by the Verizon IR team, is shown below.

PCI DSS details from the report

  • Low levels of PCI DSS adherence highlight a plethora of issues across the board for related organizations
  • 96% of victims subject to PCI DSS had not achieved compliance
  • Organizations both large and small seem to struggle the most with Requirements 3, 7, 10, and 11.
  • When looking at the numbers on a year-over-year basis, Verizon saw mixed progress:
      • Improved, Requirements 1, 2, 6, 7, and 9
      • Declined, Requirements 3, 5, 8, and 11
      • Remained the same, Requirements 4, 10, and 12
  • The most significant improvement was Requirement 1 (+11%) “Install and maintain a firewall configuration to protect data.”
  • The most significant decline was Requirement 5 (-24%) “Use and regularly update anti-virus software”.

Verizon’s conclusions and recommendations

“Creating a list of solid recommendations gets progressively more difficult every year we publish this report. Think about it; our findings shift and evolve over time but rarely are they completely new or unexpected. Why would it be any different for recommendations based on those findings? Sure, we could wing it and prattle off a lengthy list of to-dos to meet a quota but we figure you can get that elsewhere. We’re more interested in having merit than having many.”

See the Verizon 2011 Payment Industry Compliance Report summary here


RSA’s February Online Fraud Report

In their February Online Fraud Report RSA shed light on one of the latest Fraud-as-a-Service (FaaS) offerings to be purveyed in the criminal underground, a new release of the “Darkness”, aka “Optima,” DDoS bot crimeware; a commercially available toolkit that not only allows fraudsters to launch DDoS attacks at a target of their choice, but which has also been enhanced with several Trojan-like functionalities.

The ‘Darkness’ DDoS bot is used to perpetrate DDoS attacks by flooding targeted websites with junk traffic originating from unwitting users’ systems. The first version of Darkness saw light in March 2009, and according to the Russian-based fraudster who posted the ad and claims to manage the Darkness “project,” the latest release contains several improvements such as enhanced flooding capabilities, an improved password grabber module, and a new module that installs SOCKS5 on victims’ systems. The vendor behind the ad claims to have been “verified” within Russian-speaking forums, and offers interested parties links to reviews of his product.

Darkness was originally coded to be the DDoS weapon of choice, but since then, several new modules have been authored for the bot, bestowing it with Trojan-like functionalities. And much like Trojan authors, Darkness’ coders have established a few security mechanisms to hinder their product’s operations from being shut down. Demonstrating the invisible hand of the market forces that govern the underground supply chain, this latest criminal offering is being rolled out in the fraudster community following a year that has been replete with numerous hacktivist DDoS attacks.

The business of selling the Darkness bot

The Darkness bot is sold as a compiled binary, for which the customer can define three Command & Control (C&C) server domains in order to ensure operational continuity in the event of a server takedown (by LE, ISPs, CERTs, etc.).

Darkness is sold as a FaaS offering with a customer receiving a complete, fully operational administration panel on the C&C domains of his choice.

While a “Minimum” package containing the DDoS bot binary is sold for $330, a “Brilliant” package offered for $850 includes unlimited free updates, a full set of modules and unlimited ‘free’ recompiles (“rebuilds”). Further demonstrating the FaaS business model, additional services and bot features are sold separately:

  • The Darkness bot’s source code (version 10) – $3,500-$5,000
  • Individual rebuilds – $35
  • Bot updates – $85
  • Socks5 module – $250
  • Key logger module – $55
  • Password grabber – $50
  • Hosts file editor – $35

After paying for the bot’s setup, all a fraudster would have to do is infect victims’ systems using an exploit kit of his choosing. As soon as a system is infected, it appears on the customer’s web panel, with such details as country, IP address, OS, and user privileges (admin vs. user account). According to the ad, “Excellent bilingual support (Ru, Eng)” is provided.

Interestingly, to avoid liability issues, the writer of the ad disclaims any use of the Darkness bot for purposes other than IT testing.

DDoS functionality

The Darkness bot offers four types of DDoS attacks:

  1. HTTP: An attack method whereby bots flood a targeted website’s resources by sending it an overwhelming number of standard HTTP (HyperText Transfer Protocol) requests.
  2. ICMP: An attack whereby bots send data packets over the ICMP protocol (Internet Control Message Protocol), and flood all the systems operating behind a network by targeting a range of IP addresses instead of a single IP or domain. This method exploits network devices that have not been properly configured to thwart this kind of attack.
  3. SYN: An attack that initiates a great number of TCP connections, which can only be established when a three-way handshake between two systems (a client and server) has been completed. SYN attacks drain a targeted site’s resources by initiating numerous TCP connections, but never properly completing the three-way handshake. This results in the targeted site (server) needlessly ‘waiting’ for an acknowledgement (by the client) of the new TCP connection and its being rendered unavailable for legitimate traffic.
  4. UDP: Attacks deploying the UDP protocol (User Datagram Protocol) rely on the fact that for every erroneous UDP packet sent to a given resource, an ICMP Destination Unreachable packet needs to be returned, serving as an “Error, Return to Sender” message. Flooding the targeted site with incoming UDP packets results in a counter-flood of outgoing ICMP Destination Unreachable packets, which ultimately render the site unavailable to legitimate users.
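The SYN description above leaves the server holding handshakes that never complete. The Python below is an added example written for this post (not code from RSA or from the Darkness bot) showing how a defender would spot that condition in a connection table; it runs over constructed netstat-style records, and the threshold values are illustrative choices, not figures from the report.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample records in the shape of `ss -tan` columns
# (state, local address:port, peer address:port). Port 443 shows the
# pattern the post describes: many peers stuck in SYN-RECV, few ESTAB.
# Port 22 shows ordinary traffic for contrast. Addresses come from the
# RFC 5737 documentation ranges; none of this is real capture data.
SAMPLE_CONNECTIONS = """\
ESTAB     10.0.0.5:443  198.51.100.7:51000
ESTAB     10.0.0.5:443  198.51.100.8:51001
SYN-RECV  10.0.0.5:443  203.0.113.10:40001
SYN-RECV  10.0.0.5:443  203.0.113.11:40002
SYN-RECV  10.0.0.5:443  203.0.113.12:40003
SYN-RECV  10.0.0.5:443  203.0.113.13:40004
SYN-RECV  10.0.0.5:443  203.0.113.14:40005
SYN-RECV  10.0.0.5:443  203.0.113.15:40006
SYN-RECV  10.0.0.5:443  203.0.113.16:40007
SYN-RECV  10.0.0.5:443  203.0.113.17:40008
ESTAB     10.0.0.5:22   198.51.100.9:52000
ESTAB     10.0.0.5:22   198.51.100.10:52001
SYN-RECV  10.0.0.5:22   198.51.100.11:52002
"""


@dataclass
class PortStats:
    half_open: int = 0
    established: int = 0
    half_open_peers: set = field(default_factory=set)


def parse_connections(text):
    """Group connection records by local port, counting half-open
    (SYN-RECV) and established (ESTAB) entries and the distinct peer
    addresses behind the half-open ones."""
    stats = defaultdict(PortStats)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip headers or malformed lines
        state, local, peer = parts
        port = int(local.rsplit(":", 1)[1])
        peer_ip = peer.rsplit(":", 1)[0]
        if state == "SYN-RECV":
            stats[port].half_open += 1
            stats[port].half_open_peers.add(peer_ip)
        elif state == "ESTAB":
            stats[port].established += 1
    return stats


def syn_flood_alerts(text, min_half_open=5, min_ratio=0.75, min_peers=4):
    """Return (port, half_open, distinct_peers) for each local port whose
    backlog is dominated by half-open connections from many peers.

    min_half_open: ignore ports with only a handful of pending handshakes
    min_ratio:     half-open / (half-open + established) threshold
    min_peers:     distinct sources needed to call it distributed; one
                   misbehaving client is a different problem
    (all three are illustrative defaults, tune them to the host)
    """
    alerts = []
    for port, s in sorted(parse_connections(text).items()):
        total = s.half_open + s.established
        if total == 0 or s.half_open < min_half_open:
            continue
        ratio = s.half_open / total
        if ratio >= min_ratio and len(s.half_open_peers) >= min_peers:
            alerts.append((port, s.half_open, len(s.half_open_peers)))
    return alerts


if __name__ == "__main__":
    for port, half_open, peers in syn_flood_alerts(SAMPLE_CONNECTIONS):
        print(f"port {port}: {half_open} half-open connections from {peers} peers")
```

On a live host the same function can be fed the output of `ss -tan` (dropping its header line); a sustained alert alongside normal established counts is the signal to enable SYN cookies or rate-limit at the edge.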

According to a Darkness ad reported in 2010, an average website can be brought down using only 30 infected systems (bots), while 1,000 would be required for a large website. The writer of the Darkness ad further claims that a high-profile website like (Russian social network), which in November 2010 reported 100 million users, would require 15,000-20,000 bots.

Trojan-like modules

Modules added to the latest release of the Darkness bot (version 10) enhance the code with functionalities typical of Trojan codes, and are sold separately much like commercial Trojan add-ons:

  • Mini-Loader Function: The ad mentions that the bot has a “Mini-Loader function: it’s possible to load your EXE files to the bots.” Thanks to this functionality, fraudsters looking to download a financial Trojan to an already-infected system can easily do so.
  • SOCKS5 Backconnect Module: SOCKS5 modules are often installed on victims’ systems by financial Trojans, enabling fraudsters to exploit users’ systems as proxies, a feature that allows fraudsters to ‘backconnect’ from a Command & Control server to a targeted website via the victim’s system. This module enables fraudsters to access a site while appearing to operate from the victim’s IP address.
  • Password Grabber Module: The password grabber offered by the bot’s vendor can grab passwords from 14 different applications, including various FTP clients, instant-messaging programs, and webmail programs, as well as various online forms.
  • Hosts File Editor Module: This functionality enables botmasters to reroute victims to malicious websites by editing their hosts file, which is a local file that serves as the first point of reference when a user’s system searches for an internet resource, such as a domain or IP address. Brazilian Banker Trojans often edit victims’ hosts files to reroute them to phishing pages that mimic targeted banks’ websites.
  • Key logger Module: This module enables Darkness operators to log all the keystrokes entered online by their victims, a feature that is rarely used by today’s advanced Trojans, given their ability to intercept all HTTP and HTTPS communications (for example, the Zeus Trojan and its derivatives no longer keylog at all).
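Because the hosts file is consulted before DNS, a planted redirect of the kind the Hosts File Editor module performs is straightforward to audit for. The Python below is an added example for this post (not code from RSA or the report) that parses a constructed hosts file and flags non-local hostnames pinned to routable addresses; the domain names and addresses in the sample are placeholders, not real institutions.

```python
import ipaddress

# Constructed hosts-file content for the example. The first entries are
# the normal loopback lines; the 0.0.0.0 line is the common ad-blocking
# pattern; the last two are the kind of redirect a hosts-file editing
# module would plant. Addresses are from the RFC 5737 documentation
# ranges and the .invalid TLD is reserved, so nothing here resolves.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         ads.example-tracker.invalid
198.51.100.23   www.examplebank.invalid   online.examplebank.invalid
203.0.113.9     login.examplepayments.invalid  # planted entry
"""

# Hostnames that legitimately appear in a default hosts file.
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping blank
    lines, full-line comments and trailing inline comments. A line may
    map several hostnames to one address, so each name is yielded."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; ignore the line
        for name in fields[1:]:
            yield ip, name.lower()


def suspicious_hosts_entries(text, watchlist=()):
    """Return (hostname, ip, reason) for entries worth a closer look.

    Any non-local hostname pinned to a routable address is reported,
    because a user machine's hosts file normally holds only loopback
    entries. Names on the caller's watchlist (for example the domains of
    banks the organisation cares about) are reported with a stronger
    reason whatever address they point at, unless it is loopback or
    0.0.0.0, which merely blocks the name rather than redirecting it.
    """
    watch = {w.lower() for w in watchlist}
    findings = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES or name.endswith(".localdomain"):
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue  # blocking pin, not a redirect
        if name in watch or any(name.endswith("." + w) for w in watch):
            findings.append((name, str(ip), "watchlisted domain redirected"))
        else:
            findings.append((name, str(ip), "non-local hostname pinned"))
    return findings


if __name__ == "__main__":
    for name, ip, reason in suspicious_hosts_entries(
        SAMPLE_HOSTS, watchlist=["examplebank.invalid"]
    ):
        print(f"{name} -> {ip}: {reason}")
```

Reading the real file (`/etc/hosts`, or `%SystemRoot%\System32\drivers\etc\hosts` on Windows) into the same function gives a quick per-host check that can be scheduled or folded into an endpoint baseline.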

Security countermeasures

Darkness’ coders have invested some effort in attempting to conceal their product’s operation. As mentioned above, each Darkness binary can be configured with up to three different C&C server domains, enabling backup of the bot’s resources in the event of a domain’s suspension or a server takedown. In addition, they claim that the bot can bypass Windows’ firewall, and that it employs “some trick to bypass DDoS Protections.” While the ad claims that Darkness’ processes and resources remain invisible to the user, a previous version of the bot has reportedly failed to disguise its processes.

DDoS attacks and hacktivism

This latest criminal offering is being rolled out in the fraudster community following a year that has been replete with numerous hacktivist DDoS attacks initiated by various groups such as Anonymous, TeamPoison, AntiSec, LulzSec, and others. In 2011, high-profile victims of DDoS attacks waged by hacktivist groups included: Sony’s Playstation Network, the CIA’s website, the FBI, UK tabloid The Sun, the Spanish Police, and the government websites of Egypt, Tunisia and Turkey.

The latest set of DDoS attacks was launched last month by Anonymous (January 19, 2012), its victims comprising proponents of the controversial SOPA and PIPA bills, including the Recording Industry Association of America (RIAA), Motion Picture Association of America (MPAA), Broadcast Music, Inc. (BMI), and the FBI.

The weapon of choice for some of these attacks was Low Orbit Ion Cannon (LOIC), a free open-source program that can also serve legitimate purposes, such as testing the durability of an Internet resource in the event of a DDoS attack. To launch an orchestrated attack that leverages their power as a community, fraudsters installed the program on their system, willingly forming a large botnet that was controlled by a central Command & Control server. At a predefined time, the C&C server issued a command to the fraudsters’ systems to start flooding victim sites with junk traffic, resulting in their temporary ‘denial of service.’

Aligning itself with the invisible hand of demand, the “Darkness” bot satisfies fraudsters’ increasing motivation to unite against perceived foes, while also fulfilling a role of a user-friendly malware kit.

And “Darkness” is not the only Trojan kit from which fraudsters can launch DDoS attacks. In March 2011, the FraudAction Research Lab reported on a DDoS plugin traced in a variant of the SpyEye Trojan. The DDoS plugin, however, is not sold as part of the SpyEye Trojan kit, but rather it was privately developed by an individual botmaster. Recent versions of the SpyEye builder are sold with a Software Development Kit (SDK) to facilitate the development of new modules by individual botmasters.

In light of a growing interest in the underground to launch DDoS attacks against financial institutions, data security companies, law enforcement agencies, and various government bodies, we are likely to see a growing number of DDoS-enabling modules and malware kits offered in the underground market in the near future.

Phishing Attacks per Month

The year 2012 has started off with a 42% increase in the number of phishing attacks launched, with 29,974 unique attacks identified by RSA in January. Last month also saw an increase in the total number of brands attacked and the number of attacks endured by individual brands.

Number of Brands Attacked

A total of 281 brands were targeted by phishing attacks in January, marking a 10% increase from the number of targets recorded in December 2011.

US Bank Types Attacked

Nationwide U.S. brands accounted for 68% of the brands targeted in the U.S. financial sector, marking a 14% decrease from December 2011. Also in January, the portion of targeted U.S. credit union brands increased 13% and U.S. regional bank brands increased 4%.

Top Countries by Attack Volume

The UK has remained the country targeted by the highest volume of phishing attacks for the fifth consecutive month with a 10% increase since last month. In total, the UK was targeted by 60% of the world’s phishing attacks in January. While the U.S. saw a 5% decrease in the volume of attacks, the volume targeting Canada increased by 2%. The countries that have consistently suffered the largest volume of phishing attacks over the past year have been the UK, U.S., Canada, and the Netherlands.

Top Countries by Attacked Brands

Combined, U.S. and UK brands accounted for 44% of January’s phishing attacks. Twenty-one (21) other countries absorbed a combined portion of 56% of the world’s attacks, with each country accounting for 1% to 4% of the world’s targeted brands.

Top Hosting Countries

In January, U.S.-based hosting entities exceeded their normal share of phishing attacks, hosting 82% of worldwide phishing attacks as compared to 50 – 70% of attacks in a typical month.

Previous RSA Online Fraud Report Summaries:

  • The RSA January Online Fraud Report Summary is here.
  • The RSA December Online Fraud Report Summary is here.
  • The RSA November Online Fraud Report Summary is here.
  • The RSA October Online Fraud Report Summary is here.
  • The RSA September Online Fraud Report Summary is here.


Email Attacks: This Time It’s Personal


Cisco Security Intelligence Operations’ (SIO) research has found that “Cybercriminal business models have recently shifted toward low volume targeted attacks. With email remaining the primary attack vector, these attacks are increasing in both their frequency and their financial impact on targeted organizations”.

Cisco SIO estimates that the Cybercriminal benefit resulting from traditional mass email based attacks has declined more than 50 percent, from US$1.1 billion in June 2010 to $500 million in June 2011 on an annualized basis.

This change reflects a reduction in spam volume from 300 billion to 40 billion spam messages daily from June 2010 to June 2011. This reduction is consistent with low continued user conversion rates and is partially offset by increases in the average user spending on conversions.

This decline has been offset by a small subset of mass attacks: scams and malicious attacks, which make up about 0.2 percent of total mass attacks and have been providing greater cybercriminal benefit. By using more personalization tools, the user conversion rates for the better crafted scams and malicious attacks have increased significantly in the last year. In addition, the average user loss caused by the malware or scam employed has increased because of the information shared.

Cisco’s Attack Classifications

As Cybercriminal activity continues to evolve, the specific attacks and their impact to organizations also change.

Mass Attacks

Mass attacks have been the basis of threats since the first days of distributed networks. Self-propagating worms, distributed denial of service (DDoS) attacks, and spam are some preferred methods for achieving financial gain or business disruption.

The criminal creates a common payload and places it in locations that victims might access, often inadvertently. Examples include infecting websites, exploiting security vulnerabilities in file formats such as PDFs, sending emails to make a purchase, and mass phishing of banking credentials. Traditional anti-threat methods rely on several factors, including quickly identifying the threat when it is first reported or seen in the network and then blocking similar threats in the future. If criminals infiltrate the security layers far enough to reach their targets, they will achieve the desired result in sufficient quantities to make this business model lucrative.

A significant segment of this type of attack is the burgeoning number of scams and malicious attacks. As part of the evolution of the criminal ecosystem, these attacks are becoming highly focused. Regardless of the vector or delivery engine, including short message service (SMS), email and social media, criminals are choosing their targets with greater care, using personalized information such as a user’s geographical location or job position. Examples of these scams include:

  • SMS financial fraud scams to specific locales
  • Email campaigns that use URL shortening services
  • Social media scams, where the criminal befriends a user or group of users for financial gain

When only a few threats are sent, these strategies may be effective in reaching the victims, but may not always prove cost effective to the criminals. Yet, for reaching high value victims, this approach is increasingly being leveraged by smart, organized, and profit driven criminals. When criminals are specific about their victim profiles, these threats are referred to as Spearphishing attacks.

Spearphishing attacks are aimed at a specific profile of users, often high-ranking organizational users who have access to commercial bank accounts. Spearphishing attacks are typically well crafted; they use contextual information to make users believe they are interacting with legitimate content. The Spearphishing email may appear to relate to some specific item of personal importance or a relevant matter at the company, for instance discussing payroll discrepancies or a legal matter. According to Cisco SIO research, more than 80 percent of Spearphishing attacks contain links to websites with malicious content. Yet the linked websites are often specially crafted and previously unseen, making them complex to detect.

Cybercriminal Benefit (US$ million)    1 Year Ago    Current
Spam Attacks                           $1,000        $300
Scams and Malicious                    $50           $200
Totals                                 $1,050        $500

Targeted Attacks

Targeted attacks are highly customized threats directed at a specific user or group of users, typically for intellectual property theft. These attacks are very low in volume and can be disguised by either known entities with unwitting compromised accounts or anonymity in specialized botnet distribution channels. Targeted attacks generally employ some form of malware and often use zero-day exploits in order to gain initial entry to the system and to harvest desired data over a period of time. With these attacks, criminals often use multiple methods to reach the victim. Targeted attacks are difficult to protect against and have the potential to deliver the most potent negative impact to victims. While potentially similar in structure, the major differentiator of targeted attacks relative to Spearphishing attacks is the focus on the victim. A targeted attack is directed toward a specific user or group of users, whereas a Spearphishing attack is usually directed toward a group of people with a commonality, such as being customers of the same bank. Targeted attackers often build a dossier of sorts on intended victims, gleaning information from social networks, press releases, and public company correspondence. While Spearphishing attacks may contain some personalized information, a targeted attack may contain a great deal of information which is highly personalized and generally of unique interest to the intended target.

A well-publicized example of a targeted attack is Stuxnet, a computer worm discovered in July 2010 which specifically targeted industrial software and equipment. Stuxnet exploited a vulnerability in the way that Windows handles shortcut files, allowing the worm to spread to new systems. The worm is believed to have been purpose-built to attack Supervisory Control and Data Acquisition (SCADA) systems, those used to manage complex industrial networks such as power plants and chemical manufacturing facilities. Stuxnet’s cleverness is in its ability to traverse non-networked systems, which means that even systems unconnected to networks or the Internet are at risk. Operators believed that a default Siemens password (which had been made public on the web some years earlier) could not be corrected by vendors without causing significant difficulty for customers. The SCADA system operators might have been laboring under a false sense of security: because their systems were not connected to the public Internet, they might have believed they were not prone to infection.

Federal News Radio’s website called Stuxnet “the smartest malware ever.” In January 2011, Cisco SIO detected a targeted attack message sent to senior executives at a large corporation. This campaign was sophisticated, in that it used previously unseen resources. The message was sent by an unknown party through a legitimate but compromised server in Australia. The email message was seemingly legitimate. The embedded action URL was hosted on a legitimate but compromised law blog. When clicked, the user’s browser was directed to a previously unknown copy of the Phoenix exploit kit. After the exploit was successful, it installed the Zeus Trojan on the victim’s computer.

Economics of Attacks

The economics of a typical campaign underscore the difference between mass and targeted attack business models.

For an individual campaign, the economics of a Spearphishing attack can be more compelling than for a mass attack. The costs are significantly higher, but so too are the yield and benefit. Cisco SIO estimates the costs of a Spearphishing attack at five times the cost of a mass attack, given the quality of the list acquisition, botnet leased, email generation tools, malware purchased, website created, campaign administration tools, order processing back-end infrastructure, fulfillment providers, and user background research activity required. This significantly higher cost basis and greater effort requires highly specialized skills. It also requires higher yields to be effective.

Cybercriminals are balancing competing priorities: Infect more users or keep the attack small enough to fly under security vendors’ radar? Spearphishing attack campaigns are limited in volume but offer higher user open and click through rates. With these constraints, Cybercriminals are increasingly focusing on business users with access to corporate banking accounts, to make sure they’re seeing sufficient return per infection. This is why the average value per victim can be 40 times that of a mass attack. Ultimately, this approach is justified:

“Profit from a single Spearphishing attack campaign can be more than 10 times that of a mass attack”

The potential returns are causing a shift in Cybercriminal business models. Presently, the opportunity cost of spamming may not be worth the rate of return due to increases in both anti-spam efficacy and user awareness. Instead, Cybercriminals are focusing more time and effort on different types of targeted attacks, often with the goal of gaining access to more lucrative corporate and personal bank accounts and valuable intellectual property.

To make their attacks more personalized, some Cybercriminals have focused on infiltrating email marketing vendors, since they have valid names, email addresses, and other attributes. When used in scams and malicious attacks, whether on a mass scale or in Spearphishing attacks this personal information increases the likelihood of users opening an attack email. The correlation of lower mass spam with recent data breaches is interesting, but the real takeaway is that attacks are becoming more personalized.

Impact of Personalized Attacks

Spearphishing attacks, though lower in volume relative to other types of threats, have serious consequences for today’s enterprises. The majority of Spearphishing attacks ultimately lead to financial loss, making them incredibly dangerous to victims and incredibly valuable to Cybercriminals. Spearphishing uses customization methods superior to those used in mass scams and malicious attacks, resulting in significantly higher user open and conversion rates. These success factors have made Spearphishing attack infections more effective, and hence more commonplace, which is corroborated by Federal Trade Commission estimates of 9 million Americans having their identities stolen each year.

The value per victim in Spearphishing attacks can vary substantially, with the mean and median values being quite high. For example, according to primary consumer research conducted by Javelin Strategy & Research, the mean identity fraud amount per victim was $4,607 in 2010. If we use a conservative estimate of user loss, $400, the total Cybercriminal benefit resulting from Spearphishing attacks amounts to $150 million in June 2010 on an annualized basis. This figure has tripled from $50 million a year ago; it is expected to continue increasing in the coming months as Cybercriminal activity returns to its prior business levels.

Impact of Targeted Attacks

The malicious nature of targeted attacks causes them to be very expensive to society in general and to individual organizations specifically. The cybercriminal benefit from a targeted attack, while substantial, is not easy to estimate because it is highly variable, based on the specific victim and intellectual property compromised. However, the cybercriminal benefit is a subset of the overall cost to the victim organization, which also depends heavily on the organization’s reputation and status. The organizational costs resulting from targeted attacks can vary. According to the FBI, these costs can range from thousands to hundreds of millions USD.

Similarly, the Ponemon Institute has estimated the potential cost per organizational data breach to range anywhere from US$1 million to US$58 million. As an example, a large gaming platform provider reported that the unauthorized access to its network that occurred in Q2 of 2011 has resulted in currently known associated costs of approximately US$172 million. Costs include personal information theft protection programs, insurance to cover identity theft losses, costs of “welcome back” programs, customer support costs, network security enhancement costs, legal and expert costs, and the impact on profits due to possible future revenue decreases.

In another example, a public payments processor company experienced a data breach resulting in millions of compromised user account credentials. A year later, the company reported related expenses totaling US$105 million. As per their 10-Q SEC filing, “The majority of these charges, or approximately $90.8 million, related to:

  1. assessments imposed by MasterCard and VISA against us and our sponsor banks
  2. settlement offers we made to certain card brands in an attempt to resolve certain of the claims asserted against our sponsor banks (who have asserted rights to indemnification from us pursuant to our agreements with them)
  3. expected costs of settling with certain claimants with whom settlement discussions are underway

During the same timeframe from the intrusion to the 10-Q results, the company lost 30% of its value relative to the Standard and Poor’s 500 Index, or roughly $300 million in shareholder value. Ultimately, the corporate reputation is tarnished at a cost more significant than the costs of the monetary loss and remediation combined.

Overall Impact of Attacks

It’s clear that the shift in Cybercriminal business models has provided an interim benefit from lower threat activity. Organizations are only partially able to appreciate the reduction in Cybercriminal activity, though, as their costs can encompass far more than financial loss. To estimate these total losses, Cisco SIO conducted primary research with 361 organizations located globally to understand their perspectives.

The organizational impacts of attacks can be categorized as follows:

  1. Financial
  2. Remediation
  3. Reputation

Financial: Financial loss directly to the Cybercriminals can range widely based on the specific attack; as a result, organizations cannot estimate the loss.

Remediation: The remediation costs of Spearphishing and targeted attacks are incurred by victim organizations. The administrative team must identify and remediate the compromised hosts; this can be challenging given the increasing use of surreptitious applications. Because of the complexity of current targeted attacks and the underlying malware, costs for remediation can be significant. Remediation costs include the time required to address the infected host and the corresponding opportunity cost of that time. With the organizations surveyed, Cisco observed that infected hosts take an average of two hours of dedicated effort to resolve. The cost basis of two hours of effort per resolution is specific to each organization, as is the corresponding opportunity cost of that time. Based on Cisco SIO research, organizations estimated that the direct remediation cost per infected user is $640, or 2.1 times that of the direct monetary loss.

Reputation: The negative reputation impact of attacks can be experienced over time by victim organizations and users. For example, building a brand typically takes years, but a negative event or news story, especially one that is highly visible, can quickly tarnish a company’s image. The direct impact can be a significant decline in business, sometimes even leading to the organization’s demise. Determining the true costs of adverse reputation impact can be challenging, as is estimating the value of an organization’s brand. Nevertheless, organizations have made it clear that adverse events can impact their reputation, which in turn can create a significant decline in business and shareholder value. Based on Cisco SIO research, organizations estimated that the reputation cost per infected user is $1,900, or 6.4 times that of the direct monetary loss.

Combined Impact: The overall costs of Spearphishing and targeted attacks to organizations are substantially more than their direct monetary loss to Cybercriminals.

While the costs can vary widely depending on the specific organization and attack, one point is clear: The overall costs to organizations can be significant. In addition, reputation management and remediation efforts can create a strain on the organization.

Cisco’s Conclusion to its research

The increased number of low volume targeted attacks has impacted users in many organizations, regardless of industry, geography and size. Their prevalence has caused both a related increase in criminal financial benefit and impact on victimized organizations. Organizations have to bear the burden of not only the monetary loss but also the cost of remediating infected hosts and the negative impact on their brand reputation. With the number of targeted attacks expected to increase, Cybercriminal activity will continue to evolve, as will its impact.

Download the report here.


Botnets: 10 Tough Questions downloadable research


As part of the project “Botnets: Detection, Measurement, Mitigation & Defence”, a series of questions was discussed by internationally renowned experts in the field of botnets between September and November 2010.

This document presents a selection of the most interesting results. The document distills the major issues which need to be understood and addressed by decision-makers in all groups of stakeholders.

Editor: Dr. Giles Hogben
Authors: Daniel Plohmann, Elmar Gerhards-Padilla, Felix Leder

Download the document here

The European Network and Information Security Agency (ENISA) works for the EU Institutions and Member States. ENISA is the EU’s response to security issues of the European Union. As such, it is the ‘pace-setter’ for Information Security in Europe.

The objective is to make ENISA’s web site the European ‘hub’ for exchange of information, best practices and knowledge in the field of Information Security. This web site is an access point to the EU Member States and other actors in this field.
