1. Attacks against infrastructure are targeting significant resources across the Internet.
Malicious exploits are gaining access to web hosting servers, name servers, and data centers. This suggests the forming of überbots that seek high-reputation and resource-rich assets.
Buffer errors are a leading threat, at 21% of the Common Weakness Enumeration (CWE) threat categories.
Malware encounters are shifting toward electronics manufacturing and the agriculture and mining industries at about 6x the average encounter rate across industry verticals.
2. Malicious actors are using trusted applications to exploit gaps in perimeter security.
Spam continues its downward trend, although the proportion of maliciously intended spam remains constant.
Java comprises 91% of web exploits; 76% of companies using Cisco Web Security services are running Java 6, an end-of-life, unsupported version.
“Watering hole” attacks are targeting specific industry-related websites to deliver malware.
3. Investigations of multinational companies show evidence of internal compromise. Suspicious traffic is emanating from their networks and attempting to connect to questionable sites (100% of companies are calling malicious malware hosts).
Indicators of compromise suggest network penetrations may be undetected over long periods.
Threat alerts grew 14% year over year; new alerts (not updated alerts) are on the rise.
99% of all mobile malware in 2013 targeted Android devices. Android users also have the highest encounter rate (71%) with all forms of web-delivered malware.
RSA’s February 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre, a summary of the report is below.
Phishing still stands as the top online threat impacting both consumers and the businesses that serve them online. In 2012, there was an average of over 37,000 phishing attacks each month identified by RSA.
The impact of phishing on the global economy has been quite significant: RSA estimates that worldwide losses from phishing attacks cost more than $1.5 billion in 2012, and had the potential to reach over $2 billion if the average uptime of phishing attacks had remained the same as 2011.
This monthly highlight goes beyond the growing numbers recorded for phishing attacks and looks deeper into the evolution of attack tactics facilitating the sustained increase witnessed over the last year.
Phishing kits recently analyzed by RSA show another phish tactic increasingly used by phishers. Although this is not entirely new, it is interesting to see it implemented by miscreants planning to evade email filtering security.
The scheme includes a number of redirections from one website to another. What kit authors typically do in such cases is exploit and take over one legitimate website, hijacking it but not making any changes to it. They will be using this site as a trampoline of sorts, making their victims reach it and then be bounced from there to a second hijacked website: the actual phishing page.
What good can this serve? Simple: the first site is purposely preserved as a “clean” site so that phishers can send it as an unreported/unblocked URL to their victims, inside emails that would not appear suspicious to security filtering. The recipient will then click the link, get to the first (good) URL and be instantly redirected to the malicious one.
Another similar example is reflected in time-delayed attacks – again, not new, but increasingly used by attackers. This variation uses the same clean site, sends the email spam containing the “good” URL and stalls. The malicious content will only be loaded to the hijacked site a day or two later. These are often weekend attacks, where the spam is sent on a Sunday, clears the email systems, then the malicious content is available on Monday. The same scheme is used for spear phishing and Trojan infection campaigns.
Research into attack patterns proves that Fridays are a top choice for phishers to send targeted emails to employees – spear phish Friday if you will. Why Friday? When it comes to phishing, phishers make it their business to know their targets as well as possible. It stands to reason that employees may be a little less on guard on the last day of the week, clean their inbox from the week’s emails and browse the Internet more – making them more likely to check out a link they received via email that day.
Typo squatting is a common way for phishers to try and trick web users into believing they are looking at a legitimate URL and not a look-alike evil twin. The basics of typo squatting is registering a website for phishing, choosing a domain name that is either very similar to the original or visually misleading.
The most common ways of doing this are:
Switching letters, as in bnak or bnk for “bank”
Adding a letter at the end of the word or doubling in the wrong place, as in Montterrey for “Monterrey”
Swapping visually similar letters
Phishers are creative and may use different schemes to typo squat. This phish tactic can be noticed by keen-eyed readers who actually pay close attention to the URL they are accessing, however, for more individuals on a busy day, typo squatting can end with an inadvertent click on the wrong link. This is especially important today, since fake websites look better than ever and are that much harder to tell apart.
A quick search engine search for domain iwltter.com immediately revealed that it was registered by someone in Shanghai and already reported for phishing.
But the notion plays against phishers in other aspects. Typos are one of the oldest tell-tale signs of phishing. You’d think that by now phishers would have learned that their spelling mistakes and clunky syntax impairs their success rates, but luckily, they haven’t. This could be in part due to the fact that many kit authors are not native English speakers
Another phish tactic analyzed by RSA in the recent month came in the shape of a kit that selected its audience from a 3,000 strong pre-loaded list. It may sound like a long list, but is it very limiting in terms of exposure to the phishing attack itself.
This case showed that phishers will use different ways to protect the existing campaign infrastructure they created and make sure strangers, as in security and phish trackers, keep out of their hijacked hostage sites while they gather credentials and ship them out to an entirely different location on the web.
Water-holing in the phishing context became a tactic employed by attackers looking to reach the more savvy breed of Internet users. Instead of trying to send an email to a security-aware individual, attempting to bypass security implemented in-house and reinventing the phish, water-holing is the simple maneuver of luring the victim out to the field and getting him there.
A water-hole is thus a website or an online resource that is frequently visited by the target-audience. Compromise that one resource, and you’ve got them all. Clearly fully patched systems will still be rather immune and secured browsers that will not allow the download of any file without express permission from the user will deflect the malware.
Water-holing has been a tactic that managed to compromise users by using an exploit and infecting their machines with a RAT (remote administration tool). This is also the suspected method of infection of servers used for the handling of payment-processing data. Since regular browsing from such resources does not take place on daily basis, the other possibility of a relatively wide campaign is to infect them through a resource they do reach out to regularly.
Water-holing may require some resources for the initial compromise of the website that will reap the rewards later, but these balance out considering the attacker does not need to know the exact contacts/their email addresses/the type of content they will expect or suspect before going after the targeted organization.
Although there is not much a phishing page can surprise with, one can’t forget that the actual page is just the attack’s façade. Behind the credential-collecting interface lay increasingly sophisticated kits that record user hits and coordinates, push them from one site to the next, lure them to infection points after robbing their information and always seeking the next best way to attack. According to recent RSA research into kits, changes in the code’s makeup and phish tactics come from intent learning of human behavior patterns by logging statistical information about users and then implementing that knowledge into future campaigns.
Phishing Attacks per Month In January, RSA identified 30,151 attacks launched worldwide, a 2% increase in attack volume from December. Considering historical data, the overall trend in attack numbers in an annual view shows slightly lower attack volumes through the first quarter of the year.
Number of Brands Attacked
In January, 291 brands were targeted in phishing attacks, marking a 13% increase from December.
US Bank Types Attacked
U.S. nationwide banks continue to be the prime target for phishing campaigns – targeted by 70% of the total phishing volume in January. Regional banks’ attack volume remained steady at 15%, while attacks against credit unions increased by 9%.
Top Countries by Attack Volume
The U.S. was targeted by phishing most in January – with 57% of total phishing volume. The UK endured 10%, followed by India and Canada with 4% of attack volume respectively.
Top Countries by Attacked Brands
Brands in the U.S were most targeted in January; 30% of phishing attacks were targeting U.S. organizations followed by the UK that represented 11% of worldwide brands attacked by phishers. Other nations whose brands were most targeted include India, Australia, France and Brazil.
Top Hosting Countries
In January, the U.S. remained the top hosting country, accounting for 52% of global phishing attacks, followed by Canada, Germany, the UK and Colombia which together hosted about one-fifth of phishing attacks in January.
Previous 3 months of RSA Online Fraud Report Summaries:
The RSA January 2013 Online Fraud Report Summary here.
The RSA December 2012 Online Fraud Report Summary here.
The RSA November 2012 Online Fraud Report Summary here.
In their July Online Fraud Report RSA reports on the activity of online fraudsters, full summary below.
Phishing attacks continue to increase around the world. In the first half of 2012, the RSA Anti-Fraud Command Center identified 195,487 unique phishing attacks, an increase of 19% as compared to the second half of 2011.
Global fraud losses down despite a 19% increase in phishing attacks
So why are fraud losses decreasing? One reason is that the industry is simply getting better at fighting back. A major factor in determining fraud losses caused by phishing is measuring the lifespan of an attack. The longer an attack is live, the more victims there are that are potentially exposed and at risk of having their credentials stolen. By reducing the lifespan of a phishing attack through early detection and shutdown, organizations narrow the window of opportunity for cybercriminals to commit fraud.
In the first half of 2012, the top ten countries that experienced the highest volume of phishing attacks include:
There have been major increases in phishing attack volume in some countries, while in other countries, it has declined slightly. One of the most significant increases was in Canada where phishing increased nearly 400% in the first half of 2012. There have been many observations as to why the sharp increase, but the main reason is simply economics, fraudsters follow the money. See my previous blog “Criminal logic; follow the money and find easy targets”. With the Canadian and U.S. dollar being exchanged at nearly a 1:1 ratio, Canada has become a lucrative target for cybercrime.
On the other hand, the U.S. experienced a 28% decline in phishing volume in the first half of the year. Other countries that have seen phishing volume decrease include Brazil, the Netherlands, Germany, Australia and South Africa.
Phishing Attacks per Month
In June 2012, phishing volume grew considerably. RSA identified 51,906 unique phishing attacks, a 37% increase. The recent spike in phishing volume can be partly attributed to the advanced technology and fraud services offered by cybercriminals in the underground including ready-made spam databases, custom coded malware designed to automate site hijacking and the hosting of malicious pages, as well as sophisticated spambot services.
Number of Brands Attacked
Despite the huge spike in phishing volume, the number of brands targeted by phishing attacks throughout the month of June decreased 13%.
US Bank Types Attacked
In the U.S. financial sector, nationwide bank brands saw a 16% increase in phishing volume in June while credit union brands saw a 10% decrease and regional bank brands saw a 6% decrease.
Top Countries by Attack Volume
The UK endured the largest volume of phishing attacks in June, despite seeing a drop of 21% in attack volume (from 63% to 42%). Canada was the country with the second largest volume of attacks, with a considerable increase from 3% to 29% in June. A surprising newcomer, Norway, experienced 2% of phishing volume.
Top Countries by Attacked Brands
The U.S., UK and Australia remain the three countries whose brands are most affected by phishing – targeted by 43% of phishing attacks in June. Brands in India, Brazil, Canada, Italy and China also remained heavily targeted by phishing in June.
Top Hosting Countries
The U.S. continues to be the country that hosts the most phishing attacks. In June, six out of every ten phishing attacks were hosted in the U.S. Russia and Poland – both newcomers to the Top Hosting Countries list – hosted 5% of attacks.
Previous RSA Online Fraud Report Summaries:
The RSA June 2012 Online Fraud Report Summary here.
The RSA April 2012 Online Fraud Report Summary here.
The RSA March 2012 Online Fraud Report Summary here.
The RSA February 2012 Online Fraud Report Summary here.
The RSA January 2012 Online Fraud Report Summary is here.
The RSA December 2011 Online Fraud Report Summary is here.
The RSA November 2011 Online Fraud Report Summary is here.
The RSA October 2011 Online Fraud Report Summary is here.
The RSA September 2011 Online Fraud Report Summary is here.
Symantec have released their June 2011 Intelligence Report. The Symantec Intelligence Report, provides the latest analysis of cyber security threats, trends and insights from the Symantec Intelligence team concerning malware, spam, and other potentially harmful business risks. The data used to compile the analysis for this combined report includes data from May and June 2011.
Spam – 72.9% in June (a decrease of 2.9 percentage points since May 2011)
Phishing – One in 330.6 emails identified as Phishing (a decrease of 0.05 percentage points since May 2011)
Malware – One in 300.7 emails in June contained malware (a decrease of 0.12 percentage points since May 2011)
Malicious Web sites – 5,415 Web sites blocked per day (an increase of 70.8% since May 2011)
35.1% of all malicious domains blocked were new in June (a decrease of 1.7 percentage points since May 2011):
20.3% of all Web-based malware blocked was new in June (a decrease of 4.3 percentage points since May 2011)
Review of Spam-sending botnets in June 2011
Clicking to Watch Videos Leads to Pharmacy Spam
Wiki for Everything, Even for Spam
Phishers Return for Tax Returns
Fake Donations Continue to Haunt Japan
Spam Subject Line Analysis
Best Practices for Enterprises and Users
In June 2011, the global ratio of spam in email traffic decreased by 2.9% points since May 2011 to 72.9% (1 in 1.37 emails).
As the global spam level declined in June 2011, Saudi Arabia became the most spammed geography, with a spam rate of 82.2%, overtaking Russia, which moved into second position.
In the US, 73.7% of email was spam and 72.0% in Canada. The spam level in the UK was 72.6%. In The Netherlands, spam accounted for 73.0% of email traffic, 71.8% inGermany, 71.9% in Denmark and 70.4% in Australia. In Hong Kong, 72.2% of email was blocked as spam and 71.2% in Singapore, compared with 69.2% in Japan. Spam accounted for 72.3% of email traffic in South Africa and 73.4% in Brazil.
Global Spam Categories
Spam Category Name
In June, Phishing activity decreased by 0.06 percentage points since May 2011; one in 286.7 emails (0.349%) comprised some form of Phishing attack
Phishing Sources: Country
South Africa remained the most targeted geography for Phishing emails in June, with 1 in 111.7 emails identified as phishing attacks. South Africa suffers from a high level of Phishing activity targeting many of its four major national banks, as well as other international financial institutions.
In the UK, phishing accounted for 1 in 130.2 emails. Phishing levels for the US were 1 in 1,270 and 1 in 207.7 for Canada. In Germany Phishing levels were 1 in 1,375, 1 in 2,043 in Denmark and 1 in 543.7 in The Netherlands. In Australia, Phishing activity accounted for 1 in 565.2 emails and 1 in 2,404 in Hong Kong; for Japan it was 1 in 11,179 and 1 in 2,456 for Singapore. In Brazil, 1 in 409.8 emails were blocked as Phishing attacks.
The Public Sector remained the most targeted by phishing activity in June, with 1 in 83.7 emails comprising a Phishing attack. Phishing levels for the Chemical & Pharmaceutical sector were 1 in 897.3 and 1 in 798.3 for the IT Services sector; 1 in 663.2 for Retail, 1 in 151.4 for Education and 1 in 160.8 for Finance.
The global ratio of email-borne viruses in email traffic was one in 300.7 emails (0.333%) in June, a decrease of 0.117 percentage points since May 2011.
The UK remained the geography with the highest ratio of malicious emails in June, as one in 131.9 emails was blocked as malicious in June.
In the US, virus levels for email-borne malware were 1 in 805.2 and 1 in 297.7 for Canada. In Germany virus activity reached 1 in 721.0, 1 in 1,310 in Denmark and in The Netherlands 1 in 390.3. In Australia, 1 in 374.5 emails were malicious and 1 in 666.5 in Hong Kong; for Japan it was 1 in 2,114, compared with 1 in 946.7 in Singapore. In South Africa, 1 in 280.9 emails and 1 in 278.9 emails in Brazil contained malicious content. With 1 in 73.1 emails being blocked as malicious, the Public Sector remained the most targeted industry in June. Virus levels for the Chemical & Pharmaceutical sector were 1 in 509.4 and 1 in 513.8 for the IT Services sector; 1 in 532.8 for Retail, 1 in 130.4 for Education and 1 in 182.3 for Finance.
Web-based Malware Threats
In June, MessageLabs Intelligence identified an average of 5,415 Web sites each day harboring malware and other potentially unwanted programs including spyware and adware; an increase of 70.8% since May 2011. This reflects the rate at which Web sites are being compromised or created for the purpose of spreading malicious content. Often this number is higher when Web-based malware is in circulation for a longer period of time to widen its potential spread and increase its longevity. The 70.8% rise marks a return to the highest rate since December 2010, as can be seen in the chart below; the rate had previously been diminishing during the first half of 2011.
As detection for Web-based malware increases, the number of new Web sites blocked decreases and the proportion of new malware begins to rise, but initially on fewer Web sites. Further analysis reveals that 35.1% of all malicious domains blocked were new in June; a decrease of 1.7 percentage points compared with May 2011. Additionally, 20.3% of all Web-based malware blocked was new in June; a decrease of 4.3 percentage points since the previous month.
Endpoint Security Threats
The endpoint is often the last line of defense and analysis; however, the endpoint can often be the first-line of defense against attacks that spread using USB storage devices and insecure network connections. The threats found here can shed light on the wider nature of threats confronting businesses, especially from blended attacks and threats facing mobile workers. Attacks reaching the endpoint are likely to have already circumvented other layers of protection that may already be deployed, such as gateway filtering. The table below shows the malware most frequently blocked targeting endpoint devices for the last month. This includes data from endpoint devices protected by Symantec technology around the world, including data from clients which may not be using other layers of protection, such as Symantec Web Security.cloud or Symantec Email AntiVirus.cloud.
In Symantec’s Intelligence Report: June 2011 they produced a Best Practice Guidelines for Enterprises wishing to improve their IT Security.
The details of the Best Practice Guide are below.
1. Employ defense-in-depth strategies: Emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method. This should include the deployment of regularly updated firewalls, as well as gateway antivirus, intrusion detection, intrusion protection systems, and Web security gateway solutions throughout the network.
2. Monitor for network threat, vulnerabilities and brand abuse. Monitor for network intrusions, propagation attempts and other suspicious traffic patterns, identify attempted connections to known malicious or suspicious hosts. Receive alerts for new vulnerabilities and threats across vendor platforms for proactive remediation. Track brand abuse via domain alerting and fictitious site reporting.
3. Antivirus on endpoints is not enough: On endpoints, signature-based antivirus alone is not enough to protect against today’s threats and Web-based attack toolkits. Deploy and use a comprehensive endpoint security product that includes additional layers of protection including:
Endpoint intrusion prevention that protects against un-patched vulnerabilities from being exploited, protects against social engineering attacks and stops malware from reaching endpoints;
Browser protection for protection against obfuscated Web-based attacks;
Consider cloud-based malware prevention to provide proactive protection against unknown threats; o File and Web-based reputation solutions that provide a risk-and-reputation rating of any application and Web site to prevent rapidly mutating and polymorphic malware;
Behavioral prevention capabilities that look at the behavior of applications and malware and prevent malware;
Application control settings that can prevent applications and browser plug-ins from downloading unauthorized malicious content;
Device control settings that prevent and limit the types of USB devices to be used.
4. Use encryption to protect sensitive data: Implement and enforce a security policy whereby sensitive data is encrypted. Access to sensitive information should be restricted. This should include a Data Loss Protection (DLP) solution, which is a system to identify, monitor, and protect data. This not only serves to prevent data breaches, but can also help mitigate the damage of potential data leaks from within an organization.
5. Use Data Loss Prevention to help prevent data breaches: Implement a DLP solution that can discover where sensitive data resides, monitor its use and protect it from loss. Data loss prevention should be implemented to monitor the flow of data as it leaves the organization over the network and monitor copying sensitive data to external devices or Web sites.DLP should be configured to identify and block suspicious copying or downloading of sensitive data.DLP should also be used to identify confidential or sensitive data assets on network file systems and PCs so that appropriate data protection measures like encryption can be used to reduce the risk of loss.
6. Implement a removable media policy. Where practical, restrict unauthorized devices such as external portable hard-drives and other removable media. Such devices can both introduce malware as well as facilitate intellectual property breaches—intentional or unintentional. If external media devices are permitted, automatically scan them for viruses upon connection to the network and use a DLP solution to monitor and restrict copying confidential data to unencrypted external storage devices.
7. Update your security countermeasures frequently and rapidly: With more than 286M variants of malware detected by Symantec in 2010, enterprises should be updating security virus and intrusion prevention definitions at least daily, if not multiple times a day.
8. Be aggressive on your updating and patching: Update, patch and migrate from outdated and insecure browsers, applications and browser plug-ins to the latest available versions using the vendors’ automatic update mechanisms. Most software vendors work diligently to patch exploited software vulnerabilities; however, such patches can only be effective if adopted in the field. Be wary of deploying standard corporate images containing older versions of browsers, applications, and browser plug-ins that are outdated and insecure. Wherever possible, automate patch deployments to maintain protection against vulnerabilities across the organization.
9. Enforce an effective password policy. Ensure passwords are strong; at least 8-10 characters long and include a mixture of letters and numbers. Encourage users to avoid re-using the same passwords on multiple Web sites and sharing of passwords with others should be forbidden. Passwords should be changed regularly, at least every 90 days. Avoid writing down passwords.
10. Restrict email attachments: Configure mail servers to block or remove email that contains file attachments that are commonly used to spread viruses, such as .VBS, .BAT, .EXE, .PIF, and .SCR files. Enterprises should investigate policies for .PDFs that are allowed to be included as email attachments.
11. Ensure that you have infection and incident response procedures in place:
Ensure that you have your security vendors contact information, know who you will call, and what steps you will take if you have one or more infected systems;
Ensure that a backup-and-restore solution is in place in order to restore lost or compromised data in the event of successful attack or catastrophic data loss;
Make use of post-infection detection capabilities from Web gateway, endpoint security solutions and firewalls to identify infected systems;
Isolate infected computers to prevent the risk of further infection within the organization;
If network services are exploited by malicious code or some other threat, disable or block access to those services until a patch is applied;
Perform a forensic analysis on any infected computers and restore those using trusted media.
12. Educate users on the changed threat landscape:
Do not open attachments unless they are expected and come from a known and trusted source, and do not execute software that is downloaded from the Internet (if such actions are permitted) unless the download has been scanned for viruses;
Be cautious when clicking on URLs in emails or social media programs, even when coming from trusted sources and friends;
Do not click on shortened URLs without previewing or expanding them first using available tools and plug-ins;
Recommend that users be cautious of information they provide on social networking solutions that could be used to target them in an attack or trick them to open malicious URLs or attachments;
Be suspicious of search engine results and only click through to trusted sources when conducting searches, especially on topics that are hot in the media;
Deploy Web browser URL reputation plug-in solutions that display the reputation of Web sites from searches;
Only download software (if allowed) from corporate shares or directly from the vendors Web site;
If users see a warning indicating that they are “infected” after clicking on a URL or using a search engine (fake antivirus infections), have users close or quit the browser using Alt-F4, CTRL+W or the task manager.
The Symantec Security Response web page can be found here.
Cisco Security Intelligence Operations’ (SIO) research has found that “Cybercriminal business models have recently shifted toward low volume targeted attacks. With email remaining the primary attack vector, these attacks are increasing in both their frequency and their financial impact on targeted organizations”.
Cisco SIO estimates that the Cybercriminal benefit resulting from traditional mass email based attacks has declined more than 50 percent, from US$1.1 billion in June 2010 to $500 million in June 2011 on an annualized basis.
This change reflects a reduction in spam volume from 300 billion to 40 billion spam messages daily from June 2010 to June 2011. This reduction is consistent with low continued user conversion rates and is partially offset by increases in the average user spending on conversions”.
This decline has been offset by a small subset of mass attacks: scams and malicious attacks, which make up about 0.2 percent of total mass attacks and have been providing greater cybercriminal benefit. By using more personalization tools, the user conversion rates for the better crafted scams and malicious attacks have increased significantly in the last year. In addition, the average user loss caused by the malware or scam employed has increased because of the information shared.
Cisco’s Attack Classifications
As Cybercriminal activity continues to evolve, the specific attacks and their impact to organizations also change.
Mass attacks have been the basis of threats since the first days of distributed networks. Self propagating worms, distributed denial of service (DDoS) attacks, and spam are some preferred methods for achieving financial gain or business disruption.
The criminal creates a common payload and places it in locations that victims might access, often inadvertently. Examples include infecting websites, exploiting security vulnerabilities in file formats such as PDFs, sending emails to make a purchase, and mass Phishing of banking credentials. Traditional anti-threat methods rely on several factors, including quickly identifying the threat when first reported or seen in the network and then blocking similar threats in the future. If criminals infiltrate the security layers far enough to reach their targets, they’ll achieve the desired result in sufficient quantities to make this business model lucrative. A significant segment of this type of attacks is the burgeoning number of scams and malicious attacks. As part of the evolution of the criminal ecosystem, these attacks are becoming highly focused. Regardless of the vector or delivery engine including short message service (SMS), email and social media, criminals are choosing their targets with greater care, using personalized information such as a user’s geographical location or job position. Examples of these scams include:
SMS financial fraud scams to specific locales
Email campaigns that use URL shortening services
Social media scams, where the criminal befriends a user or group of users for financial gain
When only a few threats are sent, these strategies may be effective in reaching the victims, but may not always prove cost effective to the criminals. Yet, for reaching high value victims, this approach is increasingly being leveraged by smart, organized, and profit driven criminals. When criminals are specific about their victim profiles, these threats are referred to as Spearphishing attacks.
Spearphishing attacks are aimed at a specific profile of users, often high ranking organizational users who have access to commercial bank accounts. Spearphishing attacks are typically well crafted; they use contextual information to make users believe they are interacting with legitimate content. The Spearphishing email may appear to relate to some specific item of personal importance or a relevant matter at the company for instance, discussing payroll discrepancies or a legal matter. According to Cisco SIO research, more than 80 percent of Spearphishing attacks contain links to websites with malicious content. Yet, the linked websites are often specially crafted and previously unseen, making them complex to detect.
Cybercriminal Benefit (US$ million)
1 Year Ago
Scams and Malicious
Targeted attacks are highly customized threats directed at a specific user or group of users typically for intellectual property theft. These attacks are very low in volume and can be disguised by either known entities with unwitting compromised accounts or anonymity in specialized botnet distribution channels. Targeted attacks generally employ some form of malware and often use zero day exploits in order to gain initial entry to the system and to harvest desired data over a period of time. With these attacks, criminals often use multiple methods to reach the victim. Targeted attacks are difficult to protect against and have the potential to deliver the most potent negative impact to victims. While potentially similar in structure, the major differentiator of targeted attacks relative to Spearphishing attacks is the focus on the victim. A targeted attack is directed toward a specific user or group of users where as a Spearphishing attack is usually directed toward a group of people with a commonality, such as being customers of the same bank. Targeted attackers often build a dossier of sorts on intended victims gleaning information from social networks, press releases, and public company correspondence. While Spearphishing attacks may contain some personalized information, a targeted attack may contain a great deal of information which is highly personalized and generally of unique interest to the intended target.
A well publicized example of a targeted attack is the Stuxnet attack, a computer worm discovered in July 2010 which specifically targeted industrial software and equipment. Stuxnet exploited a vulnerability in the way that Windows handles shortcut files, allowing the worm to spread to new systems. The worm is believed to be purpose built to attack Supervisory Control and Data Acquisition (SCADA) systems, or those used to manage complex industrial networks, such as systems at power plants and chemical manufacturing facilities. Stuxnet’s cleverness is in its ability to traverse non-networked systems, which means that even systems unconnected to networks or the Internet are at risk. Operators believed that a default Siemens password (which had been made public on the web some years earlier) could not be corrected by vendors without causing significant difficulty for customers. The SCADA system operators might have been laboring under a false sense of security since their systems were not connected to the Public Internet, they might have believed they would not be prone to infection.
Federal News Radio’s website called Stuxnet “the smartest malware ever.” In January 2011, Cisco SIO detected a targeted attack message sent to senior executives at a large corporation. This campaign was sophisticated, in that it used previously unseen resources. The message was sent by an unknown party through a legitimate but compromised server in Australia. The email message was seemingly legitimate. The embedded action URL was hosted on a legitimate but compromised law blog. When clicked, the user’s browser was directed to a previously unknown copy of the Phoenix exploit kit. After the exploit was successful, it installed the Zeus Trojan on the victim’s computer.
Economics of Attacks
The economics of a typical campaign underscore the difference between mass and targeted attack business models.
For an individual campaign, the economics of a Spearphishing attack can be more compelling than for a mass attack. The costs are significantly higher, but so too are the yield and benefit. Cisco SIO estimates the costs of a Spearphishing attack at five times the cost of a mass attack, given the quality of the list acquisition, botnet leased, email generation tools, malware purchased, website created, campaign administration tools, order processing back-end infrastructure, fulfillment providers, and user background research activity required. This significantly higher cost basis and greater effort requires highly specialized skills. It also requires higher yields to be effective.
Cybercriminals are balancing competing priorities: Infect more users or keep the attack small enough to fly under security vendors’ radar? Spearphishing attack campaigns are limited in volume but offer higher user open and click through rates. With these constraints, Cybercriminals are increasingly focusing on business users with access to corporate banking accounts, to make sure they’re seeing sufficient return per infection. This is why the average value per victim can be 40 times that of a mass attack. Ultimately, this approach is justified:
“Profit from a single Spearphishing attack campaign can be more than 10 times that of a mass attack”
The potential returns are causing a shift in Cybercriminal business models. Presently, the opportunity cost of spamming may not be worth the rate of return due to increases in both anti-spam efficacy and user awareness. Instead, Cybercriminals are focusing more time and effort on different types of targeted attacks, often with the goal of gaining access to more lucrative corporate and personal bank accounts and valuable intellectual property.
To make their attacks more personalized, some Cybercriminals have focused on infiltrating email marketing vendors, since they have valid names, email addresses, and other attributes. When used in scams and malicious attacks, whether on a mass scale or in Spearphishing attacks this personal information increases the likelihood of users opening an attack email. The correlation of lower mass spam with recent data breaches is interesting, but the real takeaway is that attacks are becoming more personalized.
Impact of Personalized Attacks
Spearphishing attacks, though lower in volume relative to other types of threats, have serious consequences for today’s enterprises. The majority of Spearphishing attacks ultimately lead to financial loss, making them incredibly dangerous to victims and incredibly valuable to Cybercriminals. Spearphishing uses customization methods superior than those used in mass scams and malicious attacks, resulting in significantly higher user open and conversion rates. These success factors have made Spearphishing attack infections more effective, and hence more commonplace, which is corroborated by Federal Trade Commission estimates of 9 million Americans having their identities stolen each year.
The value per victim in Spearphishing attacks can vary substantially, with the mean and median values being quite high. For example, according to primary consumer research conducted by Javelin Strategy & Research, the mean identity fraud amount per victim was $4,607 in 2010. If we use a conservative estimate of user loss, $400, the total Cybercriminal benefit resulting from Spearphishing attacks amounts to $150 million in June 2010 on an annualized basis. This figure has tripled from $50 million a year ago; it is expected to continue increasing in the coming months as Cybercriminal activity returns to its prior business levels.
Impact of Targeted Attacks
The malicious nature of targeted attacks causes them to be very expensive to society in general and to individual organizations specifically. The cybercriminal benefit from a targeted attack, while substantial, is not easy to estimate because it is highly variable, based on the specific victim and intellectual property compromised. However, the cybercriminal benefit is a subset of the overall cost to the victim organization, which also depends heavily on the organization’s reputation and status. The organizational costs resulting from targeted attacks can vary. According to the FBI, these costs can range from thousands to hundreds of millions USD.
Similarly, the Ponemon Institute has estimated the potential cost per organizational data breach to range anywhere from US$1 million to US$58 million. As an example, a large gaming platform provider reported that the unauthorized access to its network that occurred in Q2 of 2011 has resulted in currently known associated costs of approximately US$172 million. Costs include personal information theft protection programs, insurance to cover identity theft losses, costs of “welcome back” programs, customer support costs, network security enhancement costs, legal and expert costs, and the impact on profits due to possible future revenue decreases.
In another example, a public payments processor company experienced a data breach resulting in millions of compromised user account credentials. A year later, the company reported related expenses totaling US$105 million. As per their 10-QSEC filing, “The majority of these charges, or approximately $90.8 million, related to:
assessments imposed by MasterCard and VISA against us and our sponsor banks
settlement offers we made to certain card brands in an attempt to resolve certain of the claims asserted against our sponsor banks (who have asserted rights to indemnification from us pursuant to our agreements with them)
expected costs of settling with certain claimants with whom settlement discussions are underway
During the same timeframe from the intrusion to the 10-Q results, the company lost 30% of its value relative to the Standard and Poor’s 500 Index, or roughly $300 million in shareholder value. Ultimately, the corporate reputation is tarnished at a cost more significant than the costs of the monetary loss and remediation combined.
Overall Impact of Attacks
It’s clear that the shift in Cybercriminal business models has provided an interim benefit from lower threat activity. Organizations are only partially able to appreciate the reduction in Cybercriminal activity, though, as their costs can encompass far more than financial loss. To estimate these total losses, Cisco SIO conducted primary research with 361 organizations located globally to understand their perspectives.
The organizational impacts of attacks can be categorized as follows:
Financial: Financial loss directly to the Cybercriminals can range widely based on the specific attack; as a result, organizations cannot estimate the loss.
Remediation: The remediation costs of Spearphishing and targeted attacks are incurred by victim organizations. The administrative team must identify and remediate the compromised hosts; this can be challenging given the increasing use of surreptitious applications. Because of the complexity of current targeted attacks and the underlying malware, costs for remediation can be significant. Remediation costs include the time required to address the infected host and the corresponding opportunity cost of that time. With the organizations surveyed, Cisco observed that infected hosts take an average of two hours of dedicated effort to resolve. The cost basis of two hours of effort per resolution is specific to each organization, as is the corresponding opportunity cost of that time. Based on Cisco SIO research, organizations estimated that the direct remediation cost per infected user is $640, or 2.1 times that of the direct monetary loss.
Reputation: The negative reputation impact of attacks can be experienced over time by victim organizations and users. For example, building a brand typically takes years, but a negative event or news story, especially one that is highly visible, can quickly tarnish a company’s image. The direct impact can be a significant decline in business, sometimes even leading to the organization’s demise. Determining the true costs of adverse reputation impact can be challenging, as is estimating the value of an organization’s brand. Nevertheless, organizations have made it clear that adverse events can impact their reputation, which in turn can create a significant decline in business and shareholder value. Based on Cisco SIO research, organizations estimated that the reputation cost per infected user is $1,900, or 6.4 times that of the direct monetary loss.
Combined Impact: The overall costs of Spearphishing and targeted attacks to organizations are substantially more than their direct monetary loss to Cybercriminals.
While the costs can vary widely depending on the specific organization and attack, one point is clear: The overall costs to organizations can be significant. In addition, reputation management and remediation efforts can create a strain on the organization.
Cisco’s Conclusion to its research
The increased number of low volume targeted attacks has impacted users in many organizations, regardless of industry, geography and size. Their prevalence has caused both a related increase in criminal financial benefit and impact on victimized organizations. Organizations have to bear the burden of not only the monetary loss but also the cost of remediating infected hosts and the negative impact on their brand reputation. With the number of targeted attacks expected to increase, Cybercriminal activity will continue to evolve, as will its impact.
On the 1st April 2011 Epsilon reported on their website “On March 30th, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.”
Whilst there is no immediate financial risk to those individuals who have had their name and email address stolen there is the risk of their information being used for Spam and phishing attacks.
Epsilon is one of the world’s largest “provider of multi-channel marketing services” and claims to have 2,500 clients, including 7 of the Fortune 10. These clients in the words of Epsilon “trust Epsilon to build and host their customer databases”.
It is expected that Epsilon’s clients will issue warnings about the lose of data. This in itself will be part of the problem, because as businesses seek to protect their reputations they will become spammers by sending unwanted emails.
The there is the potential for the hackers to introduce phishing attacks disguised as the legitimate business trying to protect their brand, for example, “sorry we lost your information, can you please update your details here…”