Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Spearphishing

Cost of Phishing and Value of Employee Training

The Ponemon Institute has presented the results of it’s study the Cost of Phishing and Value of Employee Training sponsored by Wombat Security. The purpose of this research is to understand how training can reduce the financial consequences of phishing in the workplace.

Phishing

The research reveals the majority of costs caused by successful phishing attacks are the result of the loss of employee productivity. Based on the analysis described later in this report, Ponemon extrapolate an average improvement of 64% from six proof of concept training projects. This improvement represents the change in employees who fell prey to phishing scams in the workplace before and after training.

As a result of effective training provided by Wombat, Ponemon estimate a cost savings of $1.8 million or $188.4 per employee/user. If companies paid Wombat’s standard fee of $3.69 per user for a program for up to 10,000 users, Ponemon determine a very substantial net benefit of $184.7 per user, for a remarkable one-year rate of return at 50X.

To determine the cost structure of phishing, Ponemon  surveyed 377 IT and IT security practitioners in organizations in the United States. 39% of respondents are from organizations with 1,000 or more employees who have access to corporate email systems.

The topics covered in this research include the following:

  • The financial consequences of phishing scams
  • The financial impact of phishing on employee productivity
  • The cost to contain malware
  • The cost of malware not contained & the likelihood it will cause a material data breach
  • The cost of business disruption due to phishing
  • The cost to contain credential compromises
  • Potential cost savings from employee training

Phishing scams are costly. Often overlooked is the potential cost to organizations when employees are victimized by phishing scams. Ponemon’s cost analysis includes the cost to contain malware, the cost not contained, loss of productivity, the cost to contain credential compromises and the cost of credential compromises not contained. Based on these costs, the extrapolated total annual cost of phishing for the average-sized organization in Ponemon’s sample totals $3.77 million.

Summarized calculus on the cost of phishing. Estimated cost.
Part 1. The cost to contain malware $208,174
Part 2. The cost of malware not contained $338,098
Part 3. Productivity losses from phishing $1,819,923
Part 4. The cost to contain credential compromises $381,920
Part 5. The cost of credential compromises not contained $1,020,705
Total extrapolated cost $3,768,820

The average total cost to contain malware annually is $1.9 million. The first step in understanding the overall cost is to analyze the six tasks to contain malware infections. Drawing from the empirical findings of an earlier study, Ponemon  were able to derive cost estimates relating to six discrete tasks conducted by companies to contain malware infections in networks, enterprise systems and endpoints. The table below summarizes the annual hours incurred for six tasks by the average-sized organization on an annual basis. The largest tasks incurred to contain malware involve the cleaning and fixing of infected systems and conducting forensic investigations.

Documentation and planning represents the smallest tasks in terms of hours spent each year.

Six tasks to contain malware infections. Estimated hours per annum.

Planning 910
Capturing intelligence 3,806
Evaluating intelligence 2,844
Investigating 10,338
Cleaning & fixing 11,955
Documenting 671
Total hours 30,524

The annual cost to contain malware is based on the hours to resolve the incident. These cost estimates are based on a fully loaded average hourly labor rate for US-based IT security practitioners of $62. As can be seen, the extrapolated total cost to contain malware is $1.89 million.

The adjusted cost of malware containment resulting from phishing scams is $208,174 per annum. The final step in determining the cost of malware containment attributable to phishing is to calculate the percentage of malware incidents unleashed by successful phishing scams.

Response to the survey question, “What percent of all malware infections is caused by successful phishing scams?” The percentage rate of malware infections caused by phishing scams was based on Ponemon’s  independent survey of IT security practitioners. As can be seen, the estimated range is less than 1% to more than 50%. The extrapolated average rate is 11%.

Drawing from the above analysis, Ponemon estimate the cost of malware containment as 11% of the previously calculated total cost of $1.9 million.

Cost of malware not contained

In this section, Ponemon estimate the cost of malware not contained at the device level to be $105.9 million. In other words, this cost occurs because malware evaded traditional defenses such as firewalls, anti-malware software and intrusion prevention systems. In this state Ponemon  assume the malware becomes weaponized for attack.

Following are two attacks caused by weaponized malware:

  1. Data exfiltration (a.k.a. material data breach)
  2. Business disruptions

Ponemon determine a most likely cost using an expected cost framework, which is defined as:

Expected cost = Probable maximum loss (PML) x Likelihood of occurrence [over a 12-month period].

Respondents in Ponemon’s  survey were asked to estimate the probable maximum loss (PML) resulting from a material data breach (i.e., exfiltration) caused by weaponized malware. Ponemon’s research shows the distribution of maximum losses ranging from less than $10 million to more than $500 million.

The extrapolated average PML resulting from data exfiltration is $105.9 million.

What is the likelihood of weaponized malware causing a material data breach? In the context of this research, a material data breach involves the loss or theft of more than 1,000 records. Respondents were asked to estimate the likelihood of this occurring. According to the research the probability distribution ranges from less than .1% to more than 5%. The extrapolated average likelihood of occurrence is 1.9 percent over a 12-month period.

The cost of business disruption due to phishing is $66.9 million. Respondents were asked to estimate the PML resulting from business disruptions caused by weaponized malware. Business disruptions include denial of services, damage to IT infrastructure and revenue losses. The research shows the distribution of maximum losses ranging from less than $10 million to $500 million. The extrapolated average PML resulting from data exfiltration is $66.9 million.

How likely are business disruptions due to weaponized malware? Respondents were asked to estimate the likelihood of material business disruptions caused by weaponized malware. The research shows the probability distribution ranging from less than .1% to more than 5%. The extrapolated average likelihood of occurrence is 1.6% over a 12-month period.

The table below shows the expected cost of malware attacks relating to data exfiltration ($2 million) and disruptions to IT and business processes ($1.1 million). The total amount of $3.1 million is adjusted for the 11% of malware attacks originating from phishing scams, which yields an estimated cost of $338,098 per annum.

Recap for the cost of malware not contained Calculus
Probable maximum loss resulting from data exfiltration $105,900,000
Likelihood of occurrence over the next 12 months 1.90%
Expected value $2,012,100
Probable maximum loss resulting from business disruptions (including denial of services, damage to IT infrastructure and revenue losses) $66,345,000
Likelihood of occurrence over the next 12 months 1.60%
Expected value $1,061,520
Total cost of malware not contained $3,073,620
Percentage rate of malware infections caused by phishing scams 11%
Adjusted total cost attributable to phishing scams $338,098

Employees waste an average of 4.16 hours annually due to phishing scams. As previously discussed, the majority of costs (52%) are due to the decline in employee productivity as a result of being phished. In this section, Ponemon estimate the productivity losses associated with phishing scams experienced by employees during the workday. Drawing upon Ponemon’s  survey research, Ponemon  extrapolated the total hours spent each year by employees/users viewing and possibly responding to phishing emails.

The research shows the distribution of time wasted for the average employee (office worker) due to phishing scams. The range of response is less than 1 hour to more than 25 hours per employee each year.

What is the cost to respond to a credential compromise? In this section, Ponemon estimate the costs incurred by organizations to contain credential compromises that originated from a successful phishing attack, including the theft of cryptographic keys and certificates. Ponemon’s  first step in this analysis is to estimate the total number of compromises expected to occur over the next 12 months. The range of responses includes zero to more than 10 incidents.

How likely will a material data breach occur if the credential compromise is not contained? Respondents were asked to estimate the likelihood of a material data breach caused by credential compromise. Ponemon’s research shows the probability distribution ranging from less than .1% to 5%. The extrapolated average likelihood of occurrence is 4% over a 12-month period.

In this section, Ponemon estimates the potential cost savings that result from employee education that provides actionable advice and raises awareness about phishing and other related topics. As a starting point to this analysis, Ponemon obtained six proof of concept studies completed for six large companies.

These reports provided detailed findings that show the phishing email click rate for employees both before and after training. Ponemon provides the actual improvements experienced by companies, ranging from 26 to 99%, respectively. The average improvement for all six companies is 64%.

As a result of Wombat’s training on phishing that includes mock attacks and follow-up with indepth training, Ponemon estimate a high knowledge retention rate. Based on well-known research, training that focuses on actual practices should result in an average retention rate of approximately 75%. Applying this retention rate against the average improvement shown in the six proof of concept studies, Ponemon  estimate a net long-term improvement in fighting phishing scams of 47.75%.

Proof of concept results Improvement %
Company A 99%
Company B 72%
Company C 54%
Company D 26%
Company E 62%
Company F 69%
Average improvement 64%
Expected diminished learning retention over time (1-75%) 25%
Average net improvement 47.75%

The figures below provides a simple analysis of potential cost savings accruing to organizations that use an effective training approach to mitigating phishing scams. As shown before, Ponemon estimate a total cost of phishing for an average-sized organization at $3.77 million.

Assuming a net improvement of 47.75%, Ponemon estimate a cost savings of $1.80 million or $188.40 per employee/user. At a fee of $3.69 per employee/user, Ponemon determine a very substantial net benefit of $184.71 per user, or a one-year rate of return of 50X.

Calculating net benefit of Wombat training on phishing Calculus
Total cost of phishing $3,768,820
Estimated cost savings assuming net improvement at 47.75% $1,799,612
Extrapolated headcount for the average-sized organization 9,552
Estimated cost savings per employee $188.40
Estimated fee of Wombat training per user $3.69
Estimated net benefit of Wombat training per user $184.71
Estimated one-year rate of return = Net benefit ÷ Fee 50X

Workers Ignoring Known Cyber Risks, Surfing Adult Content and Downloading Unapproved Apps

Blue Coat Systems global survey of 1580 respondents across 11 countries highlights a global trend of employees ignoring cyber risks while at work. Results from the survey found that universally, workers visit inappropriate websites while at work despite typically being fully aware of the risks to their companies.

Blue Coat’s research, conducted by independent research firm Vanson Bourne, found the actions of employees at odds with their awareness of the growing cyber threats facing the workplace. In addition, this risky behaviour can leave both sensitive corporate and personal data open to being stolen and used immediately, stored for future use, or sold into a thriving black market where compromised corporate and personal identities are traded globally.

One source of cyber threats is the practice of phishing. Cyber criminals continuously conduct extensive research on employees’ social profiles to find information that can be used to attack organizations. For example, an attacker may create a seemingly personalized email targeted at an IT administrator for a large enterprise using information found on social media profiles, such as the recipient’s alma mater or favourite sports team. That email may contain malware that is downloaded once the recipient clicks on a link included in the document.

Pornography continues to be one of the most popular methods of hiding malware or malicious content. Even though awareness is high of the threat posed by adult content sites, workers are still visiting these potentially dangerous sites.

The Blue Coat survey found that at 19%, China has the worst record for viewing adult content sites on a work device, with Mexico (10%) and the UK (9%) not far behind. 

Survey Highlights

The majority of global survey participants admitted understanding the obvious cyber threats when downloading email attachments from an unknown sender, or using social media and unapproved apps from corporate networks without permission, but knowing this, did not curb their risk-taking.

Other findings include:

  • 65% of global respondents view using a new application without the IT department’s consent as a serious cyber-security risk to the business, 26% admitted doing so.
  • 37% of respondents in Singapore used new applications without IT’s permission, compared to 33% in the UK and 30% in India and Mexico. On the flip side, Australia and France were the lowest offenders at 14% and 16% respectively; however, any number puts businesses at risk.
  • Obvious behaviours such as opening emails from unverified senders still happen at work. 29% of Chinese employees open email attachments from unverified senders, even though 72% see it as a serious risk. US businesses view the threat even more seriously (80%) and open less unsolicited emails (17%).
  • 41% use social media sites for personal reasons at work, a serious risk to businesses, as cyber criminals hide malware on shortened links and exploit encrypted traffic to deliver payloads.
  • 6% of global respondents still admitted viewing adult content on work devices, China ranked as the worst offender with 19% employees admitting to viewing adult content at work, compared to Australia and Germany, both at 2%

While the majority of employees are aware of cyber security risks, in practice most still take chances,” said Dr. Hugh Thompson, CTO for Blue Coat. “The consumerization of IT and social media carry mixed blessings to enterprises. It is no longer realistic to prevent employees from using them, so businesses need to find ways to support these technology choices while simultaneously mitigating the security risks

RSA’s April Online Fraud Report 2013, with a focus on the changes in Phishing tactics

Phishing still stands as the top online threat impacting both consumers and the businesses that serve them online.

In 2012, there was an average of over 37,000 phishing attacks each month identified by RSA. The impact of phishing on the global economy has been quite significant: RSA estimates that worldwide losses from phishing attacks cost more than $1.5 billion in 2012, and had the potential to reach over $2 billion if the average uptime of phishing attacks had remained the same as 2011.

This monthly highlight goes beyond the growing numbers recorded for phishing attacks and looks deeper into the evolution of attack tactics facilitating the sustained increase witnessed over the last year.

Phishing kits recently analyzed by RSA show another phish tactic increasingly used by phishers. Although this is not entirely new, it is interesting to see it implemented by miscreants planning to evade email filtering security.

The scheme includes a number of redirections from one website to another. What kit authors typically do in such cases is exploit and take over one legitimate website, hijacking it but not making any changes to it. They will be using this site as a trampoline of sorts, making their victims reach it and then be bounced from there to a second hijacked website: the actual phishing page.

What good can this serve? Simple: the first site is purposely preserved as a “clean” site so that phishers can send it as an unreported/unblocked URL to their victims, inside emails that would not appear suspicious to security filtering. The recipient will then click the link, get to the first (good) URL and be instantly redirected to the malicious one.

Another similar example is reflected in time-delayed attacks again, not new, but increasingly used by attackers. This variation uses the same clean site, sends the email spam containing the “good” URL and stalls. The malicious content will only be loaded to the hijacked site a day or two later. These are often weekend attacks, where the spam is sent on a Sunday, clears the email systems, then the malicious content is available on Monday. The same scheme is used for spear phishing and Trojan infection campaigns.

Research into attack patterns proves that Fridays are a top choice for phishers to send targeted emails to employees spear phish Friday if you will. Why Friday? When it comes to phishing, phishers make it their business to know their targets as well as possible. It stands to reason that employees may be a little less on guard on the last day of the week, clean their inbox from the week’s emails and browse the Internet more making them more likely to check out a link they received via email that day.

Typo squatting is a common way for phishers to try and trick web users into believing they are looking at a legitimate URL and not a look-alike evil twin. The basics of typo squatting is registering a website for phishing, choosing a domain name that is either very similar to the original or visually misleading. The most common ways of doing this are: –Switching letters, as in bnak or bnk for “bank”, adding a letter at the end of the word or doubling in the wrong place, as in Montterrey for “Monterrey” – Swapping visually similar letters

Phishers are creative and may use different schemes to typo squat. This phish tactic can be noticed by keen-eyed readers who actually pay close attention to the URL they are accessing, however, for more individuals on a busy day, typo squatting can end with an inadvertent click on the wrong link. This is especially important today, since fake websites look better than ever and are that much harder to tell apart.

A quick search engine search for domain iwltter.com immediately revealed that it was registered by someone in Shanghai and already reported for phishing.

But the notion plays against phishers in other aspects. Typos are one of the oldest tell-tale signs of phishing. You’d think that by now phishers would have learned that their spelling mistakes and clunky syntax impairs their success rates, but luckily, they haven’t. This could be in part due to the fact that many kit authors are not native English speakers Another phish tactic analyzed by RSA in the recent month came in the shape of a kit that selected its audience from a 3,000 strong pre-loaded list. It may sound like a long list, but is it very limiting in terms of exposure to the phishing attack itself. This case showed that phishers will use different ways to protect the existing campaign infrastructure they created and make sure strangers, as in security and phish trackers, keep out of their hijacked hostage sites while they gather credentials and ship them out to an entirely different location on the web.

Water-holing in the phishing context became a tactic employed by attackers looking to reach the more savvy breed of Internet users. Instead of trying to send an email to a security-aware individual, attempting to bypass security implemented in-house and reinventing the phish, water-holing is the simple maneuver of luring the victim out to the field and getting him there. A water-hole is thus a website or an online resource that is frequently visited by the target-audience. Compromise that one resource, and you’ve got them all. Clearly fully patched systems will still be rather immune and secured browsers that will not allow the download of any file without express permission from the user will deflect the malware.

Water-holing has been a tactic that managed to compromise users by using an exploit and infecting their machines with a RAT (remote administration tool). This is also the suspected method of infection of servers used for the handling of payment-processing data. Since regular browsing from such resources does not take place on daily basis, the other possibility of a relatively wide campaign is to infect them through a resource they do reach out to regularly.

Water-holing may require some resources for the initial compromise of the website that will reap the rewards later, but these balance out considering the attacker does not need to know the exact contacts/their email addresses/the type of content they will expect or suspect before going after the targeted organization.

RSA’s Conclusion

Although there is not much a phishing page can surprise with, one can’t forget that the actual page is just the attack’s façade. Behind the credential-collecting interface lay increasingly sophisticated kits that record user hits and coordinates, push them from one site to the next, lure them to infection points after robbing their information and always seeking the next best way to attack. According to recent RSA research into kits, changes in the code’s makeup and phish tactics come from intent learning of human behavior patterns by logging statistical information about users and then implementing that knowledge into future campaigns.

Phishing Attacks per Month

In January, RSA identified 30,151 attacks launched worldwide, a 2% increase in attack volume from December. Considering historical data, the overall trend in attack numbers in an annual view shows slightly lower attack volumes through the first quarter of the year.

Number of Brands Attacked

In January, 291 brands were targeted in phishing attacks, marking a 13% increase from December.

US Bank Types Attacked

U.S. nationwide banks continue to be the prime target for phishing campaigns – targeted by 70% of the total phishing volume in January. Regional banks’ attack volume remained steady at 15%, while attacks against credit unions increased by 9%.

Top Countries by Attack Volume

The U.S. was targeted by phishing most in January – with 57% of total phishing volume. The UK endured 10%, followed by India and Canada with 4% of attack volume respectively.

Top Countries by Attacked Brands

Brands in the U.S were most targeted in January; 30% of phishing attacks were targeting U.S. organizations followed by the UK that represented 11% of worldwide brands attacked by phishers. Other nations whose brands were most targeted include India, Australia, France and Brazil.

Top Hosting Countries

In January, the U.S. remained the top hosting country, accounting for 52% of global phishing attacks, followed by Canada, Germany, the UK and Colombia which together hosted about one-fifth of phishing attacks in January.

See Previous 3 months of RSA Online Fraud Report Summaries:

  • The RSA March 2013 Online Fraud Report Summary here.
  • The RSA February 2013 Online Fraud Report Summary here.
  • The RSA January 2013 Online Fraud Report Summary here.

.

RSA’s March Online Fraud Report 2013, with a focus on Email and Identity takeover

RSA’s March 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre, a summary of the report is below.

Phishing attacks are notorious for their potential harm to online banking and credit card users who may fall prey to phishers looking to steal information from them. Compromised credentials are then typically sold in the underground or used for actual fraud attempts on that user’s bank/card account. Financial institutions have all too often been the most targeted vertical with phishers setting their sights on monetary gain, followed by online retailers and social networks.

Most understand the purpose of targeting financial institutions, but online retailers and social networking sites? Why would a fraudster target them? In most cases, they use an email address to authenticate their users’ identities, and they are not the only ones. Of course the user is made to choose a password when opening any new online account, but as research reveals, password reuse across multiple sites is a huge issue. A typical user reuses the same password an average of six times, or the same password to access six different accounts.

Access Phishing campaigns have already been targeting webmail users for years now with campaigns purporting to be Hotmail, Yahoo!, Gmail, and the spear-phishing flavor in the shape of OWA (Outlook Web Access) for business users.

Trojan operators followed suit and have not remained oblivious to the potential that lies in gaining control over victim identities through their email accounts. In fact, almost all Trojan configuration files contain triggers to webmail providers as well as to social networking sites. This is designed with the purpose of getting access in order to gain more information about potential victims in order to take over their online identities.

Since email accounts are an integral part of user identities online, they have also become the pivotal access point for many types of accounts. When it comes to online retailers and merchants, the email address is most often the username in the provider’s systems or databases. When it comes to bank accounts, the customer’s email is where communications and alerts are sent, and sometimes even serve as part of transaction verification.

Beyond the fact that email is part of customer identification and point of communication, the compromise of that account by a cybercriminal can have more detrimental effects. Email takeover may mean that a hostile third party will attempt, and sometimes succeed, to reset the user’s account information and password for more than one web resource, eventually gaining access to enough personal information to enable complete impersonation of the victim.

Although some webmail providers use two-factor authentication for account password resets (such as Gmail’s Authenticator), most don’t, thereby inadvertently making it simpler for criminals to access and sometimes attempt to reset access to accounts.

Fraudsters will typically probe the account for more information and sometimes lock it (by changing the password) in order to prevent the genuine user from reading alerts after a fraudulent transaction was processed on one of their accounts.

Since email is a convenient way for service providers to communicate with untold numbers of customers, online merchants will, in the name of ease of use, reset account credentials via email. Hence, if a cybercriminal is in control of the email account, they will also gain control over the user’s account with that merchant.

From there, the road to e-commerce fraud shortens considerably, either using that person’s financial information, or attaching a compromised credit card to that account without ever having to log into their bank account in order to access their money, and in that sense, email access equals money.

Another example is transportation companies, which are part of any online purchase and those who provide shipping service to companies as well as governmental offices. They also use email addresses as their users’ login identifiers and will reset the account via email.

A takeover of a user’s email account in this scenario will also mean takeover of that person’s/business’ service account with the transport provider. For fraudsters, this type of access translates into purchasing labels for their reshipping mules, charging shipments to accounts that don’t belong to them, and providing an easier route to reship stolen goods and even reroute existing orders.

Email account takeover may appear benign at first sight, but in fact it is an insidious threat to online banking users. The first issue with email account takeover (due to credentials theft or a password reset), is that users re-use passwords. When fraudsters steal a set of credentials, they will likely be able to use it to access additional accounts, sometimes even an online banking account.

The second issue is that fraudsters will use victim email access for reconnaissance with that person’s choice of financial services providers, bank account types, card statements (paperless reports delivered via email), recent online purchases, alert types received from the bank, contact lists (often including work-related addresses), social networking profile and more.

How Risky Is Email Account Takeover? Email account takeover can be a route to identity theft that only requires access to perhaps the least secure part of the online identity used by financial and other organizations and is perhaps one of the least evident elements that can become a potential facilitator of online fraud scenarios.

Email addresses can serve as a “glue” that binds many parts of a person’s online identity, connecting a number of different accounts that interlink. A typical online banking customer may use a Gmail address with their bank account, use that same address for a PayPal account, shop on eBay using that address, and receive their card statements at that address from their card issuer. All too often, that address is also their Facebook access email, where they have saved their phone number, stated where they work and for how long, and mentioned a few hobbies.

RSA’s Summary

Account hacks of this type happen all the time, and often make the headlines in the media. In some cases, there are a few hundred potential victims while in others, there are millions. The value of an email address to a cybercriminal should not be underestimated. This element of an online identity must be treated with added caution by all service providers that cater to consumers.

The line that crosses between ease of access and user experience always passes very close to security redlines, but sometimes very slight modifications in the weight customer email accounts can have on overall account access can turn a fraud attempt into a failed fraud attempt.

Phishing Attacks per Month

In February, RSA identified 27,463 phishing attacks launched worldwide, marking a 9% decrease from January. The overall trend in attack numbers when looking at it from an annual view shows slightly lower attack volumes through the first quarter of the year.

Number of Brands Attacked

In February, 257 brands were targeted in phishing attacks, marking a 12% decrease from January. Of the 257 targeted brands, 48% endured five attacks or less.

US Bank Types Attacked

U.S. nationwide bank brands were the prime target for phishing campaigns, with 69% of total phishing attacks, while regional banks saw an 8% increase in phishing attacks in February.

Top Countries by Attack Volume

The U.S. remained the country that suffered a majority of attack volume in February, absorbing 54% of the total phishing volume. The UK, Canada, India, and South Africa collectively absorbed about one-quarter of total phishing volume in February.

Top Countries by Attacked Brands

In February, U.S brands were targeted by 30% of phishing volume, continuing to remain the top country by attacked brands. Brands in Brazil, Italy, India, Australia, China and Canada were each respectively targeted by 4% of phishing volume.

Top Hosting Countries

In February, the U.S. hosted 44% of global phishing attacks (down 8%), while the UK and Germany each hosted 5% of attacks. Other top hosting countries in February included Canada, Russia, Brazil and Chile.

See Previous 3 months of RSA Online Fraud Report Summaries:

  • The RSA February 2013 Online Fraud Report Summary here.
  • The RSA January 2013 Online Fraud Report Summary here.
  • The RSA December 2012 Online Fraud Report Summary here.

Counting the cost of e-crime to retailers. Actually it’s £205.4 million a year.

The British Retail Consortium (BRC) has released the findings of their first e-crime study. The study is based on responses to a quantitative survey conducted between April and May 2012. Respondents were members of the BRC drawn from a selection of key retailing types including supermarkets, department stores, fashion, health and beauty and mixed retail. The retailers questioned constitute around 45 per cent of the UK retail sector by turnover.

The headline finding is the total cost of e-crime to the retail sector was £205.4 million in 2011-12

This estimate comprises three main components:

1. E-crime Overall. The UK retail sector lost £77.3million as a result of the direct costs of e-crime.

2. Security Data, provided by retailers questioned in this survey suggests that, in 2011-12, at least £16.5 million was spent by the retail sector to provide better protective security for customers against e-crime. This figure excludes payments to banks for systems such as 3D Secure and ‘chargebacks’.

3. Lost Revenue. Estimated losses in revenue experienced as a result of legitimate business being rejected through online fraud prevention measures came to £111.6 million in 2011-12.

The key components making up the direct costs of e-crime were:

  • Identification-Related Frauds such as account takeovers which were the most costly variety of online fraud for retailers, resulting in at least £20 million of losses in 2011-12
  • Card and Card Not Present Frauds which were the next most costly variety, resulting in a minimum of £15 million of losses to the sector in this period
  • Refund Frauds which produced £1.2 million in known losses

The costs of e-crime to the retail sector are further inflated by the need to guard or restore systems against other kinds of threat such as malware, Distributed Denial of Service (DDoS) attacks or hacking. Since retailers do not yet collect precise data on this type of compromise to their systems, the research was unable to derive an overall cost estimate for these losses.

However, the research did find that repairing or restoring systems after DDoS attacks alone now costs up to £100,000 on average. Once these other varieties of threat are factored in, the true cost of e-crime to the retail sector is likely to be far higher than the estimate provided above.

E-Crime – The Emerging Threat

  • The most common fraud experienced by retailers in 2011-12 was Card Not Present fraud, with nearly 80% of UK retailers questioned in the survey stating that this was now common or very common.
  • Identification-Related Fraud was the second most common category with around 50% of retailers saying that the use of false identification was now a common or very common tactic in attempts to defraud their online systems.
  • If other misuses of personal identification (such as account-takeover frauds) are included under the heading of Identification-Related Fraud, then this emerges as the most prevalent category – with around 78 per cent of UK retailers reporting such frauds to be common or very common.
  • Increased threats to e-commerce were also found to be linked to disruptions caused by attacks upon online trading systems. For example, over 20% of retailers reported that Distributed Denial of Service (DDoS) attacks caused serious or very serious disruptions to their systems in the period surveyed.
  • Phishing appears to be a particular problem for UK retailers, with some respondents indicating that a single phishing attack within the period surveyed could have cost the company concerned up to £2 million to deal with. The negative impacts of phishing upon retail reflect a global trend which has indicated that, after US companies, UK brands and companies are now the second most targeted globally (RSA 2012). Find a link to 10 RSA monthly summaries at the bottom of the post.
  • Although more sophisticated attacks like phishing or hacking are often carried out by perpetrators from outside the UK, retailers questioned in this survey suggested that the majority of frauds continue to be perpetrated domestically. Retailers reported that around 86% of attacks originate within the UK
  • The extent and sophistication of the threat is likely to be due to the high level of online sales in the UK.
  • 75% of respondents reported that over 80 per cent of their sales occurred in the UK. Nevertheless, the research found that retailers were often unclear about the breakdown between UK and foreign originated e-crime perpetrated against them.
  • When combined with the difficulties retailers face in tracing the origin of e-crime and the lack of intelligence from law enforcement, the level of e-crime originating outside the UK is likely to be far higher than the estimates provided in this research.

Managing e-crime – Security and Effectiveness

  • 8% of the current losses from e-crime relate to security costs, with the survey indicating that firms across the retail sector spent at least £16.5 million on internal and external security provision.
  • The most significant component of this figure was staffing security systems which cost the sector at least £10.5 million in 2011-12.
  • Investment in security technology amounted to around £6 million for the same period.
  • Online security is managed through both internal and external provisions with third party screening continuing to be the most common, and most expensive, option. The data was not sufficiently robust to enable an overall projection of costs for outsourcing security provision to third parties. However some respondents indicated that this could be as high as 7 pence per transaction.
  • 71% of respondents supplemented third party screening with other automated methods of security such as 3D Secure.
  • 71% of retailers were also deploying the Address Verification System (AVS).
  • 78% of respondents stating that they use customer order history to make online purchases more secure.
  • 64% of respondents also contact the customer or card issuer directly to verify the details of a purchase.
  • 50% of respondents were contemplating investment in new methods or technologies in the future.
  • This increasing expenditure will inevitably lead to higher costs than those outlined within this research.

Law Enforcement Responses and Government Support

Respondents highlighted a number of concerns around the policing of e-crime with the survey finding uniformly low levels of satisfaction with current police responses to retail e-crime.

  • At least half of retailers said they were dissatisfied with current responses
  • Over a quarter of the total expressing strong dissatisfaction
  • 14% indicated that they were very satisfied with current law enforcement support

The reason for such low levels of reporting and satisfaction was that e-crime is not considered to be a priority by many police forces. There were also concerns that national units such as the National Fraud Intelligence Bureau or the Police Central e-Crime Unit (PCeU) do not have the resources or capacity necessary to carry out further investigations.

The research found that there were significantly low levels of reporting.

  • 60% of retailers questioned said they would be unlikely to report any more than 10% of e-crimes to the police. This was largely due to retailers’ concerns with the law enforcement approach to policing e-crime offences.

Of the frauds that were reported to the police, Card Not Present Frauds were the most common

  • 36% of respondents indicating that these would be reported
  • 14% said that they would report other kinds of fraud such as Credit Fraud (by Account Takeover).

Retailers also raised the need for greater government support

  • 57% of respondents expressed strong or moderate dissatisfaction with current support from government
  • Many retailers felt that there was scope for government to offer more support to UK businesses by informing them about potential threats to their business and providing guidance or advice on how best to mitigate these threats

British Retail Consortium Director General Stephen Robertson, said:

“The rapid growth of e-commerce in the UK shows it offers great benefits for customers but also new opportunities for criminals.

“Online retailing has the potential for huge future commercial expansion but Government and police need to take e-crime more seriously if the sector is to maximise its contribution to national economic growth.

“Retailers are investing significantly to protect customers and reduce the costs of e-crime but law makers and enforcers need to show a similarly strong commitment.

“This first comprehensive survey assessing the make-up and scale of e-crime shows where efforts need to be directed.

“Law enforcement and the Government need to work with us to develop a consistent, centralised method for reporting and investigating e-crime and resources must be directed to e-crime in line with the emerging threat. This will encourage retailers to report more offences and allow the police to better identify and combat new threats.”

Find 10 monthly RSA Online Fraud report summaries here.

.

RSA’s January 2012 Online Fraud Report

Below is a summary of RSA’s Jnauary 2012 Online Fraud Report:-

PHISHING IS A NUMBERS GAME

In 2011, approximately one in every 300 emails circulating the web was deemed to contain elements pointing to phishing. Most phishing content targeted the public sector, which was followed by the SME business sector.

Compared with the total numbers of phishing attacks recorded in 2010, phishing numbers have increased considerably through the past year. The cumulative number of phishing attacks recorded through 2011 was 279,580—a 37% increase from 2010.

In 2011, phishing attacks also received better coverage around the globe, with brands targeted from 31 different geographies and phishing emails communicated in 16 different languages – reaching an even more diverse crowd of Internet users. The top countries in which the most brands were attacked include: the U.S., the UK, Australia, Canada, India, and Brazil.

CONCLUSION

Looking at the year in phishing, it is clear that phishing has become easier than ever before with more automated toolkits available. In fact, some cybercriminals are known to invest all their efforts into phishing attacks only. On average, every phishing attack yields a $4,500 profit in stolen funds for the fraudster, a number which keeps this work-from-home endeavor rather lucrative.

Attack numbers have been increasing annually, and although phishing is one of the oldest online scams, and user awareness is higher than ever, it seems that web users still fall for phishing, unknowingly parting with their credentials over convincing enough replicas of websites they have come to trust.

With the ease of production and the enhanced quality of today’s attacks, the forecasted outlook for 2012 calls for yet another year riddled with hundreds of thousands of phishing attacks worldwide. As the phenomenon continues to spread, it stands to reason that phishing will move on to even more geographies, target more brands and be spread in more languages in 2012.

Phishing Attacks per Month

In December, phishing volumes decreased 26 percent with 21,119 unique phishing attacks identified by RSA worldwide. The UK continued to be country most targeted by phishing attacks in December, suffering 50 percent of global volume while the U.S. continued to be the top hosting country – hosting 52 percent of the world’s phishing attacks in December.

Number of Brands Attacked

In December, 256 brands were targeted through phishing attacks, marking an 18 percent decrease from November. The number of new brands attacked for the first time decreased from 13 brands in November to six brands in December.

US Bank Types Attacked

Last month, the portion of brands targeted in the U.S. credit union sector decreased three percent as did the portion of brands targeted by phishing in the U.S. regional banks sector (decreasing seven percent). The portion of attacked brands representing U.S. nationwide banks increased ten percent from 76 percent to 86 percent. This represents the highest portion of brands in the U.S. nationwide banking sector targeted by phishing in the last year.

Top Countries by Attack Volume

The UK was the country most targeted by phishing once again in December – targeted by 50 percent of all attacks – for the fourth consecutive month. The U.S. was the second most targeted country with 28 percent of all phishing attacks.

Since this time last year, the top five countries that have endured the highest volume of phishing include the UK, the U.S., South Africa, Canada and Brazil. In terms of the languages used in phishing attacks, English is still the most dominant, followed by Portuguese, Spanish and Dutch.

Top Countries by Attacked Brands

Together, the U.S. and UK accounted for 43 percent of the world’s targeted brands, while the brands of 14 additional countries accounted for a total of 39 percent of phishing attacks in December.

Top Hosting Countries

In December, the US hosted 52 percent of the world’s phishing attacks, a nine percent decrease from November. Germany and Russia were the second top hosts with five percent of attacks. A surprising entrance came from Japan as a top host in December, accounting for four percent of attacks.

The RSA December Online Fraud Report Summary is here.

The RSA November Online Fraud Report Summary is here.

The RSA October Online Fraud Report Summary is here.

The RSA September Online Fraud Report Summary is here.

.

RSA’s November Online Fraud Report

Below is a summary of RSA’s November Online Fraud Report:-

The humble beginnings of phishing

The term ‘phishing’ was coined in 1996 by hackers who managed to steal America Online (AOL) accounts by coaxing username and passwords from unsuspecting users. At the time, hacked accounts were dubbed ‘phish’; within a year, ‘phish’ was actively being traded between hackers as a form of electronic currency that was of value to them. ‘Phishers’ used to go after compromised e-mail accounts in order to send out spam.

In its early days, phishing was not looking to steal bank account information or even financially driven for that matter. It was only when phishers realized that it was relatively easy to convince web users to divulge their passwords that they inevitably saw it as a way to monetize data. Now going beyond spam, phishers added a criminal layer to their activities and began thinking of ways to compromise more valuable credentials, especially those which afforded online access to bank accounts.

Phishing became a fraudster’s gold rush.

Phishing Attacks per Month

In October, phishing volume dropped nearly 40 percent – from 38,970 attacks in September to 24,019 attacks. This decline was mainly due to a drastic reduction in the number of phishing attacks targeting brands that were heavily attacked in September.

Number of Brands Attacked

Last month, 298 brands were targeted with phishing attacks, marking just a slight drop from September. Eleven brands endured their first attack in October while 51 percent of the brands targeted last month endured less than five attacks each.

US Bank Types Attacked

The portion of brands targeted among U.S. credit unions increased eight percent while brands targeted among U.S. regional banks saw a 13 percent decrease in October (from 25% to 12%). However, U.S. nationwide bank brands continue to endure the highest number of attacks, accounting for nearly 75 percent in October.

Top Countries by Attack Volume

In October, the UK continued to be the country that endured the most phishing attacks, just slightly ahead of the U.S. by a mere one percent. South Africa endured eleven percent of the phishing volume in October, followed by Brazil and Canada.

Top Hosting Countries

In October, the US hosted 54 percent of the world’s phishing attacks, followed by Germany with seven percent and the UK with four percent. Since October 2010, the only countries that have consistently hosted the highest portions of phishing attacks have been the US, UK, Germany, France and Russia.

The full RSA Report can be found here.

The RSA October Online Fraud Report Summary is here.

The RSA September Online Fraud Report Summary is here.

.

RSA’S October Online Fraud Report

Below is a summary of RSA’s October Online Fraud Report.

October was Cyber Security Awareness Month. A public relations effort made by several US-based government bodies to increase security-literacy across the tiers that make up our digital society. By encouraging each and every Internet user to “Stop, Think, Connect,” the Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) hope to increase security within the home, business environment, and ultimately within the entire nation. While this effort was founded in the U.S., its aspirations of increasing security literacy among the general public could easily be embraced across the globe.

Ironically, October also marks a major milestone for RSA, reaching the official shut down of over 500,000 phishing attacks around the globe. Sometimes viewed as one of the oldest scams in the book, phishing is still a very popular method among cybercriminals.

RSA recently estimated that worldwide losses from phishing attacks alone during H1 2011 amounted to over $520 million, and losses incurred from phishing attacks during the 12-month period of H2 2010 through H1 2011 reached nearly $1 billion.

Phishing Attacks per Month

The number of phishing attacks identified by RSA in September increased by 45%, setting a new all-time high of 38,970 attacks. As in the month prior, this increase was largely attributed to repeated attacks on a handful of large financial institutions which have been heavily targeted throughout the past few months.

Number of Brands Attacked

The total number of brands attacked decreased 15%, dropping from 351 targeted brands in August to 300 brands in September. Last month, no new brands endured their first phishing attack, compared to seven newly-targeted brands in August. Monthly counts of newly-targeted brands last year hovered around 20 to 25 entities per month indicating a slowdown in the trend of attacks on new targets.

US Bank Types Attacked

In September, the portion of targeted brands among U.S. credit unions dropped from 19% to 6%. In contrast, the portion of targeted brands among regional U.S. banks increased 5%, while attacks against nationwide U.S. banks increased 8%. Nationwide banks continue to be the most lucrative target among phishers likely because their customer bases are large and geographically dispersed.

Top Hosting Countries

The U.S. hosted two out of three worldwide phishing attacks in September. Since September 2010, the only countries that have consistently hosted the highest portions of phishing attacks have been the U.S., UK, and Germany.

Top Countries by Attack Volume

The U.S. and UK continue to remain the top two countries targeted by the highest volume of phishing attacks. In September, they endured 79% of the world’s phishing attacks. Brazil, Canada, and South Africa remained among the top five countries in September in terms of phishing attack volume.

Top Countries by Attacked Brands

U.S. and UK brands accounted for 43% of all the brands targeted worldwide by phishing in September.

The full report can be found here.

The RSA September Online Fraud Report Summary is here.

.

RSA’s September Online Fraud Report

At bit of a catch up on the excellent RSA Fraud Reports. The results from their September report are below.

At the bottom of the post is the August Report Summary link.

Phishing Attacks per Month

The number of phishing attacks identified by RSA in August increased by 7%, setting a new all-time high of 26,907 attacks. This increase can be mostly attributed to repeated attacks on a number of large financial institutions which have been heavily targeted through the past few months.

Number of Brands Attacked

The total number of brands attacked increased 9% in August, climbing from 321 targeted brands in July to 351 brands in August. Last month, seven brands endured their first phishing attack. Last year, monthly counts of newly-targeted brands hovered around 20 to 25 per month, indicating a slowdown in the attack rate of new targets.

US Bank Types Attacked

The number of phishing attacks targeting U.S. credit unions in August nearly doubled, from 10% to 19%. The portion of attacked brands among the other two sectors decreased – regional U.S. banks decreased 3% and nationwide banks decreased 6%. August 2011 marked a two-year high for U.S. credit union brands being targeted since hitting the 24% mark in August 2009.

Top Countries by Attack Volume

The US and UK remained the top two countries most targeted by phishing in August, accounting for 73% of the world’s attacks. Brazil, Canada, and South Africa all remained in the top half.

Top Hosting Countries

The U.S. hosted 63% of all phishing attacks identified in August. The UK and Germany both accounted for hosting 4% of global phishing attacks followed by France, Canada, the Netherlands, Brazil, Russia, and Australia. In the last year, the countries that have consistently hosted the highest portions of phishing attacks have been the U.S., UK, and Germany.

Top Countries by Attacked Brands

The top five countries whose brands were most targeted by phishing in August, the U.S., UK, Australia, India, and Canada – accounted for 60% of attacks. U.S.

The full report can be found here.

See the RSA August Report Summary here.

.

Blog at WordPress.com.

Up ↑

%d bloggers like this: