Friday, July 1, 2011

Spam Profits Down, Cybercrooks Flock to Targeted Attacks

Via -

A new report from Cisco Systems Inc. analyzing illegal activities from spammers and other online scams suggests that cyber criminals are abandoning large spam runs and indiscriminate attacks in search of higher profits doing targeted hacks.

The findings of the report, released at a press and analyst event on Thursday, suggest a precipitous drop in revenue generated by mass spam- and phishing attacks of the last five years, and a shift to lower volume, but more profitable targeted attacks, according to the report.

Cisco estimated that worldwide revenue from high volume spamming has decreased by more than two thirds since last year, from $1 billion a year ago to just $300 million today. During the same period, revenue from scams and other malicious attacks has quadrupled from $50 million to around $200 million, the company reported.


Targeted attacks are a subset of spam and share many characteristics with mass spam runs, including the use of e-mail messages containing malicious file attachments or Web links. However, targeted attacks rely on extensive planning and research on the likely recipients of the e-mail. Time is taken to craft e-mail messages that seem to be from legitimate sources and directed to the recipient.

Targeted spam runs are far smaller than mass spam runs, but have similar block rates. The key difference is a far higher conversion rate among the few users who end up seeing the targeted e-mails. Fully 70% of those who see a targeted e-mail message opened it, Cisco data suggests, and 50% of those clicked through to the malicious Web page or attachment and were "converted."

The average value per victim, for attackers, can be 40 times that of a mass attack and the profit from a spearphishing campaign can be 10 times that of a high volume spam run, Cisco said.


Amid the current security landscape and marketing hype, it can be difficult to remember that not every attack is an APT, even if that attack is very well planned and executed and has the objective of obtaining data to facilitate or improve future cybercrime / fraud.

A quote on targeted attacks from McAfee's 2011 Threat Predictions whitepaper (PDF):
"Not all APT attacks are highly advanced and sophisticated, just as not every highly complex and well-executed targeted attack is an APT."
So why would standard cybercriminals want to improve their attacks? The same reason anyone wants to improve a process - to do it more cheaply and to make it more profitable. The new Cisco report above shows just how profitable a little improvement can be for the bad guys.

So how are they improving? By going for quality over quantity and improving the social engineering aspects of their attacks with better aim - increasing the likelihood that the victim will bite the bait.

In Nov 2010, Return Path Inc. issued a warning to their ESP (Email Service Provider) partners...
Over the course of the past five weeks, spam campaigns have been aimed at the staff members of over 100 ESPs and gambling sites. These targets have received emails typically with content that mentions the staffer by name, and purports to be from a couple, presumably friends or co-workers.

The phish message has been sent numerous times, over several different systems, including using the facility of some ESPs, using online greeting card sites, and by way of a botnet. Sources confirm the list of addresses is very small (less than 3,000 addresses) and aimed 100% at staff responsible for email operations.


This is an organized, deliberate, and destructive attack clearly intent on gaining access to industry-grade email deployment systems. Further, the potential consequences should ESP client mailing lists be compromised at this time of the year are unimaginable.

What better improvement than stealing the customer mailing list for Company X, spending a small amount of time crafting a fake e-mail from Company X and then sending it specifically to their customers, who are already expecting an e-mail from Company X? Brilliant!

It's spear-phishing (or spear-spamming) by group, as opposed to by individual. The attacker could take it one step further, depending on the data obtained, and include each person's first and last name...perhaps part of their loyalty number.

The better the information obtained before the attack (e.g. intelligence), the more targeted the attack can be...and thus more effective (and profitable). It's simple economics.
