Why spear phishing? Cyber crooks are all about the ROI.
Recent research by Cisco indicates that it is getting more difficult to make a dishonest dollar from spamming. Spam volumes have plummeted over the last year, as cyber criminals abandon mass e-mailings for more targeted — and more profitable — attacks.
The drop in spam is good news as far as it goes, but it’s hard to get too excited about it. Another report from Symantec says that yes, spam volumes are dropping, down 2.9 percentage points in June from May, but spam still accounted for 73 percent of all e-mail.
Overall, this is like a lifeguard telling a swimmer floundering in the deep end that water is being drained from the pool: The good news is that the water now is only six feet over his head instead of eight; the bad news is that there are now sharks in the water.
“Starting in 2010 and continuing into 2011, the criminal ecosystem has been changing dramatically,” according to the report from Cisco Security Intelligence Operations. Research showed that the value of cyber crime from mass-spamming had dropped, on an annual basis, from an estimated $1 billion in June 2010 to about $500 million by June 2011. Spam dropped from 300 billion messages a day in June 2010 to “only” 40 billion a day one year later.
Both Cisco and Symantec attribute the drop in volume to improved cooperation between law enforcement in different countries and the security industry to shut down or hobble leading spam-spewing botnets. These successes are only half of the story, however.
“This does not mean that spammers are dead,” Symantec said in its Intelligence report for June. Spam still dominates the e-mail landscape, and spammers are adjusting their techniques, using more targeted spear-phishing attacks.
“By using more personalization tools, the user conversion rates for the better-crafted scams and malicious attacks have increased significantly in the last year,” Cisco’s report states. “In addition, the average user loss caused by the malware or scam employed has increased because of the information shared.”
Cisco analyzed the economics of phishing attacks, comparing mass-mailings with more targeted spear phishing. Interestingly, 99 percent of both kinds of attacks are identified and blocked by spam filters.
But the numbers diverge sharply for the messages that do reach the inbox: 70 percent of spear-phishing e-mails are opened, compared with just 3 percent of mass spam e-mails. And fully half of those who open spear-phishing e-mails click on the enclosed links, 10 times the rate for mass mailings.
According to Cisco, both kinds of attack generate only a handful of victims, and a spear-phishing attack costs 20 times more per target than a mass mailing, but the payoff makes spear phishing worth the effort. The take per spear-phishing victim is 40 times greater than the take per mass-mailing victim, and the overall yield of a spear-phishing campaign of 1,000 messages is 10 times that of a mass-mailing campaign of 1 million messages.
And this does not take into account the value of highly targeted attacks that are crafted for high-value victims to breach enterprise defenses and gain access to intellectual property and other valuable information.
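To check whether the rates quoted above actually add up to the "10 times" conclusion, here is a small campaign-economics funnel built from the article's figures. It is an added example, not Cisco's model or code from the report: the article gives only ratios (filters block 99 percent of both, 70 versus 3 percent opened, 50 versus 5 percent clicked, cost per target 20 times higher, take per victim 40 times higher), so the mass-mailing cost per message and take per victim are normalised to 1.0, every clicker is counted as a victim, and cost is applied linearly per message. The last two are assumptions; absolute dollar values are not on the page and are not modelled.

```python
"""Spam-versus-spear-phishing funnel reconstructed from the rates quoted in the article.

Constructed example. All money figures are relative units: mass mailing is 1.0 per
message and 1.0 per victim; spear phishing is 20.0 per message and 40.0 per victim,
as the article states. Absolute costs and takes are not in the article.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Campaign:
    name: str
    messages: int
    blocked: float            # fraction stopped by spam filters (article: 0.99 for both)
    opened: float             # fraction of delivered mail that is opened
    clicked: float            # fraction of opened mail whose link is clicked
    cost_per_message: float   # relative to mass mailing (= 1.0)
    take_per_victim: float    # relative to mass mailing (= 1.0)

    def delivered(self) -> float:
        return self.messages * (1.0 - self.blocked)

    def victims(self) -> float:
        # Assumption: every clicker becomes a victim; the article quotes no
        # further drop-off stage after the click.
        return self.delivered() * self.opened * self.clicked

    def cost(self) -> float:
        # Assumption: cost scales linearly with messages sent. The article
        # quotes only a per-target ratio, not fixed costs such as botnet rental.
        return self.messages * self.cost_per_message

    def take(self) -> float:
        return self.victims() * self.take_per_victim

    def roi(self) -> float:
        return self.take() / self.cost()


# Rates as reported in the article (Cisco figures).
MASS = Campaign("mass mailing", 1_000_000, blocked=0.99, opened=0.03, clicked=0.05,
                cost_per_message=1.0, take_per_victim=1.0)
SPEAR = Campaign("spear phishing", 1_000, blocked=0.99, opened=0.70, clicked=0.50,
                 cost_per_message=20.0, take_per_victim=40.0)


def take_ratio(a: Campaign = SPEAR, b: Campaign = MASS) -> float:
    """How many times more campaign `a` brings in than campaign `b`."""
    return a.take() / b.take()


def with_filter_rate(c: Campaign, blocked: float) -> Campaign:
    """Same campaign with a different filter block rate, for sensitivity checks."""
    return replace(c, blocked=blocked)


if __name__ == "__main__":
    for c in (MASS, SPEAR):
        print(f"{c.name:15s} delivered={c.delivered():10.1f} victims={c.victims():6.1f} "
              f"take={c.take():7.1f} roi={c.roi():.5f}")
    print(f"spear/mass take ratio: {take_ratio():.2f}")
    weaker = with_filter_rate(SPEAR, 0.95)
    print(f"spear phishing with 95% filtering: victims={weaker.victims():.1f}")
```

With the article's rates the funnel yields about 15 victims from a million spam messages and 3.5 from a thousand spear-phishing messages, and the spear-phishing take comes out at roughly 9.3 times the mass-mailing take, consistent with the "10 times" figure. The `roi()` comparison rests on the linear-cost assumption and is illustrative only; `with_filter_rate` is there because the 99 percent block rate is the one figure that does the most work, and dropping it to 95 percent for spear phishing multiplies the victim count fivefold.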
Given the return on investment possible from targeted attacks, it is small wonder that the sheer volume of spam is declining. Given recent instances of hacking for fun, politics and profit, these figures offer small comfort.
Having harvested the low-hanging fruit, attackers now are moving on to more difficult but more profitable areas. The change might put a few of the bad guys out of business at least for the time being, but the threat landscape does not offer many signs of improvement.