In-Depth
Spearphishing on the Rise
Attackers are reducing traditional mass-spam phishing campaigns in favor of targeted or spearphishing attacks.
Why phish with a torn and gaping net when you can phish more effectively (and haul in bigger and more lucrative catches) with a spear?
That's one upshot of a new report from Cisco Systems Inc.'s Security Intelligence Operations (SIO). According to the Cisco report, attackers are turning away from mass-spam phishing attacks -- i.e., phishing with a torn and gaping but huge net -- in favor of targeted or spearphishing attacks.
"With [e-mail] remaining the primary attack vector, these attacks are increasing in both their frequency and their financial impact on targeted organizations," says the SIO report. Follow the money, say Cisco researchers, and you'll find out where the real cracking action is. "The annualized cybercrime business activity caused by mass, indiscriminate [e-mail] attacks has declined by more than half. At the same time, the business activity caused by highly-personalized targeted attacks is growing rapidly, tripling in the last year."
Last year, for example, mass-spam attacks generated almost $1 billion in cyber-criminal revenues; 12 months later, they're accounting for just $300 million. One reason for this drop, say Cisco researchers, is that targeted phishing hauls are far more successful: a typical mass attack that targets one million users might result in eight successful victimizations, the Cisco report indicates; a spearphishing campaign targeting one thousand users might result in two successful victimizations.
One quarter as many, to be sure -- but at 1/1000th the number of e-mail messages.
"Targeted attacks typically hold much higher retention throughout the [spam] pipeline, as the [e-mail] and [Web site] link are sent to valid users and appear legitimate to security engines and recipients," the report explains. "While the volumes are low, the conversion rates of targeted attacks are much higher."
Targeted attacks are considerably more lucrative than their mass-spamming counterparts, too. The average value per victim comes in at about $80,000 for targeted attacks versus $16,000 for mass-spam attacks. Using the example above, that translates into $160,000 for two successful targeted attacks -- and $80,000 for five successful mass spam efforts.
Targeting isn't a money-for-nothing goldmine, however: its success is precisely a function of its methods, which require more time and knowledge to exploit than do money-for-nothing -- but comparatively ineffective -- mass-phishing attacks. Spear attacks use only valid e-mail addresses; masquerade as legitimate messages, frequently from known (or notionally knowable) contacts; feature content tailored to the responsibilities or interests of their recipients; and bundle "higher-quality and typically not-yet-discovered malware," according to Cisco. In addition, attackers are increasingly using new Web sites -- in notionally "clean" netblocks -- that are once again customized for individual targets.
"This is criminal Darwinism at work: Cybercriminals are adapting their campaigns to increase their staying power," the report notes.
Cisco researchers differentiate between targeted attacks -- which are aimed at individuals and are typically concerned with intellectual property (IP) theft -- and spearphishing attacks, which tend to target groups and are concerned with financial gain.
"While potentially similar in structure, the major differentiator of targeted attacks relative to spearphishing attacks is the focus on the victim. A targeted attack is directed toward a specific user or group of users whereas a spearphishing attack is usually directed toward a group of people with a commonality, such as being customers of the same bank.
"Targeted attackers often build a dossier of sorts on intended victims -- gleaning information from social networks, press releases, and public company correspondence. While spearphishing attacks may contain some personalized information, a targeted attack may contain a great deal of information which is highly personalized and generally of unique interest to the intended target."
Stuxnet, Cisco says, is a classic example of a targeted attack.