Criminals shift from spam to lucrative targeted attacks, says Cisco

As a result of this shift, the overall cost of targeted attacks to organizations worldwide has reached $1.29 billion annually, according to Cisco's new report Email Attacks: This Time It’s Personal. The report is based on a survey of 361 IT professionals from 50 countries conducted by Cisco Security Intelligence Operations.

Spearphishing attacks have increased threefold, while scams and malicious attacks have increased fourfold. In addition, for every $1 lost due to spearphishing and targeted attacks, an organization spends $2.10 for remediation and $6.40 for reputation repair, according to Cisco.

At the same time, profits from mass spam attacks have declined by more than 50%, from $1.1 billion in June 2010 to $500 million in June 2011. Spam volumes have dropped from 300 billion per day to 40 billion per day over the same time period.

“This report tries to lay out a convincing argument for what we believe to be a true tipping point in the nature of attacks….Criminal profits have migrated from mass attacks…to targeted attacks”, said Patrick Peterson, chief security researcher at Cisco.

Peterson attributed the fall-off in profits from mass spam attacks to the shutting down and disruption of botnets.

“Targeted and spearphishing attacks have not only gone up in volume, but the harm they do has gone up tremendously”, Peterson told a June 30 web conference.

The success of targeted attacks relies on technical holes and misplaced trust. Very low in volume, targeted attacks focus on a specific individual or group under cover of anonymity provided by specialized botnet distribution channels, the report said.

Typically, targeted attacks rely on malware or advanced persistent threats to collect the targeted data over a period of time. An example of a targeted attack is the Stuxnet worm, which has the potential to disrupt industrial computing systems and could traverse non-networked systems, the report observed.

Spearphishing attacks, though more costly to mount and lower in volume than mass spam attacks, also pose serious risks for companies, the report noted. Spearphishing attacks often lead to financial theft, making them both dangerous to victims and valuable to cybercriminals. Spearphishing campaigns, which are a highly customized evolution of the traditional mass attack technique of phishing, can net 10 times the profit of a mass attack, Cisco said.

“The criminal motivation and economics are moving from mass phishing to spearphishing....[which] takes more work, more setup costs, and more specialization. That larger investment can also be much more lucrative”, Peterson said.
