Welcome Guest. | Log In | Register | Membership Benefits

Targeted Attacks 10 Times More Profitable Than Mass Campaigns

New Cisco report finds it costs five times as much for a cybercriminal to execute a targeted attack, but it pays much more than a mass attack

Jun 30, 2011 | 04:41 PM | 

By Kelly Jackson Higgins
Dark Reading
It costs cybercriminals five times as much to pull off a targeted attack than a mass attack, but a targeted attack yields 10 times the profit, according to data in a report published by Cisco Systems today.

New research from Cisco's Security Intelligence Operations (SIO) illustrates a dramatic rise in targeted attacks and the corresponding decline of wide-net, mass attacks: While there have been half the number of mass email-borne attacks this year than last, targeted, personalized attacks have tripled in the past year. The bad guys made more than $1 billion a year ago via mass email-borne attacks, and about $500 million as of June 2011.

The amount of spam has declined significantly: In June 2010, there were 300 billion spam messages delivered per day, versus 40 billion per day as of June 2011. Even so, email accounts for more than 50 percent of cybercrime activity.

Patrick Peterson, a Cisco fellow, says Cisco calculated its data in the "Email Attacks: This Time It's Personal" report from customer surveys and data gathered from Cisco products, as well as qualitative interviews with customers. Why the abrupt drop in spam and volume-type attacks? "Botnet decapitation," Peterson says. "They've been shut down, taken offline, and disrupted."

For every dollar lost by a victim organization, it costs $2.10 for remediation and $6.40 for what Cisco calls "reputation repair," including PR to handle the fallout of a breach. "Criminals have come a long way in targeted attacks, and we don't see that changing," Peterson says. "It impacts the business dramatically."

Targeted attacks cost organizations worldwide $1.29 billion, according to Cisco.

Cisco provided an example estimate of the cost and profit of a mass phishing attack versus a spear-phishing attack to demonstrate how a targeted attack is more lucrative for the bad guys. Say a mass attack sends about 1 million messages in a campaign, while a spear-phishing attack sends 1,000. Some 70 percent of the spear-phishing victims open their messages, while about 3 percent do so in the mass attacks; half of spear-phishing targets "click through" their messages, while the click-through rate for mass attacks is about 5 percent, according to Cisco.

A targeted attack would cost about $10,000 for a cybercriminal to pull off, versus a mass attack that costs the bad guy about $2,000.

Mass-attack victims are worth about $2,000 a head, while targeted ones are valued at $80,000 each, Cisco says. The mass campaign nets eight victims, while the targeted one successfully dupes two, so in the end the targeted attack returns a $150,000 profit, versus $14,000 for the mass attack.

But the cost per targeted attack is a difficult number to quantify, especially if it includes an expensive zero-day exploit, says Chenxi Wang, vice president and principal analyst for security and risk at Forrester Research. "Some of the targeted attacks come equipped with a zero-day exploit, and depending on what it is, some zero-day exploits can cost more than $20,000 to procure on the black market, so the $10,000 figure feels a little low to me," Wang says.

According to Cisco, there were three times as many spear-phishing attacks this year than last, and four times as many scams and malicious attacks.

"Personalized and targeted attacks that focus on gaining access to more lucrative corporate bank accounts and valuable intellectual property are on the rise. Law enforcement efforts are making mass spam attacks less appealing to cybercriminals, who are thus spending more time and effort focusing on different types of spear phishing and targeted attacks," says Nick Edwards, director of Cisco’s security technology business unit.

The data for the study came from hundreds of IT professionals across 50 countries, as well as from Cisco's SIO, which gathers feeds from Cisco email, Web, firewall, and IPS products. A full copy of the Cisco report is available for download here.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.



Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dark Reading encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dark Reading moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Dark Reading further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
Subscribe to RSS



Advanced Threats Reports

report How Did They Get In? A Guide to Tracking Down The Source of an APT
If you think that your organization hasn't been affected by an advanced persistent threat, you probably haven't looked hard enough. Identifying that your organization is under attack is difficult enough; determining the scope of infiltration and damage presents a whole new level of challenge. To effectively protect against APTs, security pros will need to employ an arsenal of tools in a coordinated fashion, as well as develop new understandings of and approaches to system and data exploits. Here's a short and simple guide to this challenge.

report Detecting and Defending Against Advanced Persistent Threats
APTs are a growing problem for enterprises big and small. Protecting your organization from these targeted threats requires constant vigilance, ongoing employee training and a concerted effort to align security systems to address every phase of an APT. Companies also need to develop a remediation and response plan if, despite best efforts, defenses are breached.

report Smarter, Stealthier, Sneakier Malware
Increasingly sophisticated and targeted attacks are making it more difficult for organizations to detect and defend against the latest malware. In this compendium of recent coverage from Dark Reading, you?ll get a look at some of the newest -- and most dangerous -- malware on the Web, and what you can do to stop it.

Other reports from the Advanced Threats Tech Center:

Related Content

MOBILE SECURITY - Mapping an Ecosystem of Risk
This white paper highlights the various considerations for defending mobile applications-from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.

Software Security Delivered in the Cloud
This Solution Guide details the automated, turnkey service that requires no special security assessment expertise. It details HP's market-leading static and dynamic analysis technologies that help organizations worldwide gain insight into the security state of their essential business applications.

SANS Mobility/BYOD Security Survey
This survey, which includes input from more than 500 IT professionals, explores how organizations are managing risk around their end user mobile devices as well as what level of policies and controls enterprises have around mobile usage.

Expert Guide to Application Security - Real-time Hybrid Analysis
Explore the next generation of hybrid security analysis - what it is, how it works, and its benefits. This white paper details how hybrid application security enables organizations to resolve critical software security issues faster and at a lower cost than any other available technology.

A Mainstay Partners Study: Does Application Security Pay?
Measuring the Business Impact of Software Security Assurance Solutions: a study of 17 organizations that implemented solutions from Fortify Software, combining industry research and benchmark analysis to identify, qualify, and quantify the full range of benefits seen from their SSA investments.




Featured Webcasts
Featured Whitepapers
Featured Reports