Targeted Attacks 10 Times More Profitable Than Mass Campaigns

It costs cybercriminals five times as much to pull off a targeted attack than a mass attack, but a targeted attack yields 10 times the profit, according to data in a report published by Cisco Systems today.

New research from Cisco's Security Intelligence Operations (SIO) illustrates a dramatic rise in targeted attacks and the corresponding decline of wide-net, mass attacks: While there have been half the number of mass email-borne attacks this year than last, targeted, personalized attacks have tripled in the past year. The bad guys made more than $1 billion a year ago via mass email-borne attacks, and about $500 million as of June 2011.

The amount of spam has declined significantly: In June 2010, there were 300 billion spam messages delivered per day, versus 40 billion per day as of June 2011. Even so, email accounts for more than 50 percent of cybercrime activity.

Patrick Peterson, a Cisco fellow, says Cisco calculated its data in the "Email Attacks: This Time It's Personal" report from customer surveys and data gathered from Cisco products, as well as qualitative interviews with customers. Why the abrupt drop in spam and volume-type attacks? "Botnet decapitation," Peterson says. "They've been shut down, taken offline, and disrupted."

For every dollar lost by a victim organization, it costs $2.10 for remediation and $6.40 for what Cisco calls "reputation repair," including PR to handle the fallout of a breach. "Criminals have come a long way in targeted attacks, and we don't see that changing," Peterson says. "It impacts the business dramatically."

Targeted attacks cost organizations worldwide $1.29 billion, according to Cisco.

Cisco provided an example estimate of the cost and profit of a mass phishing attack versus a spear-phishing attack to demonstrate how a targeted attack is more lucrative for the bad guys. Say a mass attack sends about 1 million messages in a campaign, while a spear-phishing attack sends 1,000. Some 70 percent of the spear-phishing victims open their messages, while about 3 percent do so in the mass attacks; half of spear-phishing targets "click through" their messages, while the click-through rate for mass attacks is about 5 percent, according to Cisco.

A targeted attack would cost about $10,000 for a cybercriminal to pull off, versus a mass attack that costs the bad guy about $2,000.

Mass-attack victims are worth about $2,000 a head, while targeted ones are valued at $80,000 each, Cisco says. The mass campaign nets eight victims, while the targeted one successfully dupes two, so in the end the targeted attack returns a $150,000 profit, versus $14,000 for the mass attack.

But the cost per targeted attack is a difficult number to quantify, especially if it includes an expensive zero-day exploit, says Chenxi Wang, vice president and principal analyst for security and risk at Forrester Research. "Some of the targeted attacks come equipped with a zero-day exploit, and depending on what it is, some zero-day exploits can cost more than $20,000 to procure on the black market, so the $10,000 figure feels a little low to me," Wang says.

According to Cisco, there were three times as many spear-phishing attacks this year than last, and four times as many scams and malicious attacks.

"Personalized and targeted attacks that focus on gaining access to more lucrative corporate bank accounts and valuable intellectual property are on the rise. Law enforcement efforts are making mass spam attacks less appealing to cybercriminals, who are thus spending more time and effort focusing on different types of spear phishing and targeted attacks," says Nick Edwards, director of Cisco’s security technology business unit.

The data for the study came from hundreds of IT professionals across 50 countries, as well as from Cisco's SIO, which gathers feeds from Cisco email, Web, firewall, and IPS products. A full copy of the Cisco report is available for download here.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.