Cisco Email Security Appliance C190 White Paper

Cisco Security White Paper
Email Attacks: This Time It’s Personal
Executive Summary

Cybercriminal business models have recently shifted toward low-volume targeted attacks. With email remaining the primary attack vector, these attacks are increasing in both their frequency and their financial impact on targeted organizations. Cisco Security Intelligence Operations’ (SIO) research findings indicate that the annualized cybercrime business activity caused by mass, indiscriminate email attacks has declined by more than half. At the same time, the business activity caused by highly personalized targeted attacks is growing rapidly, tripling in the last year. While the financial impact translates to monetary loss and stolen credentials, organizations that have been victimized by these attacks have to bear the cost of remediating infected hosts and the negative impact on their brand reputation.

The increasing prevalence of these attacks, compounded by trends toward mobility and uncontrolled endpoints, underscores the need for today’s organizations to implement a new approach to security that leverages the network. While many organizations train users to identify dangerous messages and avoid clicking on URLs that might lead to compromised websites or malware downloads, user education cannot completely protect organizations from these threats. Instead, organizations need a highly distributed security architecture that manages enforcement elements such as firewalls, web proxies, and intrusion-prevention sensors with a higher-level policy language that is context-aware.

This paper examines attack trends and explores the impact of these campaigns. The findings in this paper are based on research Cisco has conducted with organizations worldwide across a broad range of industries.

The Business of Cybercrime: The Role of Email

The shift in cybercrime business models has resulted in a prominent change in threat activity over the last year. Fewer mass attacks are launched, as evidenced by the 80 percent reduction in overall spam volumes. Instead, cybercriminals are focusing on higher-value endeavors, including increased scams and malicious attacks, spearphishing attacks, and targeted attacks.

Reduction in Mass Attacks

With more cybercriminals moving toward the use of targeted attacks, Cisco SIO estimates that the cybercriminal benefit resulting from traditional mass email-based attacks has declined more than 50 percent: from US$1.1 billion in June 2010 to $500 million in June 2011 on an annualized basis. This change reflects a reduction in spam volume from 300 billion to 40 billion spam messages daily from June 2010 to June 2011. This reduction is consistent with low continued user conversion rates and is partially offset by increases in the average user spending on conversions.

This decline has been offset by a small subset of mass attacks: scams and malicious attacks, which make up about 0.2 percent of total mass attacks and have been providing greater cybercriminal benefit. By using more personalization tools, the user conversion rates for the better-crafted scams and malicious attacks have increased significantly in the last year. In addition, the average user loss caused by the malware or scam employed has increased because of the information shared.

In estimating total losses (see Table 1), Cisco SIO used the conservative estimate of US$250 per victimized user. This amount is in line with the low-end estimate of recent publicly disclosed scams and malicious attacks. For instance, in June 2011, the U.S. Federal Bureau of Investigation (FBI) announced a scam email directing recipients to send $350 to obtain a Clearance Certificate or else legal action would be taken against the recipient. Using these estimates, scams and malicious attacks (as a sub-category of mass attacks) have grown from US$50 million to US$200 million over the last year on an annualized basis.

Table 1: Cybercriminal Benefit from Mass Attacks

Cybercriminal Benefit (US$ million)
                              1 Year Ago   Current
Spam Attacks                  $1,000       $300
Scams and Malicious Attacks   $50          $200
TOTAL                         $1,050       $500

Starting in 2010 and continuing into 2011, the criminal ecosystem has been changing dramatically. Law enforcement authorities and security and industry organizations worldwide have been collaborating to shut down or limit the largest spam-sending botnets and their associates. SpamIt, a large spam-sending affiliate network, ceased operations in October 2010 after its database was leaked and Russian police pressed charges against its owner. Major botnets were severely curtailed or even shut down, including Rustock, Bredolab, and Mega-D. By disrupting the financial and technical business models of key cartels, threat volumes have declined in favor of more lucrative activities.

Let’s look briefly at the differences in the conversion process and business models of mass attacks and targeted attacks. Historically, the spam conversion pipeline started with lists of email addresses used by associated bots to deliver messages (see Stage A in Figure 1). Upon receipt, anti-spam engines correctly identify and block the vast majority of threat messages (Stage B). The messages that make it past the spam filters end up in the user’s mailbox as supposedly legitimate mes-