Cisco Email Security Appliance X1050 White Paper
Cisco Security White Paper
Email Attacks: This Time It’s Personal
The potential returns are causing a shift in cybercriminal business models. Presently, the opportunity cost of spamming may not be worth the rate of return due to increases in both anti-spam efficacy and user awareness. Instead, cybercriminals are focusing more time and effort on different types of targeted attacks, often with the goal of gaining access to more lucrative corporate and personal bank accounts and valuable intellectual property.

To make their attacks more personalized, some cybercriminals have focused on infiltrating email marketing vendors, since these vendors hold valid names, email addresses, and other attributes. When used in scams and malicious attacks—whether on a mass scale or in spearphishing attacks—this personal information increases the likelihood of users opening an attack email. The correlation of lower mass spam with recent data breaches is interesting, but the real takeaway is that attacks are becoming more personalized.
Impact of Personalized Attacks
Impact of Spearphishing Attacks
Spearphishing attacks, though lower in volume relative to other types of threats, have serious consequences for today’s enterprises. The majority of spearphishing attacks ultimately lead to financial loss, making them incredibly dangerous to victims and incredibly valuable to cybercriminals.

Spearphishing uses customization methods superior to those used in mass scams and malicious attacks, resulting in significantly higher user open and conversion rates. These success factors have made spearphishing attack infections more effective, and hence more commonplace, which is corroborated by Federal Trade Commission estimates of 9 million Americans having their identities stolen each year.

The value per victim in spearphishing attacks can vary substantially, with the mean and median values being quite high. For example, according to primary consumer research conducted by Javelin Strategy & Research, the mean identity fraud amount per victim was $4,607 in 2010. If we use a conservative estimate of user loss—$400—the total cybercriminal benefit resulting from spearphishing attacks amounts to $150 million in June 2010 on an annualized basis (see Table 4). This figure has tripled from $50 million a year ago; it is expected to continue increasing in the coming months as cybercriminal activity returns to its prior business levels.
Impact of Targeted Attacks
The malicious nature of targeted attacks causes them to be very expensive to society in general and to individual organizations specifically. The cybercriminal benefit from a targeted attack, while substantial, is not easy to estimate because it is highly variable, based on the specific victim and intellectual property compromised. However, the cybercriminal benefit is a subset of the overall cost to the victim organization, which also depends heavily on the organization’s reputation and status.
The organizational costs resulting from targeted attacks can vary. According to the FBI, these costs can range from thousands to hundreds of millions USD. Similarly, the Ponemon Institute has estimated the potential cost per organizational data breach to range anywhere from US$1 million to US$58 million. As an example, a large gaming platform provider reported that the unauthorized access to its network that occurred in Q2 of 2011 has resulted in currently known associated costs of approximately US$172 million. Costs include personal information theft protection programs, insurance to cover identity theft losses, costs of “welcome back” programs, customer support costs, network security enhancement costs, legal and expert costs, and the impact on profits due to possible future revenue decreases.

In another example, a public payments processor company experienced a data breach resulting in millions of compromised user account credentials. A year later, the company reported related expenses totaling US$105 million. As per their 10-Q SEC filing, “The majority of these charges, or approximately $90.8 million, related to: (i) assessments imposed by MasterCard and VISA against us and our sponsor banks, (ii) settlement offers we made to certain card brands in an attempt to resolve certain of the claims asserted against our sponsor banks (who have asserted rights to indemnification from us pursuant to our agreements with them), and (iii) expected costs of settling with certain claimants with whom settlement discussions are underway.” During the same timeframe from the intrusion to the 10-Q results, the company lost 30% of its value relative to the Standard and Poor’s 500 Index, or roughly $300 million in shareholder value. Ultimately, the corporate reputation is tarnished at a cost more significant than the costs of the monetary loss and remediation combined.
Overall Impact of Attacks
Table 4 aggregates these estimates and shows the annual total monetary benefit to cybercriminals for different types of attacks.
Table 4: Total Annual Cybercriminal Monetary Benefit

Cybercriminal Benefit (US$ million)

Attack Type             1 Year Ago          Current
Mass Attacks            $1,050              $500
Spearphishing Attacks   $50                 $150
Targeted Attacks        Varies, see above   Varies, see above
TOTAL                   $1,100              $650