Cisco Email Security Appliance X1070 White Paper
Cisco Security White Paper
Email Attacks: This Time It’s Personal
sages. Knowledgeable users often ignore the spam messages
and open only a small percentage of them (Stage C). Of
these, only a fraction of users will click through (Stage D) and
finally be “converted” (Stage E) when the unsuspecting user
purchases products or downloads malware.
Figure 1: Threat Conversion Pipeline
This traditional spam pipeline still exists, but it has also evolved
with increasing personalization, most acutely in targeted
attacks. Targeted attacks typically hold much higher retention
throughout the pipeline, as the email and website link are sent
to valid users and appear legitimate to security engines and
recipients. While the volumes are low, the conversion rates of
targeted attacks are much higher. The higher conversion rates
come at the cost of higher-value inputs:
• Lists of only valid email addresses with defined attributes
• Legitimate-appearing messages, often purportedly from
a known contact with content specific to the recipient(s)
• Higher-quality and typically not-yet-discovered malware
• New websites often created specifically for an individual
instance of a targeted attack (and not previously seen)
This is criminal Darwinism at work: Cybercriminals are
adapting their campaigns to increase their staying power.
Figure 1 values, per stage (the percentage at each stage is the retention of the population that survived the previous stage; the final row is the rounded result of the chain):

Stage                      Mass Attack     Targeted Attack
(A) targeted users         1,000,000       1,000
(B) blocked                99%             99%
(C) opened                 3%              70%
(D) clicked through        5%              50%
(E) converted              50%             50%
victimized users           8               2
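The pipeline above is a chain of per-stage retention rates, and the point of the figure is that the end-to-end yield, not the volume, is what differs between the two campaigns. The following is an added example, not code from the white paper: it models the funnel, reproduces the figure's victim counts from its percentages, and derives the two quantities the text argues about, conversion rate and the number of addresses a criminal must source per victim. The assignment of the figure's percentages to stages is the one that reproduces its final counts of 8 and 2; the class and function names are the example's own.

```python
"""Model of the Figure 1 threat conversion pipeline (added example, not Cisco code).

Each campaign is a chain of per-stage retention rates; the survivors of one
stage are the input to the next. The percentages are read off Figure 1; their
assignment to stages is the one that reproduces the figure's final counts
(8 and 2 victimized users), which the text does not spell out stage by stage.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Campaign:
    name: str
    targeted: int        # (A) messages sent to targeted users
    blocked: float       # (B) fraction stopped before reaching the inbox
    opened: float        # (C) fraction of delivered messages that are opened
    clicked: float       # (D) fraction of opened messages whose link is clicked
    converted: float     # (E) fraction of clicks that end in a purchase or infection


def funnel(c: Campaign) -> dict:
    """Expected population surviving each stage, as floats (no rounding)."""
    delivered = c.targeted * (1.0 - c.blocked)
    opened = delivered * c.opened
    clicked = opened * c.clicked
    victimized = clicked * c.converted
    return {
        "targeted": float(c.targeted),
        "delivered": delivered,
        "opened": opened,
        "clicked": clicked,
        "victimized": victimized,
    }


def conversion_rate(c: Campaign) -> float:
    """Victims per targeted address: the end-to-end yield of the campaign."""
    return funnel(c)["victimized"] / c.targeted


def addresses_per_victim(c: Campaign) -> float:
    """Input cost, in valid addresses, of producing one victim."""
    return 1.0 / conversion_rate(c)


# Figure 1 values. Mass: 1,000,000 targeted, 99% blocked, 3% opened,
# 5% clicked, 50% converted. Targeted: 1,000 targeted, 99% blocked,
# 70% opened, 50% clicked, 50% converted.
MASS = Campaign("Mass attack", 1_000_000, 0.99, 0.03, 0.05, 0.50)
TARGETED = Campaign("Targeted attack", 1_000, 0.99, 0.70, 0.50, 0.50)


def report(campaigns=(MASS, TARGETED)) -> str:
    """One summary line per campaign: stage populations, yield, and input cost."""
    lines = []
    for c in campaigns:
        stages = ", ".join(f"{k}={v:,.2f}" for k, v in funnel(c).items())
        lines.append(
            f"{c.name}: {stages}; conversion={conversion_rate(c):.6%}; "
            f"addresses/victim={addresses_per_victim(c):,.0f}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
    ratio = conversion_rate(TARGETED) / conversion_rate(MASS)
    print(f"targeted/mass conversion ratio: {ratio:.0f}x")
```

Running it shows the mass campaign yielding 7.5 victims (the figure's 8) from a million addresses and the targeted one 1.75 (the figure's 2) from a thousand, a conversion rate roughly 230 times higher; the `addresses_per_victim` line is the flip side the text calls "higher-value inputs": the targeted campaign needs a few hundred valid, attribute-rich addresses per victim where the mass campaign burns over a hundred thousand cheap ones.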
Attack Classifications
As cybercriminal activity continues to evolve, the specific
attacks and their impact to organizations also change.
Mass Attacks
Mass attacks have been the basis of threats since the
first days of distributed networks. Self-propagating worms,
distributed denial of service (DDoS) attacks, and spam are
some preferred methods for achieving financial gain or
business disruption. The criminal creates a common payload
and places it where victims are likely to encounter it, often
inadvertently. Examples include infecting websites, exploiting security
vulnerabilities in file formats such as PDFs, sending emails that lure
recipients into making a purchase, and mass phishing of banking credentials.
Traditional anti-threat methods rely on several factors,
including quickly identifying the threat when first reported or
seen in the network and then blocking similar threats in the
future. If criminals infiltrate the security layers far enough to
reach their targets, they’ll achieve the desired result in
sufficient quantities to make this business model lucrative.
A significant segment of this type of attack is the burgeoning
number of scams and malicious attacks. As part of the
evolution of the criminal ecosystem, these attacks are becoming
highly focused. Regardless of the vector or delivery engine—
including short message service (SMS), email, and social
media—criminals are choosing their targets with greater care,
using personalized information such as a user’s geographical
location or job position. Examples of these scams include:
• SMS financial fraud scams to specific locales
• Email campaigns that use URL shortening services
• Social media scams, where the criminal befriends a user
or group of users for financial gain
When only a few threats are sent, these strategies may be
effective in reaching the victims, but may not always prove
cost-effective for the criminals. Yet, for reaching high-value
victims, this approach is increasingly being leveraged by
smart, organized, and profit-driven criminals. When criminals
are specific about their victim profiles, these threats are
referred to as spearphishing attacks.
Spearphishing attacks are aimed at a specific profile of users,
often high-ranking organizational users who have access
to commercial bank accounts. Spearphishing attacks are
typically well crafted; they use contextual information to make
users believe they are interacting with legitimate content.
The spearphishing email may appear to relate to some
specific item of personal importance or a relevant matter at
the company—for instance, discussing payroll discrepancies
or a legal matter. According to Cisco SIO research, more than
80 percent of spearphishing attacks contain links to websites
with malicious content. Yet, the linked websites are often
specially crafted and previously unseen, so defenses that depend
on having seen a threat before have little to match against.
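Two of the link characteristics this section and the scam list above single out, shortened URLs that hide their destination and sites no one has seen before, can be turned into a triage check on inbound mail. The following is an added example, not Cisco code: it parses a raw message, extracts the URLs from its text parts, and flags any whose registered domain is a known shortener or is absent from a history of previously seen domains. The shortener list, the "seen" history, the hostnames in the sample message and the function names are all constructed for the example; the domain-collapsing helper deliberately skips the public-suffix list and should be replaced in production.

```python
"""Flag email links that point at URL shorteners or never-before-seen domains.

Added example, not Cisco code. The shortener list and the 'seen domains'
history are constructed for the example; a real gateway would back the
history with its own first-seen or reputation data.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Illustrative set of public URL-shortening services (assumption; extend as needed).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Constructed history of registered domains this gateway has already seen.
SEEN_DOMAINS = {"example.com", "cisco.com"}

# Matches http(s):// URLs and bare www. hosts; trailing punctuation is trimmed later.
URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Collapse a hostname to its last two labels.

    Deliberately crude: no public-suffix list, so 'x.co.uk' collapses to
    'co.uk'. Enough to show the technique; use a PSL library in production.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_urls(raw_message: str) -> list:
    """Pull every URL out of the text/plain and text/html parts of a raw message."""
    msg = message_from_string(raw_message)
    urls = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True) or b""
        body = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        urls.extend(u.rstrip(".,;:)") for u in URL_RE.findall(body))
    return urls


def classify_url(url: str, seen=SEEN_DOMAINS) -> str:
    """Return 'shortener', 'unseen' or 'known' for the URL's registered domain."""
    parsed = urlparse(url if url.lower().startswith("http") else "http://" + url)
    domain = registered_domain(parsed.hostname or "")
    if domain in SHORTENERS:
        return "shortener"   # destination hidden behind a redirect
    if domain not in seen:
        return "unseen"      # no history to match against: candidate for extra scrutiny
    return "known"


def flag_message(raw_message: str, seen=SEEN_DOMAINS) -> list:
    """Return (url, reason) for every link that deserves extra scrutiny."""
    flagged = []
    for url in extract_urls(raw_message):
        verdict = classify_url(url, seen)
        if verdict != "known":
            flagged.append((url, verdict))
    return flagged


# Constructed sample: a payroll-themed lure of the kind the text describes.
# All addresses, hostnames and the shortener path are made up for this example.
SAMPLE = """\
From: "HR Payroll" <hr@example.com>
To: cfo@example.com
Subject: Payroll discrepancy - action required
Content-Type: text/plain; charset=utf-8

Please review the corrected statement at https://payroll.example.com/statement.
If that link fails, use http://bit.ly/3kQ9aZ or the backup copy at
http://payroll-review-q3.net/login (expires Friday).
"""

if __name__ == "__main__":
    for url, reason in flag_message(SAMPLE):
        print(f"{reason:10s} {url}")
```

The verdicts are triage signals, not a block decision: a legitimately new vendor domain is also "unseen", so the practical use is to route such links to sandboxing or click-time rewriting rather than to drop the mail, and to expire shortener resolution and first-seen data so the history itself does not become stale.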