Spearphishing attacks have tripled and scams and malware campaigns have increased by a factor of four in the past year, resulting in $1.29 billion ($A1.2 billion) in financial losses, remediation and lost business, according to a report from Cisco released Thursday.
These and other findings were incorporated in Email Attacks: This Time It’s Personal, a report which researchers at Cisco Security Intelligence Operations compiled from surveying 361 IT professionals from 50 organisations to examine attack trends and their financial impact.
They said cyber criminals were overwhelmingly trending towards low-volume, highly sophisticated spearphishing and targeted attacks, as evidenced by recent cyber assaults against RSA, Google, Lockheed Martin and Sony.
“[This year] has been the year of the breaches,” said Patrick Peterson, a Cisco security research fellow.
He said what differentiated the security landscape were the many high-profile, targeted attacks. “They’re so in your face and take such a front-page level, for various reasons. They have been on the front page and will continue to be on the front page,” he said.
As defined in the study, targeted attacks were low-volume attacks directed at a user or small group of users, using highly personalised information in social engineering schemes while carrying malware or advanced persistent threats that exploited zero-day vulnerabilities to compromise users’ accounts and steal sensitive data or intellectual property. Targeted attacks often appeared to be legitimate communications, allowing them to bypass spam and URL filters.
Like targeted attacks, spearphishing attacks can use personal information, but they are typically directed at a specific profile or type of user with a commonality, usually high-profile executives in an organisation, and don’t always embed malware or exploit zero-day vulnerabilities. Researchers said that the sharp rise in spearphishing and targeted attacks is largely due to the growing profits gained from the attacks. Profits garnered from spearphishing have tripled over the past year for cyber criminals, growing from $US50 million to $US150 million, while a spearphishing attack can yield a profit 10 times greater than a mass attack, according to the report.
Despite the explosive adoption of social media in the past two years, the study indicated that e-mail remained the primary threat vector for such attacks because it provided access to C-level executives and administrators in the enterprise, researchers said.
Meanwhile, the report found that criminal profits acquired by mass attacks -- general attacks delivered over e-mail -- more than halved from $US1.1 billion a year ago.
Spam volumes plummeted from 300 billion daily spam messages to 40 billion in the same period, while spam’s profitability fell to $US300 million from $US1 billion.
Researchers said that the sharp drop in mass attacks can be attributed to the eradication of many high-profile botnets -- large networks of infected computers operated from a command and control centre -- which were the primary vehicle for the proliferation of spam.
The drop in spam attacks can also be attributed to expanded detection capabilities and US collaboration with international law enforcement, which have served as a deterrent to large-scale attacks.
Rise in malicious threats
But the decline in mass attacks was offset by a sharp uptick in scams and malicious attacks, which comprised 2 percent of mass attacks. The study found that scams and malicious attacks -- attacks carrying infected links, attachments or videos -- quadrupled over the past year, growing from $US50 million to $US200 million.
To deal with the multitude of threats, organisations often incurred costs on multiple fronts, the study found.
In addition to the financial loss related to the attack itself, breached organisations incurred remediation costs, including lost time and the opportunity cost of fixing the infected host, which averaged about 2.1 times the direct monetary loss.
“We’re seeing demands for more controls for things like intellectual property and military industrial secrets,” said Tom Gillis, general manager of Cisco’s security technology business unit.
“There’s a lot to deal with if you’re the security professional.”
The study estimated that loss of reputation cost organisations on average 6.4 times the amount of the initial monetary loss.