Cisco Report: Spearphishing Attacks Triple As Victims' Costs Hit $1.29 Billion

Spearphishing attacks have tripled and scams and malware campaigns have increased by a factor of four in the last 12 months, resulting in $1.29 billion in financial losses, remediation and lost business, according to a report from Cisco released Thursday.

These and other findings were incorporated in ’Email Attacks: This Time It’s Personal,’ a report which researchers at Cisco Security Intelligence Operations compiled from surveying 361 IT professionals from 50 organizations in an effort to examine attack trends and their financial impact on organizations.

Above all, Cisco researchers said that cyber criminals are overwhelmingly trending toward low-volume but highly sophisticated spearphishing and targeted attacks, evidenced by a spate of recent cyber assaults against RSA , Google , Lockheed Martin and Sony.

’2011 has been the year of the breaches,’ said Patrick Peterson, a Cisco security research fellow, during a Cisco press event Thursday.

Peterson added that what differentiated the security landscape now is the number of high-profile, targeted attacks. ’They’re so in your face and take such a front-page level, for various reasons. They have been on the front page and will continue to be on the front page,’ he said.

As defined in the study, targeted attacks are low-volume attacks directed at a specific user or small group of users, using highly personalized information in social engineering schemes while containing malware or advanced persistent threats that exploit zero-day vulnerabilities in order to compromise users’ accounts and steal sensitive data or intellectual property. Often targeted attacks appear legitimate, allowing them to bypass spam and URL filters.

Like targeted attacks, spearphishing attacks can use personal information, but are typically directed at a specific profile or type of user with a commonality, usually high profile executives in an organization, and don’t always embed malware or exploit zero-day vulnerabilities. Researchers said that the sharp rise of spearphishing and targeted attacks is largely due to growing profits gained by the attacks. Total profits garnered from spearphishing have tripled over the last year for cyber criminals, growing from $50 million to $150 million over the last 12 months, while a spearphishing attack can yield a profit 10 times greater than from a mass attack, according to the report.

Despite the explosive adoption of social media in the last two years, the study indicated that e-mail remains the primary threat vector for targeted and spearphishing attacks, primarily because it provides access to C-level executives and administrators in the enterprise, researchers said.

Meanwhile, the report found that criminal profits acquired by mass attacks -- general attacks delivered over e-mail -- declined by 50 percent from $1.1 billion in June 2010 to $500 million in June 2011.

In addition, spam volumes plummeted from 300 billion daily spam messages to $40 billion over the last 12 months, representing an 80 percent overall drop.

Correspondingly, spam attack profitability fell to $300 million in June of 2011 down from $1 billion a year ago, the study revealed.

Researchers said that the sharp drop in mass attacks can be attributed to the eradication of many high profile botnets -- large networks of infected computers operated by a command and control center -- which were the primary vehicle for proliferation of spam.

The drop in spam attacks can also be blamed on expanded detection capabilities and U.S. collaboration with international law enforcement, that have served as a deterrent for large-scale attacks.

Next: Decline In Mass Attacks Offset By Rise In Malicious Threats

However, the decline in mass attacks is offset slightly by a sharp uptick of scams and malicious attacks, which comprise 2 percent of all mass attacks. The study found that scams and malicious attacks -- attacks that contain infected links, attachments or videos -- have quadrupled over the last year, growing from $50 million in cybercriminal profits in June 2010 to $200 million in profits by June 2011.

To deal with the multitude of threats, organizations often incur costs on multiple fronts, the study found.

In addition to financial loss directly related to the attack, breached organizations also suffer remediation costs, which include lost time and opportunity cost in order to address the infected host, which average around 2.1 times the direct monetary loss.

’We’re seeing demands for more controls for things like intellectual property and military industrial secrets,’ said Tom Gillis, Cisco general manager of security technology business unit, during a press event Thursday. ’There’s a lot to deal with if you’re the security professional.’

Meanwhile, cyber attack victims also suffer loss of reputation, including branding issues, declining share value, customer attrition and lost opportunities. The study estimated that loss of reputation cost organizations on average 6.4 times the amount of the initial direct monetary loss.