Spear phishing preferred by cyber criminals to traditional spam campaigns

Cyber criminals are scrapping widespread malicious email campaigns for more targeted attacks.

"Cyber criminals are balancing competing priorities," a Cisco report said. "Infect more users or keep the attack small enough to fly under security vendors' radar."

The report revealed a dramatic drop in profits accrued by criminals who launch traditional attacks, such as delivering malware-laden or phishing emails. Not surprisingly, Cisco researchers estimate that the returns for mass email-based attacks have fallen from $1.1 billion annually in June 2010 to $500 million annually this month. In that same period, daily spam volume has fallen sharply from 300 billion messages per day to 40 billion.

But the criminals have not shut up shop yet. Instead, they have begun to find cost benefit in perpetrating stealthier spear phishing attacks, which are aimed at specific individuals. Often, these offensives seek to steal intellectual property from high-profile organisations. The number of spear phishing attacks has increased threefold over the past year, the report said.

"For an individual campaign, the economics of a spear phishing attack can be more compelling than for a mass attack," the report said. "The costs are significantly higher, but so too are the yield and benefit."

The report found that these types of assaults often cost as much as five times what a traditional mass attack does because of the required resources, including customised malware and background research on the targets. But the return on investment can reach ten times that of a mass attack.

"Spear phishing attack campaigns are limited in volume but offer higher user open and click-through rates," the report said.
