Cisco’s Security Intelligence Operations group has published a new report, Email Attacks: This Time It’s Personal (PDF), that indicates the Internet is experiencing a fundamental shift in the nature of spam: instead of spammers relying on sending as many messages as possible and hoping to get responses from a tiny fraction of one percent of gullible recipients, spammers are shifting to a far smaller number of targeted, personalized attacks—a.k.a. spearphishing. The good news is that the overall volume of mass spam has declined sharply, along with the amount of money criminals gain from it. The bad news is that targeted attacks are up sharply…and criminals make a lot more money every time one of them succeeds.
“Cybercriminal business models have recently shifted towards low-volume targeted attacks,” Cisco wrote. “With email remaining the primary attack vector, these attacks are increasing in both their frequency and their financial impact on targeted organizations.”
According to Cisco, spam volumes peaked at an average of about 300 billion spam messages per day in June 2010 and fell to about 40 billion a day by June 2011. With that decline, spammers have also found the amount of money they haul in from mass email spam is going down: Cisco estimates mass spam attacks netted spammers about $1.1 billion in June 2010, but that figure dropped to $500 million by June 2011.
One reason that spammers’ revenues haven’t declined in proportion to the number of messages they send out is that an increasing number of messages are individualized with personalization tools and other information designed to draw in a potential victim and “convert” them into a paying victim, or get them to click through to a site that will try to install malware. Cisco estimates that spammer revenue from these customized attacks grew from $50 million in June 2010 to $200 million by June 2011.
Cisco also notes that while spam filters and blocking technologies are able to block about as many targeted attacks as mass attacks, targeted attacks are far more likely to be opened by their intended victims, and have click-through rates as high as 50 percent.
Cisco also credits the decline in mass attack spam to the work of industry organizations, security firms, and law enforcement, noting that in the last year botnets like SpamIt, Rustock, Bredolab, and Mega-D have been severely curtailed by law enforcement actions.