Armed with a list of names, numbers and email addresses for the corporation, the attacker can choose from dozens of tools designed to automate phishing campaigns. Or, if the attacker doesn't want to purchase the tools themselves, it can all be outsourced to dedicated spear phishing operators. Even the content of a spear phishing email can be outsourced. There are a number of service providers that specialize in translating scam material and social engineering content from one language to another for a few dollars per hour – with some of them even operating call center support in multiple languages – designed to maximize the probability that potential victims are engineered into opening a malicious attachment or following a link to an exploit site.

For the organizations under attack, it is generally impossible to distinguish between the various criminal service providers. With relative ease, an attacker can effectively outsource all the major components and phases of their attack to professional third parties – and remain anonymous. Meanwhile, most of the providers that leased their services to the attack (either directly or indirectly) will care very little about who the victim may be, and have little inclination to find out. Most successful breaches should probably be labeled as "opportunistic" rather than targeted.

With that, target selection is increasingly a reflection of search engine page-rank – as the organizers of the attack refine lists of potential targets based upon the data or systems likely present within the targeted organization and those that can be easily monetized. For example, the attackers may be commissioned by, or seek to secure a bounty from, an external entity that wishes to acquire software signing certificates. With money already on the table, all it takes is for the attackers to run a few Google searches to identify relevant software development houses and automatically work their way through the list. The selection of possible targets for attack tends to be opportunistic because the selection criteria don't matter nearly as much as the victims would like to believe.

For the breached and vulnerable victim, event logs and forensic analysis will yield many conflicting findings. With so many criminal hands involved in the attack delivery and multiple malicious campaigns being launched simultaneously against the target, it is all too easy for the victim organization to throw their arms up in the face of a poorly understood cybercrime ecosystem and declare they were subject to a targeted attack.


Gunter Ollmann, vice president of research at Damballa, has more than 20 years' experience in the IT industry and is a well-known veteran in the security space. Prior to joining Damballa, Gunter held several strategic positions at IBM Internet Security Systems (IBM ISS), with the most recent being Chief Security Strategist. In this role he was responsible for predicting the evolution of future threats and helping guide IBM's overall security research and protection strategy, as well as being the key IBM spokesperson on evolving threats and mitigation techniques. He also held the role of Director of X-Force and was formerly head of X-Force security assessment services for EMEA while at ISS (which was acquired by IBM in 2006). Prior to joining ISS, Gunter was the professional services director of Next Generation Security Software (NGS), a vulnerability research and attack-based consulting firm.