

Editors: Michael Lesk, [email protected] | Jeffrey MacKie-Mason, [email protected]

Security & Privacy Economics

1540-7993/13/$31.00 © 2013 IEEE Copublished by the IEEE Computer and Reliability Societies March/April 2013 89

When Does Targeting Make Sense for an Attacker?

Cormac Herley | Microsoft Research

How do so many Internet users escape harm? The range of attacks is enormous and growing, and we know that most users neglect even basic defense measures. Yet things somehow muddle along: 2 billion people use the Internet and seem to derive more good than harm from it. If security is only as good as the weakest link, why don’t worst-case outcomes happen regularly? Why isn’t everyone hacked every day? The answer might lie in economics rather than technology.

Scalable and Nonscalable Attacks

Let’s segment attacks into two types—those that scale and those that don’t [1]. Scalable (s) attacks have costs that grow much more slowly than linearly in the number, N, of users attacked. Doubling the number of users attacked causes costs (C) to increase by far less than a factor of two: C_s(2N) << 2 C_s(N). Thus, the cost of a scalable attack scarcely grows with the number of users attacked. Phishing is scalable, as is any attack that uses spam as the spread vector. Drive-by-download attacks, self-replicating viruses, and any attacks that can be completely automated are scalable because cost depends very little on the number of users attacked. Scalable attacks’ economics are similar to software products or information goods in that first-copy costs dominate [2].

Nonscalable (ns) attacks are everything else. In contrast, they generally have a linear cost dependence on the number of users attacked. Doubling the number attacked doubles the cost: C_ns(2N) ≈ 2 C_ns(N). Anything that requires per-user effort is nonscalable. Attacks that involve knowledge about the target aren’t scalable. For example, the majority of the social engineering attacks Kevin Mitnick describes in The Art of Deception require elaborate target-specific effort [3]. These attacks certainly don’t scale unless the information can be gathered by a script. Thus, learning the likely answers to backup authentication questions isn’t scalable. It’s difficult to gather the pet’s name, favorite sports team, or favorite high school teacher for a million users in an automated way. In addition, physical side-channel attacks, which require proximity, aren’t scalable: getting close to a million people costs a lot more than getting close to one.

This segmentation into scalable and nonscalable attacks is obviously a simplification. Even spam has a linear cost component (for instance, gathering target addresses and finding enough machines and IP addresses to do the sending). However, first-copy costs dominate, so doubling the attack size has little effect on the overall cost. In addition, scalable attacks might need to be followed by a nonscalable component. Whereas phishing might harvest passwords in bulk, the process of cashing out might be nonscalable and one-by-one. Nonetheless, this simplified segmentation of the attack space will prove useful. Interestingly, the attacker investment or team size necessary to achieve an effect proves useful in other areas such as attacks on voting systems [4].

Economic Properties

Because of their cost structure, scalable attacks generally reach orders of magnitude more users than nonscalable attacks. Brute-force guessing attacks can be directed at a large Web service’s hundreds of millions of accounts, while nonscalable attacks, such as shoulder surfing, might reach only dozens for the same cost. Generic spam campaigns reach hundreds of millions, whereas carefully researched, personalized spear-phishing attacks might reach tens of people for the same cost. The disparity in terms of reach is enormous.

Scalable attacks are nonselective. They target anyone and everyone. Because the marginal cost per additional user is close to zero, leaving reachable targets unattacked makes no sense. Consequently, scalable attacks are nonadaptive—personalization and customization are very limited. This is why 419 (Nigerian-style) and lottery scam emails generally begin “Dear Sir/Madam” or “Attn.: Beneficiary.” A script can accommodate population segments (for instance, a malicious server might attempt different exploits depending on the browser version) but can’t customize on an individual level.

The objects of scalable attacks are (or become) commodities. Because attack scripts are automated, they can be passed to many. As automation improves, the skill needed decreases and the pool of potential attackers grows, and so does supply. Thus, scalable attacks often exhibit race-to-the-bottom economics (in which the lowest-price producer dominates) similar to information goods [2]. Again, the product of scalable attacks must sometimes be processed by a nonscalable monetization strategy [5]. For example, passwords are harvested in great numbers by scalable attacks, but cashing out involves the (nonscalable) recruitment and management of money mules [6]. If attacks generate product faster than the monetization strategy can process it, a glut ensues and the price will likely fall. Anecdotal evidence suggests that the asking prices for stolen credit card numbers, passwords, botnet machines, and Captcha-solving services have indeed been falling. Thus, scalable attacks’ value, V_s, tends to decrease with time. This echoes the regular economy: mass-produced commodities tend to fall in value over time as the ability to scale up gets better.

Competing against Scalable Attacks

Most resources can be attacked in many different ways, some of them scalable, some of them not. If we view attacking as an economic proposition, how do scalable and nonscalable attacks divide the opportunity between them?

Scalable attacks have enviable reach, but offer a very restricted palette of options. Costs that grow more slowly than linearly are the exception rather than the rule; the vast majority of attacks don’t have this property. On the other hand, there’s an almost unlimited suite of nonscalable attacks, but again, on a per-user basis they’re far more expensive. Spam-based attacks, for example, seem to be able to attack users for pennies per million [7]. Nonscalable attacks could easily cost six or seven orders of magnitude more than this per attacked user. Their greater cost suggests that attackers must reserve nonscalable attacks for cases in which the target’s value is extremely high.

Let’s be more precise and examine how a nonscalable attack fares when it competes for the same resource against a scalable one. If N is the number of users attacked, Y is the yield (that is, the fraction of users who succumb), and V is the average value extracted from those who succumb, then the return for any attack is NYV. The yield, average value, and number attacked will be different for scalable and nonscalable attacks, so the question is: under what circumstances does a nonscalable attack do better? That is, when is N_s Y_s V_s < N_ns Y_ns V_ns?

The nonscalable attacker has a structural disadvantage: he is beaten by orders of magnitude in terms of the number of users he can reach for a given cost, so N_s >> N_ns. The only way he can beat the scalable return is if he can make up the difference in yield, extracted value, or some combination of the two.

If the nonscalable attacker extracts the same value per user as his scalable counterpart (that is, V_s = V_ns), then he must make up the difference in yield alone. Effectively, he competes on price: the good produced is the same, so he must achieve lower cost. However, recall that scalable attacks produce commodity goods, with race-to-the-bottom economics: V_s tends to fall with time. So, if V_s = V_ns, both attacks must reduce per-user cost as extracted value falls. Improving automation can deliver these savings for the scalable attacker, but the nonscalable attacker must accept steadily falling return as V_s falls. Thus, although the yield on scalable attacks is often very low (so beating the scalable attacker significantly there is likely), this isn’t enough: if V_s = V_ns the nonscalable attacker faces constantly decreasing returns.

This suggests that at least some of the orders of magnitude lost in reach must be made up in extracted value. So, for successfully attacked users, the extracted value from a nonscalable attack, V_ns, must be many times greater than from a scalable one (that is, V_s << V_ns).

Thus, a nonscalable attack requires two things to compete successfully [1]. First, there must be some users whose extractable value is much higher than average. If the nonscalable attacker’s cost per user is orders of magnitude higher, then he needs to extract orders of magnitude more when he succeeds. Second, those high-value users must be observable. It does the attacker no good to know that they exist if he doesn’t know where.

Consider two extreme cases that illustrate the difficulty. First, suppose that value is uniformly distributed: every user has equal value. Nonscalable attacks make no sense in this case because the scalable attacks gather them at far lower cost. At another extreme, suppose that value is concentrated but entirely unobservable. Again, the nonscalable attacker can’t compete if there are good victims who can’t be found. Concentration and observability of the extractable value are absolute requirements.

Concentration and Observability of Value

So, when is value concentrated enough that some users have extractable value that’s orders of magnitude higher than the average? Again, the worst scenario for nonscalable attackers is when value is uniformly distributed. A slightly better scenario is any distribution in which variance is high, so at least some users have significantly higher value. Best are heavy-tailed distributions in which a large portion of the overall value lies with a few individuals. Fortunately for the nonscalable attacker, many phenomena follow power-law distributions (such as Pareto). For example, wealth is power-law distributed, with 1 percent of the US population owning approximately 35 percent of the wealth [8].

However, in these distributions, the mean is higher than the median, so most people have below-average value. In other words, for distributions that favor nonscalable attacks, the vast majority of people have below-average value. Because nonscalable attackers need much higher than average value, they must leave the vast majority of users alone.
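To make the NYV comparison and the two extreme cases concrete, here is an added toy model (not code from the column or its author): it plugs constructed costs, yields and value distributions into the return formula N × Y × V and compares a scalable attacker with a nonscalable one who either can or cannot see who is valuable. Every constant, the population size, and the choice of Pareto exponent are assumptions for illustration only.

```python
"""Toy NYV return model: scalable vs. nonscalable attacker.

Constructed illustration, not code from the column. All constants are
assumptions chosen only to make the economic argument visible.
"""
import random
import statistics

POPULATION = 100_000        # users the scalable attacker can reach
BUDGET = 1_000.0            # attacker budget, arbitrary units
COST_S_PER_USER = 0.0001    # near-zero marginal cost: C_s barely grows with N
COST_NS_PER_USER = 50.0     # per-user research and effort: C_ns grows linearly
YIELD_S = 0.001             # Y_s: 0.1% of users succumb to a generic campaign
YIELD_NS = 0.5              # Y_ns: half of carefully targeted users succumb


def uniform_values(n, rng):
    """Everyone is worth roughly the same: the worst case for targeting."""
    return [rng.uniform(90.0, 110.0) for _ in range(n)]


def pareto_values(n, rng, alpha=1.5):
    """Heavy-tailed values: a few users hold a large share of the total."""
    return [100.0 * rng.paretovariate(alpha) for _ in range(n)]


def scalable_return(values):
    """N_s * Y_s * V_s: attack everyone reachable, extract the average value."""
    n = min(len(values), int(BUDGET / COST_S_PER_USER))
    return n * YIELD_S * statistics.mean(values[:n])


def nonscalable_return(values, observable):
    """N_ns * Y_ns * V_ns with the same budget spent one user at a time.

    Observable value lets the attacker pick the most valuable users; otherwise
    he picks blindly (values are i.i.d., so the first n are a random sample).
    """
    n = int(BUDGET / COST_NS_PER_USER)
    chosen = sorted(values, reverse=True)[:n] if observable else values[:n]
    return n * YIELD_NS * statistics.mean(chosen)


def below_average_fraction(values):
    """Share of users worth less than the mean (large for heavy tails)."""
    mean = statistics.mean(values)
    return sum(1 for v in values if v < mean) / len(values)


def compare(distribution, seed=7):
    """Return the three attack returns and the below-average share."""
    rng = random.Random(seed)
    values = distribution(POPULATION, rng)
    return {
        "scalable": scalable_return(values),
        "nonscalable_observable": nonscalable_return(values, True),
        "nonscalable_unobservable": nonscalable_return(values, False),
        "below_average": below_average_fraction(values),
    }


if __name__ == "__main__":
    for name, dist in (("uniform", uniform_values), ("pareto", pareto_values)):
        print(name, {k: round(v, 2) for k, v in compare(dist).items()})
```

With uniform value the targeted attacker loses even when he can see everyone; with Pareto value he wins only when he can pick the top users, and the same run shows most users sitting below the mean.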

When is value observable? Fame is an obvious example. There’s little mystery about who is famous. Nonscalable attackers who seek the notoriety of hacking celebrity accounts know exactly where to direct their efforts. Thus, Sarah Palin’s email, Lindsay Lohan’s Twitter account, and Scarlett Johansson’s phone were each hacked by trawling public information, but the hacks were done at different times by different attackers and involved significant effort. Those attacks weren’t scalable.

Wealth is more complicated. Although it’s observable that some are much richer than others, attackers care only about extractable wealth. They can easily identify billionaires, but the amount they can extract isn’t necessarily proportional to net worth. For most consumers, transactions larger than a few hundred dollars are easily detected and often rolled back [6]. Thus, the distribution is closer to uniform than our attackers would like. Small businesses appear to be much better targets: it’s observable that extractable value is concentrated there, and large transactions might arouse less suspicion at a busy company than in consumer accounts.

A very interesting case is one in which value is concentrated but not observable, such as when value is due to sloppy security practices. For example, many users undoubtedly choose their dog’s name as a password or answers for backup authentication questions that are easily learned, for instance, from social network postings. Their lack of care makes them easy targets, but that helps the attacker only if he knows that they’re easy targets or has already decided to attack them.

Gullibility is another unobservable quality. The value for Nigerian, lottery, and related scams is concentrated among the most gullible. We can view these scams as having a scalable spam campaign front end that reveals the desired but unobservable quality by getting the best marks to step forward [9].

Proximity of attacker and victim, as well as noneconomic motives, might increase value. For example, a webmail password might be of little value to a hacker who wants to monetize it but very valuable to a jealous ex–significant other.

So what have we learned? The Internet has put billions of people in easy reach of criminals and scammers. This is certainly alarming. However, the Internet has also been cruel to businesses that don’t scale. In the legal economy, business models that don’t scale have been replaced with ones that do, and models that do scale have been replaced with ones that scale better. Personal travel agents gave way to Kayak, Expedia, and Travelocity; small booksellers couldn’t compete with Amazon. It’s not an accident that it’s all but impossible to get a human being on the phone at large Web services: that cost doesn’t scale. This trend is unkind to those with linear cost structures. The driving forces in the illegal economy aren’t different—nonscalable strategies are pushed to the fringes where high margins can be supported.

Only a minority of attacks are scalable, but those that are reach everyone. Most attacks are nonscalable, but the vast majority of users never see them. In this view, nonscalable attackers are artisan craftsmen in the age of mass production. When competing against scalable attacks, they must be extremely selective. Unless value is both concentrated and visible, their attacks are uneconomic. Even then, only the most valuable targets should be attacked. This suggests a partial answer to the puzzle of the missing worst-case outcomes. Users are constantly attacked by the low-yield automated attacks, such as spam and phishing. However, expensive attacks, such as high-touch social engineering [3], and attacks that require physical proximity [10] are uneconomic at scale and pose little threat to the masses. The 99 percent or so of users who don’t have visibly above-average value must guard primarily against scalable attacks. In assessing the economic impact of an exploit or attack, we should first ask how well it scales.

References

1. C. Herley, “The Plight of the Targeted Attacker in a World of Scale,” Proc. Workshop Economics of Information Security, 2010; http://research.microsoft.com/pubs/132068/TargetedAttacker.pdf.

2. C. Shapiro and H. Varian, Information Rules, Harvard Business School Press, 1999.

3. K. Mitnick and W.L. Simon, The Art of Deception, Wiley, 2002.

4. E.L. Lazarus et al., “Applying a Reusable Election Threat Model at the County Level,” Proc. 2011 Conf. Electronic Voting Technology/Workshop Trustworthy Elections (EVT/WOTE 11), Usenix, 2011, p. 12.

5. A. Odlyzko, “Providing Security with Insecure Systems,” Proc. ACM Conf. Wireless Network Security (WiSec 10), ACM, 2010, pp. 87–88.

6. D. Florêncio and C. Herley, “Is Everything We Know about Password Stealing Wrong?,” IEEE Security & Privacy, vol. 10, no. 6, pp. 63–69.

7. C. Kanich et al., “Spamalytics: An Empirical Analysis of Spam Marketing Conversion,” Proc. 15th ACM Conf. Computer and Communications Security, ACM, 2008, pp. 3–14.

8. “Survey of Consumer Finances,” Federal Reserve Board, 8 Feb. 2013; www.federalreserve.gov/econresdata/scf/scfindex.htm.

9. C. Herley, “Why Do Nigerian Scammers Say They Are from Nigeria?,” Proc. Workshop Economics of Information Security (WEIS 12), 2012; http://research.microsoft.com/pubs/167719/WhyFromNigeria.pdf.

10. M. Backes, M. Duermuth, and D. Unruh, “Compromising Reflections: How to Read Computer Monitors around a Corner,” IEEE Symp. Security and Privacy, IEEE CS, 2008, pp. 158–169.

Cormac Herley is a principal researcher at Microsoft Research. Contact him at cormac@microsoft.com.
