Mass market vs. targeted marketing: Techniques and technology behind these two strategies

Do cybercriminals have different go-to-market strategies? Does this strike you as a weird question to ask? Don’t only legitimate organizations have market strategies?

In my view, given that most cybercriminals are money focused, it shouldn’t be surprising that they apply normal marketing strategies to their businesses. After all, they are looking for a return on their investments just like legitimate businesses.

One of the takeaways from the recently released report, Mimecast Threat Intelligence Report:  Black Hat Edition 2019, is that some attackers use more simplistic attack strategies that are broadly deployed, whereas other attackers use more complex and sophisticated strategies that are deployed much more narrowly. The data for this report came from three months of analysis from Mimecast’s processing of nearly 160 billion emails on behalf of our customers. Not a small sample!

For the purposes of this blog I will refer to the cybercriminals that use the broadly deployed, but more simplistic attack strategies, as mass marketers, and the attackers that use the more sophisticated and targeted approach as targeted marketers. Like any business strategy, each approach has its positives and negatives.

One of the positives for the mass marketers is that they can periodically hit the motherload of payoffs if they hit on a particularly successful campaign that infects thousands of organizations in one go. But because of the mass distribution of their attacks, the effective lifetime and thus the utility of them often doesn’t last very long, as organizations and their security vendors quickly see them and adjust their defenses accordingly. That is why the mass marketers must keep refreshing the particulars of their approach.

For the targeted marketers, a key positive of their approach is that their techniques and malware usually maintain their utility longer as they are not being blasted out en-masse and thus often aren’t quickly detected by organizations or their security vendors. But to be successful they need to select their intended victims and fraudulent business scenarios very carefully as failure will dramatically hurt their ROI.

Characteristics of Cybercriminals go-to-market strategies:

Mass Marketers

• Rely on broadly delivered/spammy attack delivery to thousands of organizations often occurring over the course of a few hours and completing in less than a day.
• Generally, not particular about who or where their victims are
• Leverage widely distributed botnet and malware families
• Deploy exploits against widely known (but not necessarily patched) vulnerabilities
• Focused on feeding on organizations with weak security postures
• Use broadly relevant social engineering and email impersonation techniques, such as leveraging well-known internet brands and commonly used services to spoof their intended victim.

Targeted Marketers

• Selects intended victims very carefully
• Focused on organizations within particular geographies and with high valued intellectual property, such as professional services, biotechnology and management consulting firms.
• Comfortable attacking organizations with more sophisticated security programs
• Social engineering is carefully crafted using various research sources covering the targeted organization and individuals
• Use of sandbox evading malware with various forms of obfuscation is much more common as the targets’ defenses are usually stronger
• Heavily use malicious Office files as Microsoft Office is widely used within targeted organizations

The bottom line is most cybercriminals these days are money oriented, business people, with certain specialized expertise and preferred market strategies. As such, it really isn’t surprising that this gives rise to different technologies, trends, and techniques that can be observed in the wild. To delve into more of the details, check out the recently published Mimecast Threat Intelligence Report.