8/21/2017
12:55 PM

Tuesday: Spammers' Favorite Day of the Week

Spammers are most active when their targets are online, with the highest level of activity on Tuesday, Wednesday, and Thursday.

If you've ever wondered when spammers are most active, take a look at your work schedule. More than 83% of spam is sent on weekdays, with activity at its highest on Tuesday.

Researchers at IBM X-Force Kassel, which operates spam honeypots and monitoring, dug into six months of data to learn about the days and times when spammers and their spam bots do the most work. The team has access to data from billions of unsolicited emails sent each year.

This research focused on data from December 2016 to June 2017. During this timeframe, the biggest day for spam was Tuesday, followed by Wednesday and Thursday. Activity dropped on weekends across geographies, which were determined using spam senders' IP addresses.

Spammers have been consistently shifting their operating hours to align with potential victims, says Limor Kessem, executive security advisor for IBM Security. As more attackers target businesses, they also adopt the traditional 9-to-5 corporate work schedule.

"It goes hand-in-hand with the fact that a lot of malware spam is directed at company employees," says Kessem of the trend. "More are going after company accounts, it only makes sense they're going to be more integrated into the business week."

The workday starts around 5AM UTC (1AM EST) as spammers start hitting European targets and gradually follow the sun to the United States. It wraps up around 8PM UTC (4PM EST). Some spam continues afterwards but is "likely only in the US," researchers estimate. They also noticed an "undercurrent" of spam ongoing for 24 hours per day across time zones.

While most spam is sent during the week, there are spammers and spam bots operating on weekends, Kessem notes. Those working weekends are active around the clock. Spam activity begins to peak at midnight, hits a second peak around 1PM (UTC), and dies down around 11PM before starting up again one hour later.
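To compare your own mail flow with the weekday and time-of-day pattern reported above, the following added example (not code from IBM X-Force or from this article) profiles spam verdicts by UTC weekday and by the 05:00 to 20:00 UTC window the researchers describe. The log format, the sample records, and the function names are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log: ISO-8601 timestamp with local offset, then filter verdict.
SAMPLE_LOG = """\
2017-03-07T09:15:02+01:00 spam
2017-03-07T10:02:44+01:00 spam
2017-03-07T08:30:10-05:00 spam
2017-03-08T14:20:00+05:30 spam
2017-03-08T11:05:31+00:00 ham
2017-03-09T16:45:12+01:00 spam
2017-03-10T23:50:00-05:00 spam
2017-03-11T00:10:00+00:00 spam
2017-03-12T13:00:00+00:00 spam
2017-03-13T02:00:00+00:00 spam
2017-03-13T09:00:00 spam
not-a-timestamp spam
"""
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def spam_times_utc(log_text):
    """Yield the UTC time of each spam record, skipping ham and unusable lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[1] != "spam":
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # malformed timestamp
        if ts.tzinfo is None:
            continue  # no offset: do not guess the sender's time zone
        yield ts.astimezone(timezone.utc)

def profile(log_text, start_hour=5, end_hour=20):
    """Summarise spam by UTC weekday and by the article's 05:00-20:00 UTC window."""
    times = list(spam_times_utc(log_text))
    if not times:
        return None
    by_day = Counter(DAYS[t.weekday()] for t in times)
    weekday = [t for t in times if t.weekday() < 5]
    in_window = [t for t in weekday if start_hour <= t.hour < end_hour]
    return {
        "total": len(times),
        "by_day": dict(by_day),
        "peak_day": by_day.most_common(1)[0][0],
        "weekday_share": len(weekday) / len(times),
        "window_share": len(in_window) / len(weekday) if weekday else 0.0,
    }
```

Normalising to UTC before bucketing matters: the sample record stamped Friday 23:50 at UTC-5 is counted as Saturday in UTC, which is the frame the researchers' hours are given in.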

India was the top spam originator in this dataset, with 30% of messages in six months, followed by South America (25%) and China (11%). Spammers tended to be more active during the day, and to drop off at night, across Europe, India, and South America.

Russian spammers were most active on Thursday and Saturday, and didn't change much throughout the week. North America and China had the most consistent spam with no significant drops.

Researchers did consider that criminals could be spamming from a different country while contracting services from overseas. Spam origin is significant because threat actors typically target victims in their own country to appear legitimate and bypass spam filters.

The changes in spammers' schedules coincide with another trend: the use of different malware families, such as banking Trojans and ransomware, to target businesses as opposed to sending spam to indiscriminate users' email accounts. The gangs behind Dridex, TrickBot, Qakbot, and other gang-owned malware spam employees at times when they're likely to be opening email.

Researchers detected an increasing level of sophistication as attackers bypass spam filters to target new victims. Kessem points to the Necurs botnet, which was active earlier in 2017 and generated a wealth of automated spam. Necurs has shifted its tactics in the past few months, from lacing Office documents with malicious exploits to delivering fake DocuSign files.

"Typically spammers will strive to use botnets as much as they can," says Kessem of automation. "It depends on the resources they have available to them, and it depends on the botnets out there servicing spammers."

Botnets are primarily used among cybercrime groups, but spammers employ a variety of techniques including mailers, traffic distribution systems, and hijacked computers to accelerate and broaden the spread of their campaigns.

"The important thing is to understand the adaptation of cybercriminals," Kessem says. Spam is an old threat, but attackers are innovating and changing their tactics to keep it relevant.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
jolinamcconaughey
User Rank: Apprentice
8/25/2017 | 6:45:27 AM
Re: Work Week Driven
AMAZING
andrewsymond
User Rank: Apprentice
8/25/2017 | 5:39:52 AM
Re: Work Week Driven
yeah
warrenzephaniah
User Rank: Apprentice
8/25/2017 | 5:37:42 AM
Re: Work Week Driven
lol
brucebrennan
User Rank: Apprentice
8/25/2017 | 1:58:31 AM
Re: Work Week Driven
yeah
RyanSepe
User Rank: Ninja
8/23/2017 | 7:43:02 AM
Re: Work Week Driven
@Joe, I definitely know people like that as well. As you stated, it would be interesting to survey employees outside of work email habits.
Joe Stanganelli
User Rank: Ninja
8/22/2017 | 5:41:09 PM
Re: Work Week Driven
@Ryan: I'm curious to know some data on that. I know some people who are exactly like that -- and others who are "always on" -- checking their work email often as soon as they get up in the morning (even if it's a day off).
Joe Stanganelli
User Rank: Ninja
8/22/2017 | 5:40:13 PM
Re: Work Week Driven
I'm not so sure about the "puffery" of it considering the evolution of increasingly more "intelligent" networks. It may, potentially, make sense one day, as we work toward true SONs (self-organized networks), to have heightened strictness of certain measures during times when the network is more prone to attack.
Joe Stanganelli
User Rank: Ninja
8/22/2017 | 5:38:43 PM
Online activity
This is insightful considering that this seems to track with social-media engagement -- which, perforce, is also linked to levels of online activity. Tuesday is typically the biggest day for online engagement, in general.
REISEN1955
User Rank: Ninja
8/22/2017 | 10:14:16 AM
Re: Work Week Driven
True enough - the threats are a 24-7-365 reality so this is really a puff piece.
xanthan99
User Rank: Strategist
8/22/2017 | 9:43:48 AM
New information?
This doesn't seem like new information in terms of when Spam is sent; I could have derived this report from scanning my inbox. In addition, even after reading the IBM source article, it isn't exactly clear what the originator information means. Does India lead in sending Spam around the world or, as the article implies, Spam tends to be sent from the target email's country of origin, which would seem to infer that Indians receive more Spam than any other nationality? And by quite a large margin. If this is the case, given how much US offshore development is sourced from India, an interesting article would be to use this data to start an examination of the state of security in the Indian Tech sector.