Don't like Mondays? Neither do attackers

Don't like Mondays? Neither do attackersMonday may be our least favorite day of the week, but Thursday is when security professionals should watch out for cybercriminals, researchers say.

Timing is everything. Attackers pay as close attention to when their victims will be online as they do crafting their campaigns. Spammers have been moving towards the traditional 9-to-5 corporate workday as they increasingly shift their focus on targeting corporate accounts.

Researchers at IBM X-Force Kassel analyzed billions of spam messages gathered by its spam honeypots from December 2016 to June 2017 and found more than 83% of spam was sent on weekdays, with Tuesday showing the most activity, followed by Wednesday and Thursday.

The spammer’s workday appears to start around 5am UTC, or 1am EST, to target European employees, and the majority of the activity stops around 8pm UTC, or 4pm EST. Groups that worked weekends tended to work around the clock, peaking around midnight and at 1pm UTC, and slowing down around 11pm UTC.

“That’s because spammers start off with Europe before they follow the sun and start spamming recipients in the US,” the researchers wrote, noting that some spam activity targeting victims in the United States continues past this time.

Timing matters

IBM X-Force findings align with Proofpoint’s Human Factor Report from earlier this year that malicious email attachment message volumes spike more than 38% on Thursdays over the average weekday volume. Wednesdays were the second highest days for malicious emails, followed by Mondays, Tuesdays and Fridays. Weekends tend to be low-volume days for email-borne threats, but that doesn’t mean there aren’t any.

“Attackers do their best to make sure messages reach users when they are most likely to click: at the start of the business day in time for them to see and click on malicious messages during working hours,” Proofpoint researchers wrote in the report, which analyzed malicious email attachment message traffic in 2016.Malicious emails can arrive any day of the week, but Proofpoint’s analysis found that attackers prefer certain days of the week for certain threat categories. Keyloggers and backdoors tend to kick off the week on Mondays, and Wednesdays are peak days for banking Trojans.

Ransomware messages tend to be sent between Tuesdays and Thursdays. Point-of-sale Trojans arrive later in the week, on Thursdays and Fridays, when security teams have less time to detect and mitigate new infections before the weekend. Nearly 80% of point-of-sale campaigns in 2016 occurred on one of those two days.

“With few exceptions, ransomware was the only category of malware sent on weekends,” Proofpoint said in the report.

IBM X-Force looked at the origin IP addresses of the spam messages, and found spammers in different geographic regions preferred different days for their attacks. Russian spammers were the most active on Thursday and Saturday, while North American and Chinese spammers remained constant throughout the week.

While it’s possible the criminals were contracting with spammers in different countries to send the messages, IBM X-Force researchers noted that most spammers tend to target victims in the same country to appear legitimate to spam filters. Spammers in Europe, India, and South America were more likely to follow a consistent workday schedule, where activity was high during the day and dropped off at night, while North American spammers had constant activity throughout the day.

Security teams need to be particularly on alert on Thursdays — malicious attachments, malicious URLs, ransomware and point-of-sale infections all favor that day. Credential stealer campaigners also favor Thursdays. There was a clear increase in malicious attachments being sent on Thursdays, but emails with malicious URLs — the most common vector for phishing attacks designed to steal credentials — were constant throughout the week, with a slight increase on Tuesdays and Thursdays.