Don’t like Mondays? Neither do attackers

You can reduce potential damage by paying attention to when attackers are most likely to strike.

trend arrow up calendar
geralt (CC0)

Monday may be our least favorite day of the week, but Thursday is when security professionals should watch out for cybercriminals, researchers say.

Timing is everything. Attackers pay as close attention to when their victims will be online as they do crafting their campaigns. Spammers have been moving towards the traditional 9-to-5 corporate workday as they increasingly shift their focus on targeting corporate accounts. Researchers at IBM X-Force Kassel analyzed billions of spam messages gathered by its spam honeypots from December 2016 to June 2017 and found more than 83 percent of spam was sent on weekdays, with Tuesday showing the most activity, followed by Wednesday and Thursday.

The spammer’s workday appears to start around 5am UTC, or 1am EST, to target European employees, and the majority of the activity stops around 8pm UTC, or 4pm EST. Groups that worked weekends tended to work around the clock, peaking around midnight and at 1pm UTC, and slowing down around 11pm UTC.

“That’s because spammers start off with Europe before they follow the sun and start spamming recipients in the U.S.” the researchers wrote, noting that some spam activity targeting victims in the United States continues past this time.

Timing matters

IBM X-Force findings align with Proofpoint’s Human Factor Report from earlier this year that malicious email attachment message volumes spike more than 38 percent on Thursdays over the average weekday volume. Wednesdays were the second highest days for malicious emails, followed by Mondays, Tuesdays and Fridays. Weekends tend to be low-volume days for email-borne threats, but that doesn’t mean there aren’t any.

Spam volume by day IBM

This chart shows overall spam volume by day.

“Attackers do their best to make sure messages reach users when they are most likely to click: at the start of the business day in time for them to see and click on malicious messages during working hours,” Proofpoint researchers wrote in the report, which analyzed malicious email attachment message traffic in 2016.Malicious emails can arrive any day of the week, but Proofpoint’s analysis found that attackers prefer certain days of the week for certain threat categories. Keyloggers and backdoors tend to kick off the week on Mondays, and Wednesdays are peak days for banking Trojans. Ransomware messages tend to be sent between Tuesdays and Thursdays. Point-of-sale Trojans arrive later in the week, on Thursdays and Fridays, when security teams have less time to detect and mitigate new infections before the weekend. Nearly 80 percent of point-of-sale campaigns in 2016 occurred on one of those two days.

“With few exceptions, ransomware was the only category of malware sent on weekends,” Proofpoint said in the report.

IBM X-Force looked at the origin IP addresses of the spam messages, and found spammers in different geographic regions preferred different days for their attacks. Russian spammers were the most active on Thursday and Saturday, while North American and Chinese spammers remained constant throughout the week. While it’s possible the criminals were contracting with spammers in different countries to send the messages, IBM X-Force researchers noted that most spammers tend to target victims in the same country to appear legitimate to spam filters. Spammers in Europe, India, and South America were more likely to follow a consistent workday schedule, where activity was high during the day and dropped off at night, while North American spammers had constant activity throughout the day.

Security teams need to be particularly on alert on Thursdays — malicious attachments, malicious URLs, ransomware and point-of-sale infections all favor that day. Credential stealer campaigners also favor Thursdays. There was a clear increase in malicious attachments being sent on Thursdays, but emails with malicious URLs — the most common vector for phishing attacks designed to steal credentials — were constant throughout the week, with a slight increase on Tuesdays and Thursdays.

Rate of success is higher at certain times

Attackers understand employee email habits and know that hitting employees with a well-crafted email at the just the right time will bring higher success rates. Most attack emails are sent four to five hours after the start of the business day and peak around lunchtime. Proofpoint’s analysis found that nearly 90 percent of clicks on malicious URLs occur within the first 24 hours of delivery, with a half of them occurring within an hour. A quarter of the clicks occur in just ten minutes.

The time between the email’s arrival in the victim’s inbox and actually clicking on the malicious link is shortest during business hours — between 8 a.m. and 3 p.m. Eastern — in the United States and Canada. The United Kingdom and the rest of Europe had similar patterns, as well, but there were some distinct regional differences. Clicking on malicious links by French users peaked around 1 p.m., but Swiss and German users tended to peak within the early hours of the workday. UK employees spaced out their clicks throughout the day, but there was a clear drop in activity after 2 p.m.

While it’s important to block malicious messages from reaching the inbox in the first place, the other side of email defense is to be able to flag already-delivered messages and block those links after realizing they were malicious. The longer a malicious URL is in the inbox, the more likely it is that the user will click on it. Being able to block those links, or proactively removing those emails even after delivery, would reduce the threat.

IBM X-Force noted that spammers are increasingly using banking Trojans such as Dridex, TrickBot, and QakBot, and ransomware to target organizations and not just indiscriminately flooding user Inboxes.

“These gangs make sure to spam employees in very pointed bouts of malicious mail, during those times in which potential new victims are more likely to open incoming email,” IBM X-Force researchers wrote.

Cybercrime doesn’t take a day off

While Proofpoint’s analysis focused on email-based attacks and spanned the end of 2016, email wasn’t the only threat vector where the attackers paid attention to the day of the week. An analysis of all the attacks investigated by the eSentire Security Operations Center in the first quarter of 2017 found that some attacks were more common on certain days. The volume of threats, which in eSentire’s report included availability attacks such as distributed denial-of-service (DDoS), fraud, information gathering, intrusion attempts and malicious code, was highest on Fridays, followed by Thursdays. Availability attacks didn’t care about the day of the week, but fraud was dramatically reduced on weekends. Malicious code was most common on Thursdays, and intrusion attempts were higher on Fridays.

Spam volume by hour mon-fri IBM

This chart shows spam volume by hour Monday-Friday. While spammers are active at all hours, spam peaks around 9 a.m. and again at 11 a.m.

Botnets such as Necurs never sleep, and their zombie members can be programmed to spew out spam at any time of day. Spammers also rely on mailers, traffic distribution systems, and hijacked computers to carry out their campaigns. However, spammers don’t just rely on automated tools because they need to keep refining their operations to bypass spam filters and land in victim Inboxes. For example, spammers using the Necurs botnet have recently shifted tactics away from sending Office documents embedded with exploits in favor of delivering fake DocuSign files.

“By learning their methods and tracking their activity, defenders can better manage risk and keep their organizations safer from spam,” IBM X-Force researchers wrote.

There is no day off when it comes to defense. The security tools scrutinizing email messages as they arrive, before letting them reach user inboxes, have to be capable of handling peak volumes without sacrificing performance. But if defenders know that the second half of the week tends to be worse in terms of malware and credential theft, they can put in extra monitoring and scanning to detect possible new infections. By allocating more time in the second half of the week to investigate alerts, security teams may detect attacks sooner, and reduce the potential damage. 

NEW! Download the Fall 2018 issue of Security Smart