If you've ever wondered when spammers are most active, take a look at your work schedule. More than 83% of spam is sent on weekdays, with activity at its highest on Tuesday.
Researchers at IBM X-Force Kassel, which operates spam honeypots and monitoring, dug into six months of data to learn about the days and times when spammers and their spam bots do the most work. The team has access to data from billions of unsolicited emails sent each year.
This research focused on data from December 2016 to June 2017. During this timeframe, the biggest day for spam was Tuesday, followed by Wednesday and Thursday. Activity dropped on weekends across geographies, which were determined using spam senders' IP addresses.
Spammers have been consistently shifting their operating hours to align with potential victims, says Limor Kessem, executive security advisor for IBM Security. As more attackers target businesses, they also adopt the traditional 9-to-5 corporate work schedule.
"It goes hand-in-hand with the fact that a lot of malware spam is directed at company employees," says Kessem of the trend. "More are going after company accounts, it only makes sense they're going to be more integrated into the business week."
The workday starts around 5AM UTC (1AM EST) as spammers start hitting European targets and gradually follow the sun to the United States. It wraps up around 8PM UTC (4PM EST). Some spam continues afterwards but is "likely only in the US," researchers estimate. They also noticed an "undercurrent" of spam ongoing for 24 hours per day across time zones.
While most spam is sent during the week, there are spammers and spam bots operating on weekends, Kessem notes. Those working weekends are active around the clock. Spam peaks begin at midnight, hit a second peak around 1PM (UTC), and dies down around 11PM before starting up again one hour later.
India was the top spam originator in this dataset, with 30% of messages in six months, followed by South America (25%) and China (11%), respectively. Spammers tended to be more active during the day, and drop off at night, across Europe, India, and South America.
Russian spammers were most active on Thursday and Saturday, and didn't change much throughout the week. North America and China had the most consistent spam with no significant drops.
Researchers did consider that criminals could be spamming from a different country while contracting services from overseas. Spam origin is significant because threat actors typically target victims in their own country to appear legitimate and bypass spam filters.
The changes in spammers' schedules coincide with another trend: the use of different malware families, such as banking Trojans and ransomware, to target businesses as opposed to sending spam to indiscriminate users' email accounts. The gangs behind Dridex, TrickBot, Qakbot, and other gang-owned malware, spam employees at times they're likely to be opening email.
Researchers detected an increasing level of sophistication as attackers bypass spam filters to target new victims. Kessem points to the Necurs botnet, which was active earlier in 2017 and generated a wealth of automated spam. Necurs has shifted its tactics in the past few months, from lacing Office documents with malicious exploits to delivering fake DocuSign files.
"Typically spammers will strive to use botnets as much as they can," says Kessem of automation. "It depends on the resources they have available to them, and it depends on the botnets out there servicing spammers."
Botnets are primarily used among cybercrime groups, but spammers employ a variety of techniques including mailers, traffic distribution systems, and hijacked computers to accelerate and broaden the spread of their campaigns.
"The important thing is to understand the adaptation of cybercriminals," Kessem says. Spam is an old threat, but attackers are innovating and changing their tactics to keep it relevant.