Dark Reading is part of the Informa Tech Division of Informa PLC


8/21/2017
12:55 PM

Tuesday: Spammers' Favorite Day of the Week

Spammers are most active when their targets are online, with the highest level of activity on Tuesday, Wednesday, and Thursday.

If you've ever wondered when spammers are most active, take a look at your work schedule. More than 83% of spam is sent on weekdays, with activity at its highest on Tuesday.

Researchers at IBM X-Force Kassel, which operates spam honeypots and monitoring, dug into six months of data to learn about the days and times when spammers and their spam bots do the most work. The team has access to data from billions of unsolicited emails sent each year.

This research focused on data from December 2016 to June 2017. During this timeframe, the biggest day for spam was Tuesday, followed by Wednesday and Thursday. Activity dropped on weekends across geographies, which were determined using spam senders' IP addresses.

Spammers have been consistently shifting their operating hours to align with potential victims, says Limor Kessem, executive security advisor for IBM Security. As more attackers target businesses, they also adopt the traditional 9-to-5 corporate work schedule.

"It goes hand-in-hand with the fact that a lot of malware spam is directed at company employees," says Kessem of the trend. "More are going after company accounts, it only makes sense they're going to be more integrated into the business week."

The workday starts around 5AM UTC (1AM EST) as spammers start hitting European targets and gradually follow the sun to the United States. It wraps up around 8PM UTC (4PM EST). Some spam continues afterwards but is "likely only in the US," researchers estimate. They also noticed an "undercurrent" of spam ongoing for 24 hours per day across time zones.

While most spam is sent during the week, there are spammers and spam bots operating on weekends, Kessem notes. Those working weekends are active around the clock. Spam peaks begin at midnight, hit a second peak around 1PM (UTC), and die down around 11PM before starting up again one hour later.

India was the top spam originator in this dataset, with 30% of messages in six months, followed by South America (25%) and China (11%). Spammers tended to be more active during the day, and drop off at night, across Europe, India, and South America.

Russian spammers were most active on Thursday and Saturday, and didn't change much throughout the week. North America and China had the most consistent spam with no significant drops.

Researchers did consider that criminals could be spamming from a different country while contracting services from overseas. Spam origin is significant because threat actors typically target victims in their own country to appear legitimate and bypass spam filters.

The changes in spammers' schedules coincide with another trend: the use of different malware families, such as banking Trojans and ransomware, to target businesses as opposed to sending spam to indiscriminate users' email accounts. The gangs behind Dridex, TrickBot, Qakbot, and other gang-owned malware spam employees at times they're likely to be opening email.

Researchers detected an increasing level of sophistication as attackers bypass spam filters to target new victims. Kessem points to the Necurs botnet, which was active earlier in 2017 and generated a wealth of automated spam. Necurs has shifted its tactics in the past few months, from lacing Office documents with malicious exploits to delivering fake DocuSign files.

"Typically spammers will strive to use botnets as much as they can," says Kessem of automation. "It depends on the resources they have available to them, and it depends on the botnets out there servicing spammers."

Botnets are primarily used among cybercrime groups, but spammers employ a variety of techniques including mailers, traffic distribution systems, and hijacked computers to accelerate and broaden the spread of their campaigns.

"The important thing is to understand the adaptation of cybercriminals," Kessem says. Spam is an old threat, but attackers are innovating and changing their tactics to keep it relevant.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
 

Comments
jolinamcconaughey
User Rank: Apprentice
8/25/2017 | 6:45:27 AM
Re: Work Week Driven
AMAZING
andrewsymond
User Rank: Apprentice
8/25/2017 | 5:39:52 AM
Re: Work Week Driven
yeah
warrenzephaniah
User Rank: Apprentice
8/25/2017 | 5:37:42 AM
Re: Work Week Driven
lol
brucebrennan
User Rank: Apprentice
8/25/2017 | 1:58:31 AM
Re: Work Week Driven
yeah
RyanSepe
User Rank: Ninja
8/23/2017 | 7:43:02 AM
Re: Work Week Driven
@Joe, I definitely know people like that as well. As you stated, it would be interesting to survey employees outside of work email habits.
Joe Stanganelli
User Rank: Ninja
8/22/2017 | 5:41:09 PM
Re: Work Week Driven
@Ryan: I'm curious to know some data on that. I know some people who are exactly like that -- and others who are "always on" -- checking their work email often as soon as they get up in the morning (even if it's a day off).
Joe Stanganelli
User Rank: Ninja
8/22/2017 | 5:40:13 PM
Re: Work Week Driven
I'm not so sure about the "puffery" of it considering the evolution of increasingly more "intelligent" networks. It may, potentially, make sense one day, as we work toward true SONs (self-organized networks), to have heightened strictness of certain measures during times when the network is more prone to attack.
Joe Stanganelli
User Rank: Ninja
8/22/2017 | 5:38:43 PM
Online activity
This is insightful considering that this seems to track with social-media engagement -- which, perforce, is also linked to levels of online activity. Tuesday is typically the biggest day for online engagement, in general.
REISEN1955
User Rank: Ninja
8/22/2017 | 10:14:16 AM
Re: Work Week Driven
True enough - the threats are a 24-7-365 reality so this is really a puff piece.
xanthan99
User Rank: Strategist
8/22/2017 | 9:43:48 AM
New information?
This doesn't seem like new information in terms of when Spam is sent, I could have derived this report from scanning my inbox.  In addition, even after reading the IBM source article, it isn't exactly clear what the originator information means.  Does India lead in sending Spam around the world or as the article implies, Spam tends to be sent from the target email's country of origin which would seem to infer that Indians receive more Spam than any other nationality.  And by quite a large margin.  If this is the case, given how much US offshore development is sourced from India an interesting article would be to use this data to start an examination of the state of security in the Indian Tech sector.