
8/21/2017
12:55 PM

Tuesday: Spammers' Favorite Day of the Week

Spammers are most active when their targets are online, with the highest level of activity on Tuesday, Wednesday, and Thursday.

If you've ever wondered when spammers are most active, take a look at your work schedule. More than 83% of spam is sent on weekdays, with activity at its highest on Tuesday.

Researchers at IBM X-Force Kassel, which operates spam honeypots and monitoring, dug into six months of data to learn about the days and times when spammers and their spam bots do the most work. The team has access to data from billions of unsolicited emails sent each year.

This research focused on data from December 2016 to June 2017. During this timeframe, the biggest day for spam was Tuesday, followed by Wednesday and Thursday. Activity dropped on weekends across geographies, which were determined using spam senders' IP addresses.

Spammers have been consistently shifting their operating hours to align with potential victims, says Limor Kessem, executive security advisor for IBM Security. As more attackers target businesses, they also adopt the traditional 9-to-5 corporate work schedule.

"It goes hand-in-hand with the fact that a lot of malware spam is directed at company employees," says Kessem of the trend. "More are going after company accounts, it only makes sense they're going to be more integrated into the business week."

The workday starts around 5AM UTC (1AM EST) as spammers start hitting European targets and gradually follow the sun to the United States. It wraps up around 8PM UTC (4PM EST). Some spam continues afterwards but is "likely only in the US," researchers estimate. They also noticed an "undercurrent" of spam ongoing for 24 hours per day across time zones.

While most spam is sent during the week, there are spammers and spam bots operating on weekends, Kessem notes. Those working weekends are active around the clock. Spam activity first peaks at midnight, hits a second peak around 1PM (UTC), and dies down around 11PM before starting up again one hour later.

India was the top spam originator in this dataset, with 30% of messages in six months, followed by South America (25%) and China (11%). Across Europe, India, and South America, spammers tended to be more active during the day and drop off at night.

Russian spammers were most active on Thursday and Saturday, and didn't change much throughout the week. North America and China had the most consistent spam with no significant drops.

Researchers did consider that criminals could be spamming from a different country while contracting services from overseas. Spam origin is significant because threat actors typically target victims in their own country to appear legitimate and bypass spam filters.

The changes in spammers' schedules coincide with another trend: the use of different malware families, such as banking Trojans and ransomware, to target businesses as opposed to sending spam to indiscriminate users' email accounts. The gangs behind Dridex, TrickBot, Qakbot, and other gang-owned malware send spam to employees at times when they're likely to be opening email.

Researchers detected an increasing level of sophistication as attackers bypass spam filters to target new victims. Kessem points to the Necurs botnet, which was active earlier in 2017 and generated a wealth of automated spam. Necurs has shifted its tactics in the past few months, from lacing Office documents with malicious exploits to delivering fake DocuSign files.

"Typically spammers will strive to use botnets as much as they can," says Kessem of automation. "It depends on the resources they have available to them, and it depends on the botnets out there servicing spammers."

Botnets are primarily used among cybercrime groups, but spammers employ a variety of techniques including mailers, traffic distribution systems, and hijacked computers to accelerate and broaden the spread of their campaigns.

"The important thing is to understand the adaptation of cybercriminals," Kessem says. Spam is an old threat, but attackers are innovating and changing their tactics to keep it relevant.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
jolinamcconaughey
User Rank: Apprentice
8/25/2017 | 6:45:27 AM
Re: Work Week Driven
AMAZING
andrewsymond
User Rank: Apprentice
8/25/2017 | 5:39:52 AM
Re: Work Week Driven
yeah
warrenzephaniah
User Rank: Apprentice
8/25/2017 | 5:37:42 AM
Re: Work Week Driven
lol
brucebrennan
User Rank: Apprentice
8/25/2017 | 1:58:31 AM
Re: Work Week Driven
yeah
RyanSepe
User Rank: Ninja
8/23/2017 | 7:43:02 AM
Re: Work Week Driven
@Joe, I definitely know people like that as well. As you stated, it would be interesting to survey employees outside of work email habits.
Joe Stanganelli
User Rank: Ninja
8/22/2017 | 5:41:09 PM
Re: Work Week Driven
@Ryan: I'm curious to know some data on that. I know some people who are exactly like that -- and others who are "always on" -- checking their work email often as soon as they get up in the morning (even if it's a day off).
Joe Stanganelli
User Rank: Ninja
8/22/2017 | 5:40:13 PM
Re: Work Week Driven
I'm not so sure about the "puffery" of it considering the evolution of increasingly more "intelligent" networks. It may, potentially, make sense one day, as we work toward true SONs (self-organized networks), to have heightened strictness of certain measures during times when the network is more prone to attack.
Joe Stanganelli
User Rank: Ninja
8/22/2017 | 5:38:43 PM
Online activity
This is insightful considering that this seems to track with social-media engagement -- which, perforce, is also linked to levels of online activity. Tuesday is typically the biggest day for online engagement, in general.
REISEN1955
User Rank: Ninja
8/22/2017 | 10:14:16 AM
Re: Work Week Driven
True enough - the threats are a 24-7-365 reality so this is really a puff piece.
xanthan99
User Rank: Strategist
8/22/2017 | 9:43:48 AM
New information?
This doesn't seem like new information in terms of when Spam is sent, I could have derived this report from scanning my inbox. In addition, even after reading the IBM source article, it isn't exactly clear what the originator information means. Does India lead in sending Spam around the world or, as the article implies, Spam tends to be sent from the target email's country of origin which would seem to infer that Indians receive more Spam than any other nationality. And by quite a large margin. If this is the case, given how much US offshore development is sourced from India an interesting article would be to use this data to start an examination of the state of security in the Indian Tech sector.