12:55 PM
Connect Directly

Tuesday: Spammers' Favorite Day of the Week

Spammers are most active when their targets are online, with the highest level of activity on Tuesday, Wednesday, and Thursday.

If you've ever wondered when spammers are most active, take a look at your work schedule. More than 83% of spam is sent on weekdays, with activity at its highest on Tuesday.

Researchers at IBM X-Force Kassel, which operates spam honeypots and monitoring, dug into six months of data to learn about the days and times when spammers and their spam bots do the most work. The team has access to data from billions of unsolicited emails sent each year.

This research focused on data from December 2016 to June 2017. During this timeframe, the biggest day for spam was Tuesday, followed by Wednesday and Thursday. Activity dropped on weekends across geographies, which were determined using spam senders' IP addresses.

Spammers have been consistently shifting their operating hours to align with potential victims, says Limor Kessem, executive security advisor for IBM Security. As more attackers target businesses, they also adopt the traditional 9-to-5 corporate work schedule.

"It goes hand-in-hand with the fact that a lot of malware spam is directed at company employees," says Kessem of the trend. "More are going after company accounts, it only makes sense they're going to be more integrated into the business week."

The workday starts around 5AM UTC (1AM EST) as spammers start hitting European targets and gradually follow the sun to the United States. It wraps up around 8PM UTC (4PM EST). Some spam continues afterwards but is "likely only in the US," researchers estimate. They also noticed an "undercurrent" of spam ongoing for 24 hours per day across time zones.

While most spam is sent during the week, there are spammers and spam bots operating on weekends, Kessem notes. Those working weekends are active around the clock. Spam peaks begin at midnight, hit a second peak around 1PM (UTC), and dies down around 11PM before starting up again one hour later. 

India was the top spam originator in this dataset, with 30% of messages in six months, followed by South America (25%) and China (11%), respectively. Spammers tended to be more active during the day, and drop off at night, across Europe, India, and South America.

Russian spammers were most active on Thursday and Saturday, and didn't change much throughout the week. North America and China had the most consistent spam with no significant drops.

Researchers did consider that criminals could be spamming from a different country while contracting services from overseas. Spam origin is significant because threat actors typically target victims in their own country to appear legitimate and bypass spam filters.

The changes in spammers' schedules coincide with another trend: the use of different malware families, such as banking Trojans and ransomware, to target businesses as opposed to sending spam to indiscriminate users' email accounts. The gangs behind Dridex, TrickBot, Qakbot, and other gang-owned malware, spam employees at times they're likely to be opening email.

Researchers detected an increasing level of sophistication as attackers bypass spam filters to target new victims. Kessem points to the Necurs botnet, which was active earlier in 2017 and generated a wealth of automated spam. Necurs has shifted its tactics in the past few months, from lacing Office documents with malicious exploits to delivering fake DocuSign files.

"Typically spammers will strive to use botnets as much as they can," says Kessem of automation. "It depends on the resources they have available to them, and it depends on the botnets out there servicing spammers."

Botnets are primarily used among cybercrime groups, but spammers employ a variety of techniques including mailers, traffic distribution systems, and hijacked computers to accelerate and broaden the spread of their campaigns.

"The important thing is to understand the adaptation of cybercriminals," Kessem says. Spam is an old threat, but attackers are innovating and changing their tactics to keep it relevant.

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Ninja
8/22/2017 | 8:38:09 AM
Re: Work Week Driven
Agreed around your IBM assessment. Unfortunately though, just because something seems logical doesn't mean the data will always support that. I do think resources could have been better utilized elsewhere instead of this study. Now that data confirms "Spammers' favorite day of the week", besides the fun factoid, there really won't be any difference in day to day security activities so what was the point.
User Rank: Ninja
8/22/2017 | 8:33:13 AM
Re: Work Week Driven
Don't know about commercial, but in general makes perfect sense.  Long weekends can translate into a Friday off or a Monday off, so T-W-Th are the days when maximum number of workers are IN the office doing their work.  It should not have taken IBM to mount a huge study to figure out this basic fact.  
User Rank: Ninja
8/22/2017 | 8:15:09 AM
Work Week Driven
It's not surprising that the trend correlates with the corporate work week. A large majority of employees would not check their work email outside of the office. I wonder for commercial email domains if there is any discernable trend?
<<   <   Page 2 / 2
What We Talk About When We Talk About Risk
Jack Jones, Chairman, FAIR Institute,  7/11/2018
Major International Airport System Access Sold for $10 on Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  7/11/2018
Mueller Probe Yields Hacking Indictments for 12 Russian Military Officers
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/13/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Cyberspace is much less secure than my old lamp.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-07-17
An issue was discovered in NeoMutt before 2018-07-16. newsrc.c does not properly restrict '/' characters that may have unsafe interaction with cache pathnames.
PUBLISHED: 2018-07-17
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/command.c mishandles a NO response without a message.
PUBLISHED: 2018-07-17
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/message.c has a stack-based buffer overflow for a FETCH response with a long INTERNALDATE field.
PUBLISHED: 2018-07-17
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/command.c mishandles a long IMAP status mailbox literal count size.
PUBLISHED: 2018-07-17
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap_quote_string in imap/util.c does not leave room for quote characters, leading to a stack-based buffer overflow.