
Spammers' work cycles: Mon-Fri with lazy weekends, says IBM X-Force

28 Aug 17

India, South America and China are responsible for the bulk of the world’s spam emails, and most of them hate Mondays and Fridays, according to new research from IBM X-Force.

Amongst data collected from honeypots and monitoring systems between December 2016 and June 2017, researchers found that 83% of spam was sent during weekdays – namely, Tuesday, Wednesday and Thursday. Distribution on Tuesday peaked at around 17% of all mail volume.

Mail volume dipped slightly on Mondays and Fridays, while on weekends it dipped even lower to between 8% and 9%.

According to X-Force researchers Limor Kessem and Mark Usher, spam volume spikes around 5am UTC (3pm AEST) and stops around 8pm UTC (6am AEST).

“That’s because spammers start off with Europe before they ‘follow the sun’ and start spamming recipients in the U.S,” they explain.

Some spammers doing the ‘weekend shift’ send spam at all hours of the day and night.
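As an added example (not from the X-Force report or this article), this is how a mail administrator could derive the same weekday and hour-of-day figures from their own gateway logs; the timestamps are constructed, and AEST is taken as the fixed UTC+10 offset the article uses.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of messages a mail gateway tagged as spam
# (one week in March 2017, not real X-Force data).
SPAM_TIMESTAMPS_UTC = [
    "2017-03-06T05:10:00Z",                                                  # Monday
    "2017-03-07T05:30:00Z", "2017-03-07T09:15:00Z", "2017-03-07T14:00:00Z",  # Tuesday
    "2017-03-08T06:00:00Z", "2017-03-08T12:45:00Z",                          # Wednesday
    "2017-03-09T07:20:00Z", "2017-03-09T19:50:00Z",                          # Thursday
    "2017-03-10T08:05:00Z",                                                  # Friday
    "2017-03-11T02:00:00Z",                                                  # Saturday
]

UTC = timezone.utc
AEST = timezone(timedelta(hours=10), "AEST")  # fixed UTC+10, as in the article


def parse_utc(ts: str) -> datetime:
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' string into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)


def weekday_share(timestamps):
    """Percentage of spam landing on each weekday name, e.g. {'Tuesday': 30.0, ...}."""
    counts = Counter(parse_utc(t).strftime("%A") for t in timestamps)
    total = sum(counts.values())
    return {day: round(100 * n / total, 1) for day, n in counts.items()}


def midweek_share(timestamps):
    """Share of spam sent Tuesday to Thursday, the block X-Force found busiest."""
    shares = weekday_share(timestamps)
    return round(sum(shares.get(d, 0.0) for d in ("Tuesday", "Wednesday", "Thursday")), 1)


def busiest_hour(timestamps, tz=UTC):
    """Hour of day (0-23) with the most spam, after converting each timestamp to tz."""
    counts = Counter(parse_utc(t).astimezone(tz).hour for t in timestamps)
    return counts.most_common(1)[0][0]


if __name__ == "__main__":
    print("weekday share:", weekday_share(SPAM_TIMESTAMPS_UTC))
    print("Tue-Thu share:", midweek_share(SPAM_TIMESTAMPS_UTC), "%")
    print("busiest hour UTC:", busiest_hour(SPAM_TIMESTAMPS_UTC))
    print("busiest hour AEST:", busiest_hour(SPAM_TIMESTAMPS_UTC, AEST))
```

Running the same functions over a real gateway log lets you compare your own peak hour against the 5am UTC onset the researchers describe, which is useful for deciding when to tighten attachment sandboxing.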

The researchers note that spam coincides with particular malware families including Trojans such as Dridex, TrickBot and Qakbot. Attackers using those tools spam employees through malicious mail at times when victims are most likely to open all incoming mail.

While 30% of spam attacks appear to originate from India and 11% from China, researchers say spammers could be operating in one country while using services and resources hosted elsewhere.

“With that, the origin of spam is still the significant factor because malicious actors will typically spam potential victims from within their own country to appear more legitimate and attempt to bypass some geography-based spam filters,” the researchers state.

Botnets are proving to be an important tool for spreading spam on behalf of criminal groups. Systems infected with the Necurs botnet can generate spam at all hours of the day, according to the researchers.

“Are spam statistics disconnected from human operators who work to send spam? While it is true that many spam blasts are automated, there is a lot of work that still goes into each carefully planned campaign. Botnet operators are constantly looking for new ways to circumvent spam filters and make it through to recipients’ inboxes without being blocked or their malicious attachments being disabled,” they explain.

The Necurs botnet has morphed more than once – from malicious Microsoft Office documents to malware in .WSF files to loading fake DocuSign attachments.

X-Force says it will keep monitoring spammers and botnets, but those malicious tools will always attempt to infect new systems and make money off cyber crime.
