Spammers' work cycles: Mon-Fri with lazy weekends, says IBM X-Force
India, South America and China are responsible for the bulk of the world’s spam emails, and most of them hate Mondays and Fridays, according to new research from IBM X-Force.
Amongst data collected from honeypots and monitoring systems between December 2016 to June 2017, researchers found that 83% of spam was sent during weekdays – namely, Tuesday, Wednesday and Thursday. Distribution on Tuesday peaked at around 17% of all mail volumes.
Mail volume dipped slightly on Mondays and Fridays, while on weekends it dipped even lower to between 8% and 9%.
According to X-Force researchers Limor Kessem and Mark Usher, spam volume spikes around 5am UTC (3pm AEST) and stops around 8pm UTC (6am AEST).
“That’s because spammers start off with Europe before they ‘follow the sun’ and start spamming recipients in the U.S,” they explain.
Some spammers doing the ‘weekend shift’ send spam at all hours of the day and night.
The researchers note that spam coincides with particular malware families including Trojans such as Dridex, TrickBot and Qakbot. Attackers using those tools spam employees through malicious mail at times when victims are most likely to open all incoming mail.
While 30% of spam attacks appear to originate from India and 11% from China, researchers say that it is possible spammers could be operating in a different country but using services and resources from overseas.
“With that, the origin of spam is still the significant factor because malicious actors will typically spam potential victims from within their own country to appear more legitimate and attempt to bypass some geography-based spam filters,” the researchers state.
Botnets are proving to be an important tool that spread spam on behalf of criminal groups. Systems infected with the Necurs botnet can generate spam at all hours of the day, according to the researchers.
“Are spam statistics disconnected from human operators who work to send spam? While it is true that many spam blasts are automated, there is a lot of work that still goes into each carefully planned campaign. Botnet operators are constantly looking for new ways to circumvent spam filters and make it through to recipients’ inboxes without being blocked or their malicious attachments being disabled,” they explain.
The Necurs botnet has morphed more than once – from malicious Microsoft Office documents to malware in .WSF files to loading fake DocuSign attachments.
X-Force says it will keep monitoring spammers and botnets, but those malicious tools will always attempt to infect new systems and make money off cyber crime.