The business world operates according to many well-entrenched patterns. Work schedules are defined based on labour and customer demands; a majority of day-to-day business activities peak between the prime hours of 9 and 5; and operations need to be adapted to meet ongoing global interaction in multiple time zones.
The same patterns hold true for the spamming community, according to a recent blog by IBM’s X-Force Kassel team, All in a Spammer’s Workweek: Where Do the Busiest Spammers Work Around the Clock? IBM X-Force Kassel is a research team that runs massive spam honeypots to glean data from billions of unsolicited emails.
Despite the best efforts of anti-spam legislation and advanced anti-spam tools and resources, spammers have morphed into an enterprise community of epic proportions. That community has evolved considerably from the early days of relentless Viagra ads populating your inbox, to highly sophisticated, targeted attacks through attachments and other nefarious tools that consistently wreak havoc in banking institutions, healthcare facilities, infrastructure services, and even federal elections.
As the community has grown, spammers have established business processes which closely mirror the attitudes and activities of legitimate enterprise employees. For example: IBM X-Force stated that over 83% of all spam was sent from Monday to Friday, dropping significantly over weekends. The biggest day for spam is Tuesday.
A few other patterns of note: spam peaks around 1am ET (5am UTC – Coordinated Universal Time) during weekdays, with a big drop coming around 4pm ET (8 p.m. UTC). The reason is that spammers start off with Europe before they “follow the sun” in spamming recipients.
Of course it makes sense that spammers follow market forces at work given that potential victims - typically unsuspecting employees – are more likely to open incoming emails at certain times of the business day.
This does not mean spammers are idle outside of standard business hours. There are plenty of spammers and spam bots working graveyard and weekend shifts. The more prolific spammers will also contract out services and resources to blanket different time zones.
The earmarks of spam are also becoming increasingly more difficult to recognize, as spammers are highly adept at discovering new and creative delivery methods to infect endpoints and engage in cybercrime activities. “The reality is, spammers are following other cybercriminal trends, and using the same tools to escalate their activities, and the same doorways to get at people’s inboxes, whether delivering a simple spam pitch or launching a potential ransomware attack,” said Limor Kessem, executive security advisor, IBM Security. “A lot of criminal activities are now coming through spam from organized groups, which means enterprises are facing something much more complicated.”
According to the 2017 IBM X-Force Threat Intelligence Index, spam email remains a primary tool in the attacker’s toolkit. In the past year, spam volume increased 400 percent and nearly 44 percent of spam analyzed by IBM research contained a malicious attachment.
The Fortinet Threat Landscape Report Q2 2017 stated there were 62 million malware detections, with an average daily volume of 677,000. More specifically, there were 16,582 total malware variants, and 2,534 different malware families, with 18 percent of firms seeing mobile malware.
When it comes to malware “families”, the report noted that the most common functionality is downloading/uploading files, followed by dropping other malware. “Downloaders and droppers are a rather interesting breed of malware because they often don’t have a malicious payload within their codebase. They discreetly deliver weapons to the target, but don’t pull the trigger themselves,” the report said.
Adding to the malware challenge is the fact that like any large enterprise, different spamming groups have people with different sets of skills, Kessem said. “Some know traffic distribution, others know how to conceal malicious codes in zip files or images, making it hard for automated security systems to discern what to block and what to let through. Some are experts at reverse engineering things to figure out ways to make spam go through.”
Different groups also go after different targets, she added. There are those that target institutions such as healthcare, as they will care enough to pay a ransom demand. “Some go after SMBs and do more volumes. Others produce less volume but focus on the big payoff. It all depends on the intent, and which group is interested,” Kessem noted.
AI is becoming an increasingly valuable resource in ferreting out spam emails, she added. “Analysts have had to do the job of implementing automation and rules. AI can do that faster, including identifying images which can be used to hide malicious code. It can filter things a lot more effectively and make sure less and less spam makes its way into your inbox.”
While investing in the latest technology to fight spam is absolutely critical, another critical approach for organizations is education and awareness, she said. “There are always going to be weaker links. Employees must be trained in what to expect, what the newest attacks look like, the consequences, and what they need to do. For example, if they receive a business email from the CEO ordering a transfer of funds, the organization should have processes in place to make sure they speak to the CEO before executing.”
Management must lead by example and be vigilant on higher risk days, she advises. “You could declare Tuesday a cybersecurity day and run an educational campaign to go with that. Make sure that it’s something that is right in front of them to see, whether it’s a poster or a coffee mug on their desk. People need to understand the part they play in your security vision.”
Another valuable protective measure is conducting spam simulations to test employee awareness. “It’s not to catch those that are not vigilant. It’s about determining what you can do to make them better .You can use the information you gain to know about what level of training is needed. If you can’t do it on your own, there are phishing and spam simulation vendors that can work with you.”
Ultimately, knowing your enemy is a fundamental part of any risk management strategy, Kessem said. “The more one can tap into their behaviour and patterns, the better the protection.”