Monday may be our least favorite day of the week, but Thursday is when security professionals should watch out for cybercriminals, researchers say.
Timing is everything. Attackers pay as close attention to when they send out their booby-trapped emails as they do in crafting how these emails look. Malicious email attachment message volumes spike more than 38 percent on Thursdays over the average weekday volume, Proofpoint said in its Human Factor Report, which analyzed malicious email traffic in 2016. Wednesdays were the second highest days for malicious emails, followed by Mondays, Tuesdays and Fridays. Weekends tend to be low-volume days for email-borne threats, but that doesn’t mean there aren’t any.
“Attackers do their best to make sure messages reach users when they are most likely to click: at the start of the business day in time for them to see and click on malicious messages during working hours,” Proofpoint researchers wrote in the report.
Malicious emails can arrive any day of the week, but attackers clearly prefer certain days of the week for certain threat categories. Keyloggers and backdoors tend to kick off the week on Mondays, and Wednesdays are peak days for banking Trojans. Ransomware messages tend to be sent between Tuesdays and Thursdays. Point-of-sale Trojans arrive later in the week, on Thursdays and Fridays, when security teams have less time to detect and mitigate new infections before the weekend. Nearly 80 percent of point-of-sale campaigns in 2016 occurred on one of those two days.
“With few exceptions, ransomware was the only category of malware sent on weekends,” Proofpoint said in the report.
Security teams need to be particularly on alert on Thursdays — malicious attachments, malicious URLs, ransomware and point-of-sale infections all favor that day. Credential stealer campaigners also favor Thursdays. There was a clear increase in malicious attachments being sent on Thursdays, but emails with malicious URLs — the most common vector for phishing attacks designed to steal credentials — were constant throughout the week, with a slight increase on Tuesdays and Thursdays.
Attackers understand employee email habits and know that hitting employees with a well-crafted email at the just the right time will bring higher success rates. Most attack emails are sent four to five hours after the start of the business day and peak around lunchtime. Proofpoint’s analysis found that nearly 90 percent of clicks on malicious URLs occur within the first 24 hours of delivery, with a half of them occurring within an hour. A quarter of the clicks occur in just ten minutes.
The time between the email’s arrival in the victim’s inbox and actually clicking on the malicious link is shortest during business hours — between 8 a.m. and 3 p.m. Eastern — in the United States and Canada. The United Kingdom and the rest of Europe had similar patterns, as well, but there were some distinct regional differences. Clicking on malicious links by French users peaked around 1 p.m., but Swiss and German users tended to peak within the early hours of the workday. UK employees spaced out their clicks throughout the day, but there was a clear drop in activity after 2 p.m.
While it’s important to block malicious messages from reaching the inbox in the first place, the other side of email defense is to be able to flag already-delivered messages and block those links after realizing they were malicious. The longer a malicious URL is in the inbox, the more likely it is that the user will click on it. Being able to block those links, or proactively removing those emails even after delivery, would reduce the threat.
While Proofpoint’s analysis focused on email-based attacks and spanned the end of 2016, email wasn’t the only threat vector where the attackers paid attention to the day of the week. An analysis of all the attacks investigated by the eSentire Security Operations Center in the first quarter of 2017 found that some attacks were more common on certain days. The volume of threats, which in eSentire’s report included availability attacks such as distributed denial-of-service (DDoS), fraud, information gathering, intrusion attempts and malicious code, was highest on Fridays, followed by Thursdays. Availability attacks didn’t care about the day of the week, but fraud was dramatically reduced on weekends. Malicious code was most common on Thursdays, and intrusion attempts were higher on Fridays.
There is no day off when it comes to defense. The security tools scrutinizing email messages as they arrive, before letting them reach user inboxes, have to be capable of handling peak volumes without sacrificing performance. But if defenders know that the second half of the week tends to be worse in terms of malware and credential theft, they can put in extra monitoring and scanning to detect possible new infections. By allocating more time in the second half of the week to investigate alerts, security teams may detect attacks sooner, and reduce the potential damage.