Monday may be our least favorite day of the week, but Thursday is when security professionals should watch out for cybercriminals, researchers say.
Timing is everything. Attackers pay as close attention to when they send out their booby-trapped emails as they do in crafting how these emails look. Malicious email attachment message volumes spike more than 38 percent on Thursdays over the average weekday volume, Proofpoint said in its Human Factor Report, which analyzed malicious email traffic in 2016. Wednesdays were the second highest days for malicious emails, followed by Mondays, Tuesdays and Fridays. Weekends tend to be low-volume days for email-borne threats, but that doesn’t mean there aren’t any.
“Attackers do their best to make sure messages reach users when they are most likely to click: at the start of the business day in time for them to see and click on malicious messages during working hours,” Proofpoint researchers wrote in the report.
Malicious emails can arrive any day of the week, but attackers clearly prefer certain days of the week for certain threat categories. Keyloggers and backdoors tend to kick off the week on Mondays, and Wednesdays are peak days for banking Trojans. Ransomware messages tend to be sent between Tuesdays and Thursdays. Point-of-sale Trojans arrive later in the week, on Thursdays and Fridays, when security teams have less time to detect and mitigate new infections before the weekend. Nearly 80 percent of point-of-sale campaigns in 2016 occurred on one of those two days.
“With few exceptions, ransomware was the only category of malware sent on weekends,” Proofpoint said in the report.
Security teams need to be particularly on alert on Thursdays — malicious attachments, malicious URLs, ransomware and point-of-sale infections all favor that day. Credential stealer campaigners also favor Thursdays. There was a clear increase in malicious attachments being sent on Thursdays, but emails with malicious URLs — the most common vector for phishing attacks designed to steal credentials — were constant throughout the week, with a slight increase on Tuesdays and Thursdays.
Attackers understand employee email habits and know that hitting employees with a well-crafted email at the just the right time will bring higher success rates. Most attack emails are sent four to five hours after the start of the business day and peak around lunchtime. Proofpoint’s analysis found that nearly 90 percent of clicks on malicious URLs occur within the first 24 hours of delivery, with a half of them occurring within an hour. A quarter of the clicks occur in just ten minutes.
The time between the email’s arrival in the victim’s inbox and actually clicking on the malicious link is shortest during business hours — between 8 a.m. and 3 p.m. Eastern — in the United States and Canada. The United Kingdom and the rest of Europe had similar patterns, as well, but there were some distinct regional differences. Clicking on malicious links by French users peaked around 1 p.m., but Swiss and German users tended to peak within the early hours of the workday. UK employees spaced out their clicks throughout the day, but there was a clear drop in activity after 2 p.m.
Sign up for CIO Asia eNewsletters.