IBM X-Force Kassel is a research team that operates massive spam honeypots and monitoring, gleaning data from billions of unsolicited emails every year. With such large amounts of spam coming in, we can more easily map trends. We looked at one recently when analyzing the spammer’s workweek.

Our goal in this analysis was to delve into six months of data to gain insight into when spammers and their spam bots do the most work, by weekday and hour range. We also aimed to look at the countries where spam originates to figure out where the hardest-working spammers go to launch their malicious schemes.

To examine these geospecific tendencies, we used the IP address of the spam’s sender to define the source geography. Our data range was December 2016 to June 2017.

A Daily Grind

The first finding we looked at is the weekly trend of how spam works. In the past, we’ve found that spammers are an organized bunch, and they plan their workdays around business hours. The data in our traps confirmed that this trend still holds true. Over 83 percent of all spam was sent during weekdays, with significant drops on weekends across the different geographies where spam messages originated. Over the six-month period we analyzed, the biggest day for spam was Tuesday, followed by Wednesday and Thursday.

Figure 1: Total spam distribution per daily volumes

Read the white paper: Adapt to new phishing threats and assess websites automatically

Office Hours

Looking at the hour range during which most spam was sent out, we observed a hike right around 5 a.m. Coordinated Universal Time (UTC) during weekdays, which is only 1 a.m. on the U.S. East Coast. That’s because spammers start off with Europe before they follow the sun and start spamming recipients in the U.S. The big drop in spam comes at around 8 p.m. UTC, or 4 p.m. EST, but some spamming lingers thereafter, likely only in the U.S. at that point.

This trend coincides with the focus of different malware families, such as banking Trojans and ransomware, to target organizations and not just indiscriminate users on their email accounts. Trojans such as Dridex, TrickBot and QakBot are cybergang-owned malware designed to rob business bank accounts. As such, these gangs make sure to spam employees in very pointed bouts of malicious mail, during those times in which potential new victims are more likely to open incoming email.

In the different zones on the globe, X-Force data showed that spammers like to get their sleep at night, even though there was an undercurrent of some spam activity that persists 24 hours a day.

Figure 2: Spam distribution per hour of the day — Weekdays (Monday-Friday, UTC)

Those Who Work Weekends Work at Night

X-Force data shows that although the lion’s share of spam is indeed sent during the week, there are still spammers and spam bots working the weekend shifts. Those who operate during those days appear to be sending unsolicited email at all hours of the day and night. The spam peaks start at midnight, with a second peak at about 1 p.m. It starts dying down around 11 p.m., only to start up again at midnight.

Figure 3: Spam distribution per hour of the day —Weekends (Saturday-Sunday, UTC)

Most Active Spam Sources

Using the data to look at the geographic source of the spam messages, we did consider the fact that criminals could be spamming from an entirely different country but contracting out services and resources from across the seas. With that, the origin of spam is still the significant factor because malicious actors will typically spam potential victims from within their own country to appear more legitimate and attempt to bypass some geography-based spam filters.

Looking at the numbers, the top originator of spam in the past six months was India. Runners up were South America and China, respectively.

Figure 4: Top spam originators over the analyzed six-month period (December 2016 to June 2017)

Daily trends in some countries were similar. For example, the entire European region showed the same trend of sending spam during the daytime Monday through Friday and dropping in the evening. India and South America also looked pretty similar: Most spam is sent during the day, and the volumes drop at night.

The trend was a tad different in Russia, where most spamming took place Thursday and Saturday, without any major changes on all other days of the week. It seems like spammers sending email from Russian IP addresses are active throughout the week.

However, the similarity found between North America and China was somewhat surprising. In those regions, spam was the most constant and consistent throughout the week, without a notable drop at any point.

Botnets Never Sleep

One of the biggest botnets in the world is the Necurs botnet, a major threat that spreads spam for some of the most notorious cybergangs on the internet. Botnets such as Necurs never sleep, and their zombie members can be programmed to spew out spam at any time of day.

Are spam statistics disconnected from human operators who work to send spam? While it is true that many spam blasts are automated, there is a lot of work that still goes into each carefully planned campaign. Botnet operators are constantly looking for new ways to circumvent spam filters and make it through to recipients’ inboxes without being blocked or their malicious attachments being disabled.

If we look at Necurs again, this botnet alone has been shuffling its delivery tactics very frequently in the past few months, moving from lacing Microsoft Office documents with malicious exploits, to poisoned PDF files embedded with a laced Office file, to sending malware in .WSF files. Most recently, the cybergang has been delivering fake DocuSign attachments just to keep evading security, look legitimate and deliver the nefarious payload.

Spammers Are More Sophisticated Than Ever

Studying the trends that move illicit spamming and the mechanisms that enable cybercrime is an essential part of threat intelligence and situational awareness for any organization.

Nowadays, malware is more sophisticated than ever, and its delivery methods are not falling short. Spammers and spam botnets launch millions of malicious messages every day, hoping to get through to potential victims, infect new endpoints, invade another organization and keep rolling the cash laundromat that drives cybercrime. By learning their methods and tracking their activity, defenders can better manage risk and keep their organizations safer from spam.

IBM X-Force research continually updates research findings, threat intelligence and indicators of compromise (IoCs) on X-Force Exchange. Join us today to keep yourself and your organization up to date, and to collaborate with the largest security teams in the world to fight cybercrime.

Read the white paper: Adapt to new phishing threats and assess websites automatically

More from Advanced Threats

Hive0051 goes all in with a triple threat

13 min read - As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings, detailing Hive0051's use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS Fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day. An examination of a sample of the lures associated with the ongoing activity reveals…

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today