IBM X-Force Kassel is a research team that operates massive spam honeypots and monitoring, gleaning data from billions of unsolicited emails every year. With such large amounts of spam coming in, we can more easily map trends. We looked at one recently when analyzing the spammer’s workweek.

Our goal in this analysis was to delve into six months of data to gain insight into when spammers and their spam bots do the most work, by weekday and hour range. We also aimed to look at the countries where spam originates to figure out where the hardest-working spammers go to launch their malicious schemes.

To examine these geospecific tendencies, we used the IP address of the spam’s sender to define the source geography. Our data range was December 2016 to June 2017.

A Daily Grind

The first finding we looked at is the weekly trend of how spam works. In the past, we’ve found that spammers are an organized bunch, and they plan their workdays around business hours. The data in our traps confirmed that this trend still holds true. Over 83 percent of all spam was sent during weekdays, with significant drops on weekends across the different geographies where spam messages originated. Over the six-month period we analyzed, the biggest day for spam was Tuesday, followed by Wednesday and Thursday.

Figure 1: Total spam distribution per daily volumes

Read the white paper: Adapt to new phishing threats and assess websites automatically

Office Hours

Looking at the hour range during which most spam was sent out, we observed a hike right around 5 a.m. Coordinated Universal Time (UTC) during weekdays, which is only 1 a.m. on the U.S. East Coast. That’s because spammers start off with Europe before they follow the sun and start spamming recipients in the U.S. The big drop in spam comes at around 8 p.m. UTC, or 4 p.m. EST, but some spamming lingers thereafter, likely only in the U.S. at that point.

This trend coincides with the focus of different malware families, such as banking Trojans and ransomware, to target organizations and not just indiscriminate users on their email accounts. Trojans such as Dridex, TrickBot and QakBot are cybergang-owned malware designed to rob business bank accounts. As such, these gangs make sure to spam employees in very pointed bouts of malicious mail, during those times in which potential new victims are more likely to open incoming email.

In the different zones on the globe, X-Force data showed that spammers like to get their sleep at night, even though there was an undercurrent of some spam activity that persists 24 hours a day.

Figure 2: Spam distribution per hour of the day — Weekdays (Monday-Friday, UTC)

Those Who Work Weekends Work at Night

X-Force data shows that although the lion’s share of spam is indeed sent during the week, there are still spammers and spam bots working the weekend shifts. Those who operate during those days appear to be sending unsolicited email at all hours of the day and night. The spam peaks start at midnight, with a second peak at about 1 p.m. It starts dying down around 11 p.m., only to start up again at midnight.

Figure 3: Spam distribution per hour of the day —Weekends (Saturday-Sunday, UTC)

Most Active Spam Sources

Using the data to look at the geographic source of the spam messages, we did consider the fact that criminals could be spamming from an entirely different country but contracting out services and resources from across the seas. With that, the origin of spam is still the significant factor because malicious actors will typically spam potential victims from within their own country to appear more legitimate and attempt to bypass some geography-based spam filters.

Looking at the numbers, the top originator of spam in the past six months was India. Runners up were South America and China, respectively.

Figure 4: Top spam originators over the analyzed six-month period (December 2016 to June 2017)

Daily trends in some countries were similar. For example, the entire European region showed the same trend of sending spam during the daytime Monday through Friday and dropping in the evening. India and South America also looked pretty similar: Most spam is sent during the day, and the volumes drop at night.

The trend was a tad different in Russia, where most spamming took place Thursday and Saturday, without any major changes on all other days of the week. It seems like spammers sending email from Russian IP addresses are active throughout the week.

However, the similarity found between North America and China was somewhat surprising. In those regions, spam was the most constant and consistent throughout the week, without a notable drop at any point.

Botnets Never Sleep

One of the biggest botnets in the world is the Necurs botnet, a major threat that spreads spam for some of the most notorious cybergangs on the internet. Botnets such as Necurs never sleep, and their zombie members can be programmed to spew out spam at any time of day.

Are spam statistics disconnected from human operators who work to send spam? While it is true that many spam blasts are automated, there is a lot of work that still goes into each carefully planned campaign. Botnet operators are constantly looking for new ways to circumvent spam filters and make it through to recipients’ inboxes without being blocked or their malicious attachments being disabled.

If we look at Necurs again, this botnet alone has been shuffling its delivery tactics very frequently in the past few months, moving from lacing Microsoft Office documents with malicious exploits, to poisoned PDF files embedded with a laced Office file, to sending malware in .WSF files. Most recently, the cybergang has been delivering fake DocuSign attachments just to keep evading security, look legitimate and deliver the nefarious payload.

Spammers Are More Sophisticated Than Ever

Studying the trends that move illicit spamming and the mechanisms that enable cybercrime is an essential part of threat intelligence and situational awareness for any organization.

Nowadays, malware is more sophisticated than ever, and its delivery methods are not falling short. Spammers and spam botnets launch millions of malicious messages every day, hoping to get through to potential victims, infect new endpoints, invade another organization and keep rolling the cash laundromat that drives cybercrime. By learning their methods and tracking their activity, defenders can better manage risk and keep their organizations safer from spam.

IBM X-Force research continually updates research findings, threat intelligence and indicators of compromise (IoCs) on X-Force Exchange. Join us today to keep yourself and your organization up to date, and to collaborate with the largest security teams in the world to fight cybercrime.

Read the white paper: Adapt to new phishing threats and assess websites automatically

More from Advanced Threats

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

4 min read - Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Detections That Can Help You Identify Ransomware

12 min read - One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

Trickbot rising — Gang doubles down on infection efforts to amass network footholds

11 min read - IBM X-Force has been tracking the activity of ITG23, a prominent cybercrime gang also known as the TrickBot Gang and Wizard Spider. Researchers are seeing an aggressive expansion of the gang’s malware distribution channels, infecting enterprise users with Trickbot and BazarLoader. This move is leading to more ransomware attacks — particularly ones using the Conti ransomware. As of mid-2021, X-Force observed ITG23 partner with two additional malware distribution affiliates — Hive0106 (aka TA551) and Hive0107. These and other cybercrime vendors…