Forget casual Friday: keylogger Mondays and ransomware Thursdays are things now

Scrutiny of malware behaviour confirm phishing attacks are following human activity cycles

Users tend to receive the most emails with malicious attachments on Thursdays and they’re most likely to click on messages in the morning purporting to be from the local postal service, according to an analysis of email attacks that has reinforced the importance of time and human factors for cybersecurity protection.

The analysis, contained in Proofpoint’s Human Factor Report 2017 found that 20.2 percent of malicious emails were sent on Thursdays, followed by Tuesdays (17.6 percent); the other weekdays each saw around 15 percent of emails, while the circulation of malicious URLs was far more evenly distributed.

Ransomware attachments were far and away the most common type of attachment, accounting for anywhere from 50m detected attachments on Saturdays to around 225m detected attachments on Thursdays.

Yet while ransomware and credential-stealing ransomware were most common on Thursdays, banking Trojans spiked on Wednesdays instead. This is because employees tend to be paid on Thursdays or Fridays, when they are likely to be accessing their online banking services to check amounts and pay bills. With employees clicking on 1.7 percent of emails purporting to be from financial institutions, large phishing campaigns can easily produce strong results around financial fraud.

Keyloggers and backdoor attacks like the recent Loda malware, meanwhile, were far more common on Mondays. This timing may be linked to employees returning to work after relaxing or exhausting weekends, then working furiously and perhaps a little carelessly to tackle their to-do lists for the week.

The variety and nature of these attacks varies widely. One recent attack targeted Facebook access to build up ‘likes’; another focused on financial analysts working in Russia and its neighbours; and another recent attack leveraged the widely-used Google Docs platform with techniques that “had previously been more associated with state-sponsored threat actors,” Proofpoint senior vice president of cybersecurity strategy Ryan Kalember said in a statement.

“Cybercriminals continue to use carefully engineered messages to steal email account credentials because they are the gateway to all other digital account access…Based on the success of the initial attack, we would expect copycats to try and snare victims with similar campaigns.”

The content of the attacks – which are increasingly being tailored to arouse human curiosity and engagement – has helped cybercriminals target Australian users with increasing regularity. In late May, for example, Mailguard highlighted a scam email purporting to be from the Australian Securities and Investments Commission (ASIC). Another recent attack mimicked the National Australia Bank, telling recipients that their account had been disabled and to click a link to reactivate their account; a similar campaign targeted Westpac customers this week.

Such localised attacks dominated Proofpoint’s analysis of small phishing campaigns, with targeted employees clicking on messages emulating local postal services 78.6 percent of the time. Messages purporting to relate to shared files were also effective, with WeTransfer (25.1 percent), Metro (20.8 percent), Docusign (20.7 percent) and DropSend (18.8 percent) delivering the highest clickthrough rates.

In large campaigns, name-brand online services were proving irresistible to targets with Dropbox (13.6 percent) and Adobe (12.8 percent) proving far more successful even than Google Drive (5.1 percent), Microsoft OWA (2.8 percent), Apple accounts (1.2 percent) and PayPal (0.8 percent).

Time of day was also relevant, with Australian users most likely to click on phishing emails around 9am – suggesting they are clearing their inboxes of email that arrived overnight. United States users, by contrast, were more likely to click on phishing attacks around noon – suggesting that the email clearing was happening during the lunch hour.

Fully 25.5 percent of clicks occur within 10 minutes of an email being sent, and 48.6 percent within an hour. This confirms the small window that security administrators have to intercept and isolate potentially harmful emails.

Australian government figures have suggested that the average phishing and social engineering attack costs $23,209 in damage, with 29 percent causing productivity loss and the average attack taking 23 days to resolve.

Join the experts to discuss your new email exposure in a CSO - Proofpoint Webinar on June 13

Tags FacebookproofpointkeyloggerAustralian Securities and Investments Commission (ASIC)CSO Australiacybersecurity protectioncasual Friday

Show Comments