IBM: Targeted Spam Malware Sticks To Working Hours

Spammers may use automated delivery techniques, but manual work is also involved in fine-tuning their methods, all the better to trick users into opening their malicious attachments, according to a new study.

IBM’s X-Force security research lab said spam remains a primary means of delivering malware, with 44 percent of the junk emails analysed over a six-month period containing attack code.

Targeted timing

Ransomware overwhelmingly dominated, making up 85 percent of malicious junk messages. Spam volumes have increased by a factor of four over the past year.

Malware is increasingly targeted at particular individuals and organisations, and IBM found spam delivery times are targeted as well, with volumes rising at the beginning of the day on European time (5 a.m. GMT). A big drop came at the end of the day, European time (8 p.m. GMT), and another at the end of the day on the US west coast (7 p.m. PST, or 1 a.m. GMT).

Junk email levels were highest during the day, too, with 83 percent sent on weekdays. The busiest day was Tuesday, followed by Wednesday and Thursday.

The most spam originated from India, followed by South America and China, but IBM said spammers might outsource their deliveries to IP addresses in those countries.

Most spam is delivered by botnets, made up of internet-connected computers whose users aren’t aware they’ve been hijacked, so the actual systems involved could be located anywhere and controlled by someone in another country.

Hand-tailored techniques

The spread of delivery times is a way of targeting users when they’re likely to be in the office, since many malicious attachments are aimed at stealing data from organisations such as businesses and governments, IBM said.

“These gangs make sure to spam employees in very pointed bouts of malicious mail, during those times in which potential new victims are more likely to open incoming email,” X-Force said in an advisory.

IBM’s analysis found that in spite of the large-scale automation involved, attackers also put hands-on work into helping their attachments slip past spam filters.

For instance, malware sent through the large Necurs botnet has changed delivery tactics frequently in the past few months, moving from infected Microsoft Office documents to PDF files embedded with a malicious Office document, to malicious .WSF files and then fake DocuSign attachments.

Malware ‘cash laundromat’

“Malware is more sophisticated than ever, and its delivery methods are not falling short,” IBM said in the advisory. “Spammers and spam botnets launch millions of malicious messages every day, hoping to get through to potential victims, infect new endpoints, invade another organisation and keep rolling the cash laundromat that drives cybercrime.”

Researchers have pointed to a significant shift in malware delivery that occurred this year with the release of exploits such as EternalBlue, allegedly developed by the NSA and leaked by the Shadow Brokers hacker group in April.

EternalBlue, which directly targets vulnerable SMB software found in Microsoft Windows and as such doesn’t require a user to open an infected attachment, was used in May to spread the WannaCry ransomware and the following month the NotPetya malware.

Matthew Broersma

Matt Broersma is a long-standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications.
