Even Hackers Don't Like to Work Weekends: Email Attack Trends from Q1 2012

In our Advanced Threat Report for the second half (2H) of 2011, we provided compelling evidence that illustrated a possible correlation between an increase in email-based attacks and national holidays. Continuing this theme, let’s widen our dataset to worldwide coverage and focus on the corresponding statistics collected year-to-date for 2012. To be clear, these statistics reflect the number of malicious attachments seen after initial spam and anti-virus filtering across the customer deployments that share intelligence back to us.

Figure 1. Rate of malicious attachments detected (worldwide) by relative volume (2H2011 + 2012YTD)

Comparatively, the rate of email-based malicious attachments in 2012 has dropped to nominal levels so far, with relatively smaller spikes above the aggregate average. The majority of email-based attackers appear to enjoy a spring break in late March, as well. Regardless, let’s zoom into the dotted view from Figure 1 and take a closer look at this nominal rate.

Figure 2. Rate of malicious attachments detected (worldwide) by relative volume (2012YTD); average recalculated for this dataset

At first glance, the periodicity is quite striking. The vertical grey lines indicate every Sunday (UTC). During this timeframe, attacks occur more towards the middle of the week than on the weekends, with Wednesday and Thursday accounting for as much as four times the recalculated average.

Figure 3. Average relative rate of malicious attachments detected (worldwide) by day of week (in UTC) for (2012YTD)

It seems these attackers don’t like to work on weekends, either. Monday’s attack level is at the average, while the midweek spike tapers off to below-average levels by Friday. Lastly, let’s take a closer look at advanced persistent threat (APT) attacks during the first four months.

Figure 4. Relative rate of advanced persistent threat (APT) attacks delivered via malicious email attachments detected (worldwide) by month for (01-2012 through 04-2012)

Of all the unique APT attacks seen during this period, 17% were seen in January, 4% in February, 60% in March, and the remaining 19% in April. While crimeware-level attacks peaked early in March, APT-based attacks spiked around mid-March—the week before traditional spring break season. As expected, we will continue to monitor these trends and provide updates throughout the year.
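
To reproduce the day-of-week breakdown shown in Figure 3 against your own mail gateway detections, the following added example (not code from the original report) buckets detection timestamps by UTC date, divides each day's count by the average over the observation window, and averages those relative rates per weekday. The function name, the window parameters and the sample timestamps are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date, datetime, timedelta, timezone

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def weekday_relative_rates(timestamps, first, last):
    """Average of (daily count / window average) per weekday, in UTC.

    timestamps: ISO 8601 strings with an explicit UTC offset.
    first, last: inclusive observation window as UTC dates (assumed known).
    """
    span = [first + timedelta(days=i) for i in range((last - first).days + 1)]
    # Convert to UTC before taking the date: a late-evening local event
    # can belong to the next UTC day, and therefore to another weekday.
    per_day = Counter(
        datetime.fromisoformat(ts).astimezone(timezone.utc).date()
        for ts in timestamps
    )
    total = sum(per_day[d] for d in span)
    if total == 0:
        return {}  # nothing detected in the window, no rate to compute
    average = total / len(span)  # quiet days count as zero, not as missing
    buckets = {}
    for d in span:
        buckets.setdefault(DAYS[d.weekday()], []).append(per_day[d] / average)
    return {name: sum(v) / len(v) for name, v in buckets.items()}


# Constructed sample: two weeks of detections starting Monday 2012-03-05.
WEEK_COUNTS = [2, 2, 4, 4, 1, 1, 0]  # Mon..Sun, constructed values
SAMPLE = [
    f"{date(2012, 3, 5) + timedelta(days=7 * w + d)}T12:00:00+00:00"
    for w in range(2)
    for d, n in enumerate(WEEK_COUNTS)
    for _ in range(n)
]
# Swap one Monday event for a sensor reporting in UTC-5: Sunday evening
# local time, but 02:30 on Monday 2012-03-12 in UTC.
SAMPLE.remove("2012-03-12T12:00:00+00:00")
SAMPLE.append("2012-03-11T21:30:00-05:00")

if __name__ == "__main__":
    rates = weekday_relative_rates(SAMPLE, date(2012, 3, 5), date(2012, 3, 18))
    for name in DAYS:
        print(f"{name}: {rates[name]:.2f}x average")
```

Passing the observation window explicitly keeps days with no detections in the denominator; deriving the window from the first and last event would drop trailing quiet days and overstate weekend rates.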