In our second half (2H) of 2011 Advanced Threat Report, we provided compelling evidence that illustrated a possible correlation between an increase in email-based attacks and national holidays. Continuing this theme, let’s widen our dataset to worldwide and focus on the corresponding statistics collected year-to-date for 2012. To be clear, these statistics reflect the number of malicious attachments seen after initial SPAM and anti-virus filtering across our customer deployments who share intelligence back to us.
Comparatively, the rate of email-based malicious attachments in 2012 has dropped to nominal levels so far, with relatively smaller spikes above the aggregate average. The majority of email-based attackers appear to enjoy a spring break in late March, as well. Regardless, let’s zoom into the dotted view from Figure 1 and take a closer look at this nominal rate.
At first glance, the periodicity is quite striking. The vertical grey lines indicate every Sunday (UTC). During this timeframe, attacks occur more towards the middle of the week than on the weekends, with Wednesday and Thursday accounting for as much as four times the recalculated average.
It seems these attackers don’t like to work on weekends, either. Monday’s attack level is at average, while the midweek spike tapers off to below average levels by Friday. Lastly, let’s take a closer look at advanced persistent threat (APT) attacks during the first four months.
Of all the unique APT attacks seen during this period, 17% were seen in January, 4% in February, 60% in March, and the remaining 19% in April. While crimeware-level attacks peaked early in March, APT-based attacks spiked around mid-March—the week before traditional spring break season. As expected, we will continue to monitor these trends and provide updates throughout the year.