Christmas Comes Early For Hackers: Email Attack Trends From 3Q2012

In our first half (1H) of 2012 Advanced Threat Report, we looked at various factors related to email-based attack trends, including exploit vector type (e.g., link/attachment), domain frequency, and attachment polymorphism. With the holiday season starting back up, we’ll refocus our attention on all the corresponding threat data collected quarter-to-date for 2012. To be clear, these statistics reflect the number of malicious attachments seen after initial SPAM and anti-virus filtering across our customer deployments, who share intelligence back to us.

3Q2012_Email_Attack_Trends-Figure_1

Figure 1. Rate of malicious attachments detected (worldwide) by relative volume (2012 YTD)

Compared to earlier this year, we’ve seen a significant increase in the rate of malicious attachments in the past two months alone. Let’s zoom into the dotted view from Figure 1 and take a closer look. 

3Q2012_Email_Attack_Trends-Figure_2

Figure 2. Rate of malicious attachments detected (worldwide) by relative volume (3Q2012)

For starters, we knew email-based attacks would increase around the start of September. Why? Because in 2011, these types of attacks occurred around the same time and were 1,353% above the average. That said, it’s surprising that this year, we see a 1.5x increase from 2011 to 2012 at 2,042% above the average! Based on this evidence, it appears that the end of August and beginning of September mark the first yearly tsunami of email attacks, with more (but likely smaller) waves expected around major holidays for the rest of the year.

Therefore, if you were a CIO or CISO, when do you think would be the best time to conduct security awareness training regarding email-based threats in your organization? Based on this repeat pattern, I would recommend starting early July or August. Specifically, waiting until October is likely not as effective, when defending against this type of threat.

In our last 1Q2012 Email Attack Trends article, we also looked at how the attack frequency changes depending on the day of the week. This time, we revisit this theme, but look at the day-of-week trends over multiple months.

3Q2012_Email_Attack_Trends-Figure_3

Figure 3. Distribution of malicious attachments detected (worldwide) by day of week (04-2012 to YTD)

As the graph reaches the start of September, Monday clearly approaches maximum saturation, due to the aforementioned spike over the holiday. However, there are other interesting artifacts in this graph. Prior to August, Friday was the least vulnerable day for attacks, overall. Thursday was the most vulnerable in April, followed by the weekends in May, Tues/Wed in June, Mon/Tues/Wed in July/August, and Monday in early September (due to the holiday). While actual workload may vary per incident, Security and IT managers may find these general statistics useful, when developing day-of-week staffing plans over multiple months to address this threat vector. Figure 4 shows another view of the data, which may be clearer to some. 

3Q2012_Email_Attack_Trends-Figure_4

Figure 4. Distribution of malicious attachments detected (worldwide) by day of week (04-2012 to YTD)

Having thoroughly dissected day-of-week correlations, let’s take a closer look at the relevant frequency of APT attacks, roughly during this same time frame.

3Q2012_Email_Attack_Trends-Figure_5

Figure 5. Rate of APT-based attachments, links, and callbacks detected (worldwide) by day of week (05-2012 to YTD)

Figure 5 illustrates graphs the relative rates of APT-based attachments (inbound), malicious links in email (inbound), and callback activity (outbound). The higher the callback line (orange), the more likely the threat actors maintained a successful foothold inside the victim organizations.

Using the average attachment rate as a basis, we see that US Labor Day appears to mark the first major surge in APT-based weaponized attachments (3,262%). About one week later, we see another smaller spike, which may indicate the threat actors were not as successful during the first wave; the corresponding drop in callback rates after 9/17/2012 provide strong evidence of this possible correlation.

Regardless, after reviewing more APT attack stats, it’s clear that weaponized attachments are only a piece of a larger picture. In this time frame, these threat actors largely preferred using malicious spear phish links in email instead of sending weaponized attachments in email. Compared to the average attachment rate, the rate of inbound spear phish links peaked at 11,362% above average on 7/9/2012, which is the first Monday after the usual US Independence Day holiday—probably when most employees returned to work and started clicking on the weaponized links.

As the holiday season approaches, we will continue to monitor these trends and provide additional updates throughout the year.