Phishers Favor Fridays (and Verizon is selling you out)

Most phishing emails are sent on Fridays and Mondays, and four out of five are related to security. The crooks send out emails on Friday with a “clean” link, and then over the weekend add exploit code to the destination website — by then, the mail has already been delivered and the URL scanned. I suspect sending on a Friday makes people more likely to put off reading the email until the weekend, when the link has changed.

Trust the corporation, the corporation is your friend*: apparently any Verizon subscribers on here should opt-out within the next month, else Verizon will sell your web browsing history and phone location to marketers (for their Databases of Ruin, of course):

* ( )

“Four out of the top five phishing email subject lines are related to security. These types of attacks represent the largest volume of recent subject lines designed to lure in victims.

Top five phishing email subject lines: *Based on July – September 2012 research

Your account has been accessed by a third party
(Bank Name) Internet Banking Customer Service Message
Security Measures
Verify your activity
Account security Notification


Most phishing emails are sent on Fridays, followed by Monday and Sunday. The bad guys have learned that they can evade email security measures by sending an email with a clean link on Friday or over the weekend – bypassing email URL scanning. Then, over the weekend they compromise the URL with malicious code.

Top phishing days of the week (percentage): *Based on July-August 2012 research

Friday (38.5%)
Monday (30%)
Sunday (10.9%)
Thursday (6.5%)
Tuesday (5.8%)
Wednesday (5.2%)
Saturday (3.2%)

The bad guys know potential victim’s behavioral patterns. They know worker’s minds can stray on Fridays in a more relaxed setting. Relaxation and anticipation of the weekend can lead to more web browsing and an increased likelihood to click on links in emails. Similarly, stricken by a case of the Monday Blues, workers are also more likely to wander. By studying these behavioral elements, phishers know that they can increase their success rate. These guys are masters of lures and understanding their subjects. […]

Recently, attackers responsible for past targeted spear-phishing attacks have added a new wrinkle to the old phishing attack. This one involves lying in wait for targets to come to them, rather than supplying an active lure. Websense Security Labs has identified a number of these attacks, two of which took place prior to June 2012, the date previously disseminated by other researchers as the beginning of this type of attack.

In May 2012, the Websense ThreatSeeker Network detected that the Institute for National Security Studies (INSS) website in Israel was injected with malicious code. INSS is described in its website as an independent academic institute that studies key issues relating to Israel’s national security and Middle East affairs.

While we can’t determine that the infection of this website with exploit code is part of a targeted attack, one could deduce that visitors to this type of site are likely to have an interest in national security or are occupied in this field hence making it an attractive place for cybercriminals and nation states to wait for victims of a certain commonality to saunter by and then infect them. This is an effective way for hackers to reach a very targeted group, without sending out socially engineered lures.”


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: