CYBEREYE—Commentary

As summer ends, phishing season is on the horizon

Labor Day is behind us, rush-hour traffic is back to normal and workers have returned to their desks, looking forward to the winter holiday season. So have the hackers and phishers.

As in much of the corporate world, cyber criminals apparently rely on fourth-quarter revenues to boost their income for the year. After a lazy summer, security companies are predicting that fall and winter will see heightened online activity, with the holiday season offering particularly good pickings for the bad guys.

“The number of phishing attacks we observe tends to follow a natural pattern of high and low points, with the high points often occurring in the latter half of the year, or what might be referred to as ‘phishing season,’” a report from Symantec states.

It used to be assumed that the annual lull-and-boom cycle was driven by the stereotypical school-age hacker. With summer jobs and plenty of other activities to keep them busy from June through August, they were not spending as much time online. When they returned to school with new laptop PCs and high-speed campus connections, they resumed pounding perimeter defenses with gusto. But with the professionalization and criminalization of hacking and phishing, this theory no longer holds up. Today, ’tis the online holiday shopping season that seems to attract their attention.

Tufin Technologies, an Israel-based security company, found similar results in a survey of hackers attending last month’s DefCon conference in Las Vegas. Hackers, like the rest of us, apparently take it easy during the summer.

“The survey reveals that the Christmas and New Year holidays are popular with hackers targeting western countries,” said Tufin’s chief security architect, Michael Hamelin. “Hackers know this is when people relax and let their hair down, and many organizations run on a skeleton staff over the holiday period.”

The survey found that 81 percent of respondents were more active during the winter holidays than over the summer, with 56 percent citing Christmas as the best time for corporate hacking and 25 percent opting for New Year's Eve.

The survey numbers should be taken with a grain of salt. DefCon attendees represent only a small selection of the hacker population to begin with, and the Tufin survey is based on just 79 respondents, so the results probably aren’t statistically significant. But that doesn’t mean they aren’t informative.

Hackers, like the rest of us, apparently shun weekend work when they can, with 85 percent saying they work primarily during the workweek. But 52 percent say they work during the evening hours.

Probably most significantly, the hackers agreed that all the security technology in the world will not protect a network from a badly configured firewall and that regulatory compliance does not make you secure. Only 15 percent of those responding to Tufin said that compliance initiatives have made hacking more difficult, and 15 percent say the initiatives have made hacking easier.

So keep your patches up-to-date and your fingers crossed, don’t talk to strangers, and don’t click on suspicious links. And good luck over the holidays.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Tue, Sep 15, 2009 Jeffrey S

Yes, hackers are human and need vacation time just like the rest of us. I imagine another peak period for malicious phishing is around tax-time. Easy pickins with all the stressed-out, last-minute filers. On-line seasonal shoppers are adopting safer habits. I have noticed my friends and co-workers frequenting and sharing sites that offer easy navigation, customer service, and secure shopping carts, i.e. Extended Validation SSL. More are filtering the spam to trash, to avoid phishing, but probably the toughest habit to break is jumping on a link instead of loading the URL in your browser, oh and changing passwords regularly. /Guilty/ Hackers seem to smell lazy. Takes one to know one I guess.
