A bit over 6 years ago, in December, people interested in security and anti-fraud were bracing themselves. With every major retailer seeing tremendous spikes in sales, they were expecting a malware attack surge, similar to those observed in previous years in December. Criminals in those days wanted to hide in the volumes. Everyone just hoped it wouldn’t be too close to Christmas Eve. We’d rather open gifts and eat turkey with the family. That year, the rally started mid-December. Defences were prepared, some losses were taken, but nothing too bad. All was OK.
A year later, we were ready again. Sitting in SOCs, watching the 3D earth models spinning around and eyeballing the incident feeds for red lines, when something interesting happened:
Some yellow feed lines. But, nothing bad really.
By Christmas Eve we were increasingly anxious. “There will surely be a late Christmas rally this year, we’ll have to spend Christmas in the SOC, and we’re going to miss out on the turkey!”
But nothing happened.
In the second week of January, malware-assisted fraud campaigns returned. It was almost as if all the criminals had gone on a skiing holiday. They campaigned until early summer. Then, like in December, they took a leave of absence. It occurred to some that criminals had adopted a more 9-to-5 mentality. We did some digging and didn’t find conclusive evidence, but a plausible correlation for sure.
The pattern repeated itself, and to this day we find that attacks decrease when criminals go on holiday, and we see some 9-to-5 behaviour too.
As criminal organisations are growing, they’re professionalizing, creating procedures, squeezing margins, generating ROI, reducing risk. And also, they’re reusing old malware, decelerating innovation, becoming 9-to-5, managing their supply chains, feeding their families, going on holidays and becoming more predictable.
Is that such a bad thing?
If only criminals were the sole adversaries, their predictability would make defence a lot easier. Alas, obviously, there are other motives. As hacktivism, espionage and nation-state attacks increase, we can expect more nasty, out-of-the-box attacks. We would even wager that the next disruptive attack won’t come from criminals.
When we work on those previously unknown attack types, we will think: better the devil you know.