Thanksgiving in the United States is considered by many to mark a good time of year to gain insight into enterprise access and threats.
From an enterprise point of view, Thanksgiving is when many American users will be on vacation, but may still working from home, in some capacity. It's interesting to see users' access patterns as they pertain to enterprise applications, such as email or other SaaS platforms, during the holiday.
At the same time, Thanksgiving also marks the kick off of the holiday shopping season. Shopping events like Black Friday and Cyber Monday - where retailers offer numerous deals on products and services - create opportunities for criminals looking to abuse user engagement and their holiday spirit. Today's post will show the story behind these access patterns and threats and explore the challenges associated with them on modern enterprise networks.
Today, the concept of a network perimeter is loosely defined. This is because the perimeter now includes users who are connected at anytime, from anywhere, using devices for both work and personal function.
Enterprise Access Distribution Patterns in the US
Image 1: Users distribution in the US during Thanksgiving vs. previous Monday
The research behind today's post draws from Akamai's visibility into enterprise application access between the first week of November through the first week of December 2019. A deeper analysis of the data was done during the Thanksgiving weekend and the days prior; here are some of the findings and insights:
Accessibility during the holiday weekend: While the usage of enterprise applications was reduced significantly, users still continued to access enterprise applications during the holiday time.
The working day prior to Thanksgiving: While the number of users two days prior to the holiday were very similar (November 26th and 27th), the distribution of access location increased (November 27th). We suspect the reason for that relates to the fact that many employees are working from home. We can see that on November 27th, users across the US were accessing enterprise applications from 1,340 different cities vs. 1,141 cities on the 26th.
Image 2: Enterprise users access trends users before and prior Thanksgiving
Mobile phones accessibility: In Figure 3, we can see that the percentage of users accessing enterprise applications over Thanksgiving was more than double that of a normal working day. On November 28th, 5.2% of users were using mobile phones (iOS 2.9%, Android 2.3%). On November 25th, the count was only 2% of the users. The increased usage of mobile phones over holidays and weekends seemingly represents users' need to continue to be connected to enterprise applications from anywhere at any time.
Weekends access overtime: We can see persistent access to enterprise applications over the weekends. This points to a continuous trend in the way users are accessing enterprise applications over non traditional working days.
Image 3: Percentage of users accessing using mobile phone devices over time
Threats Analysis in the US
Looking at the number of phishing victims in the US during the Thanksgiving holiday (before, during, and after), we see a significant increase in the number of phishing victims at the start of the holiday, with up to a 100% increase in some cases.
Image 4: Number of phishing victims, sample of US traffic
A deeper dive into the phishing websites and the associated abused brands during this timeframe shows that high tech brands were most frequently targeted. However, right around Thanksgiving and continuing on past Cyber Monday, we can see an increase in E-commerce and Media brands being targeted. E-commerce and Media brands are a more popular target during this time frame.
Image 5: Number of phishing victims per targeted brand industry, sample of US traffic
Looking into phishing campaigns during the holiday window shows criminals continuing to use social engineering techniques that make phishing websites seem to be as real as possible. By using certain techniques, criminals leverage a victim's engagement with the phishing website or brand, creating a trust level that leads to victims giving away sensitive and private information.
The most common techniques we were able to see being used are:
Typosquatting and Brandjacking: Criminals are using the same, or similar brand names, in newly registered domains to lure victims in with a false sense of trust. We could also see domain names containing keywords such as "coupons", "vouchers", "gift", "Thanksgiving", and "Christmas" being used in these campaigns.
Quiz scams: We observed a continued trend of phishing websites using fake surveys and quizzes to better engage victims, as well as the usage of social networks to distribute these campaigns rapidly.
Users expect to have access to network applications regardless of location or device, regardless if it is a weekend or holiday.
At the same time, criminals are not staying idle, and the volume and velocity of their attacks continue to grow. They're taking advantage of the holiday season and the lowered defenses of consumers looking for a bargain, to obtain personal and sensitive information, or trick them into installing malicious applications or visit malicious websites.
We can no longer assume threats that are associated with consumers are less relevant to those associated with enterprise operations. As we observed, users access enterprise and personal applications on the same device, often at the same time, and are frequently working while out of the office.
From our observations, we can clearly see that many enterprise networks are starting to allow their users more freedom to access resources outside of the corporate network. This means they're ready to take the next step and evolve to an environment under the concept of Zero Trust, which exists without VPNs and where users and assets are protected no matter what's happening on the device.