Disparities in Unique Attacks and Other Updates from New Months of Third-Party Code
Matthew Rostick, Economics B.A., University of North Carolina at Chapel Hill
The research team at Duke University and The Media Trust have continued to track malware activity from undesired third-party code against internet users. This blog post updates our readers on the recent activity and trends observed in the data for the months of December and January. I will continue the work of my co-worker Ty Ehuan, who has previously discussed essential findings in the data, which can be found here.
Before looking at the new data, it is worth reviewing previous trends. Back in September, we noted that the compromised content attacks that were prevalent during the summer months had suddenly ceased for the Duke profiles but were still appearing on the remote worker scans. This pattern has continued, as the project has not registered any compromised content scans for Duke students. The number of registered attacks on the Work from Home profiles also decreased, but not to the degree seen for Duke students. This further proves that malicious actors use different attack vectors depending on their target.
Not only does it seem malicious actors are using different vectors, but the malicious incident rate (the percentage of scans that saw an attack) also decreased from September to December. In December, the Duke student profiles' incident rate dropped slightly to 0.07% from the 0.10% value recorded in September. There was a similar decrease in the malicious incident rate for the Work from Home profiles, as they dropped from 0.19% in September to 0.14% and 0.09% in December. The decrease in attacks on Duke student profiles makes sense, given that many students head home for the holidays. However, a decrease in the malicious incident rates for at-home profiles during the holidays is surprising, given the usual increase in online activity such as shopping.
Another area of interest is the number of unique attacks detected. Over the past couple of months, we have seen that the number of unique incidents affecting remote workers is significantly higher than the number affecting Duke profiles. This continued in December, with the Work from Home IP-2 (Spectrum) profile seeing 32 more unique attacks and the Work from Home IP-3 (Google Fiber) profile seeing 48 more attacks than our Duke student profiles. The disparity between the two grew even greater during January, with Work from Home IP-2 and Work from Home IP-3 facing 70 and 71 more unique attacks, respectively, than Duke student profiles. There was a total of 50 more unique at-home attacks in January compared to December. It is hard to say what might have caused such a jump in unique incidents. However, it is plausible that the difference between the Work from Home and Duke student profiles is a result of students being away from school for winter break and thus being a lower-priority target.
Overall, the data collected for the months of December and January showed few significant changes, as previously noted trends stayed relatively stable. We will continue to track malicious attacks on individuals and provide updates on the trends we observe.