Distributed spam attacks flood a user’s inbox with thousands of emails, without warning, so that a fraudulent charge goes unnoticed. Troy Gill, threat hunter and manager of security research at Zix, discusses how hackers are able to gain this kind of access, signs that your browser session has been hijacked, and what steps you can take to mitigate these kinds of attacks.
We are all familiar with phishing scams, where businesses and users alike receive emails mimicking services they already use in an attempt to steal their credentials. What many people are not aware of is that a completely different kind of email scam happens to people every day, referred to as “distributed spam attacks” or “email bombers.”
What Are Distributed Spam Attacks and Email Bombers?
Imagine you’re at work, going about your business, when all of a sudden your email inbox is flooded with over 5,000 emails, rendering it useless. You have no idea how or why it happened; all you can think to do is clear out your inbox enough to resume work, but this is exactly what attackers want you to do. The goal of this kind of Denial of Service (DoS) attack is that while you frantically clear your inbox, you miss legitimate notices of fraudulent charges and reports of suspicious activity on your accounts.
How Do Email Bombers Initiate Distributed Spam Attacks?
While distributed spam attack methods vary, most of the cases our research team has observed use legitimate newsletter sign-ups on uncompromised websites. The email bombers use automated bots that crawl the web searching for newsletter sign-up pages or forms that do not require any form of live-user authentication.
Once the email bomb order is placed, scheduled, and begins, the bots sign the target up for the whole list of newsletters at once. This floods the user’s inbox immediately; while for larger corporations this may cause nothing more than frustration, for smaller businesses that rely on email to stay afloat, this kind of attack can be detrimental.
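The abuse described above works because the targeted forms subscribe an address the moment a form is submitted, with nobody checking that the address owner asked for it. As an added illustration from the site operator's side (not code from the article or from Zix), here is a minimal double opt-in sign-up service for one site: a form submission only queues a confirmation mail carrying a random token, the address is subscribed only when that token is presented back, and repeat submissions for the same address within a cooldown window send nothing further. The class, its method names and the 600-second cooldown are assumptions made for this example.

```python
import secrets
import time

# Minimum gap before a second confirmation mail goes to the same address
# (value chosen for this example, not a figure from the article).
RESEND_COOLDOWN_SECONDS = 600


class SignupService:
    """Double opt-in newsletter sign-up for one site (hypothetical service).

    A form submission never subscribes anybody; it only queues one confirmation
    mail carrying a random token. The address joins the list when that token is
    presented back, i.e. by whoever controls the mailbox, so a bot submitting a
    victim's address gains nothing beyond one confirmation mail per cooldown.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so the flow can be tested deterministically
        self.pending = {}        # email -> (token, issued_at)
        self.subscribed = set()
        self.outbox = []         # simulated mail queue of (email, token)

    def request_signup(self, email: str) -> str:
        email = email.strip().lower()
        if email.count("@") != 1 or "." not in email.split("@")[1]:
            return "rejected: malformed address"
        if email in self.subscribed:
            return "ignored: already subscribed"        # generates no mail at all
        prev = self.pending.get(email)
        if prev is not None and self._now() - prev[1] < RESEND_COOLDOWN_SECONDS:
            return "ignored: confirmation already sent"  # bot repeats are absorbed here
        token = secrets.token_urlsafe(32)               # unguessable, single-use token
        self.pending[email] = (token, self._now())
        self.outbox.append((email, token))
        return "pending: confirmation sent"

    def confirm(self, email: str, token: str) -> bool:
        """Subscribe the address only if the presented token matches the one mailed out."""
        email = email.strip().lower()
        entry = self.pending.get(email)
        if entry is None or not secrets.compare_digest(entry[0], token):
            return False
        del self.pending[email]
        self.subscribed.add(email)
        return True


def bot_burst(service: SignupService, email: str, attempts: int) -> int:
    """Simulate a sign-up bot hammering the form with one victim address;
    returns how many confirmation mails that actually produced."""
    before = len(service.outbox)
    for _ in range(attempts):
        service.request_signup(email)
    return len(service.outbox) - before


if __name__ == "__main__":
    svc = SignupService()
    print("mails sent for 200 bot submissions:", bot_burst(svc, "victim@corp.example", 200))
    print("subscribed without confirmation?", "victim@corp.example" in svc.subscribed)
```

The cooldown limits how much mail one site can be made to send to a victim; the token check is what prevents the address from ever being subscribed without the mailbox owner's action.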
What Is the End Goal for Email Bombers?
During distributed spam attacks, our security research team has observed a range of fraudulent purchases, including airline tickets, Best Buy pick-up orders, and a growing number of Apple store orders. Using pick-up orders rather than shipped orders further conceals the attacker’s identity: mules are hired to collect the packages on the attacker’s behalf while the spam attack is still in its early stages.
Bombing for Hire on the Dark Web
Attackers maintain lists of these vulnerable sites and, in some cases, even advertise how often they update their attack lists and set a price for others to purchase the attacker’s services. Some attacks for hire are initiated out of spite for a specific individual, but there are cases where the user’s information ends up on various malware lists, leaving the user subject to repeated attacks for years to come.
Pricing structures vary for these attacks; however, one of the most “reputable” sellers, who has been around the longest, charges approximately $15 per 5,000 messages, and some offer discounted rates for bulk purchases – such as $30 for 20,000 messages and so on. Below are two samples of advertisements posted by hacking groups that were pulled from the Dark Web.
The number of DSD attacks we are seeing has increased since our research started, from once a week to multiple times a day; when you look back at the numerous data breaches that occurred during the pandemic, this rise is understandable.
What Can Be Done To Stop These Attacks?
While there are tools that mitigate the impact of these attacks by placing strict filters on the email address until account activity returns to a normal level, there is no way to stop them from happening altogether. That said, to reduce the risk of an attacker gaining access to your financial information and making a fraudulent charge, you should use security tools such as multi-factor authentication, never reuse a password, and make sure each password is a solid mix of characters, cases, symbols, and numbers. You should also maximize the length of your password: 8 characters is the minimum, but 10-12 is better.
If you want to shore up your accounts even further and reduce the impact an attack has on your day-to-day operations, designate a specific email address used only for sites you make purchases from. This way, when an email bomber obtains your email address, it will only affect one portion of your inbox. While it should go without saying, you should never use your work email account to make personal purchases.
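The article mentions tools that place strict filters on a bombed address until activity returns to normal, and it stresses that the real damage is the fraud notices buried under the flood. The following Python is an added example (not the article's or Zix's code) of that idea applied to a mail gateway's delivery log: a per-recipient sliding window flags a burst of messages from many unrelated sender domains, messages arriving during the burst are held for later review, mail from a short list of priority senders (bank and card-issuer alerts) is always delivered, and the hold lifts on its own once the window empties. The log line format, the thresholds and every address are constructed for the demo.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# One simplified delivery-log line per message (constructed format for this example).
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) '
    r'to=<(?P<rcpt>[^>]+)> from=<(?P<sender>[^>]+)> subject="(?P<subject>[^"]*)"$'
)

# Tuning values are assumptions for the demo, not figures from the article.
WINDOW = timedelta(minutes=10)   # sliding window per recipient
BURST_THRESHOLD = 50             # messages inside WINDOW before holding starts
MIN_DISTINCT_DOMAINS = 20        # a bomb arrives from many unrelated senders

# Senders delivered even during a burst: the fraud alerts the bomb is meant
# to bury (constructed addresses; a real list comes from your providers).
PRIORITY_SENDERS = {"alerts@bank.example", "no-reply@cardissuer.example"}


def parse_line(line: str):
    """Return (timestamp, recipient, sender, subject), or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["rcpt"].lower(), m["sender"].lower(), m["subject"]


class BombDetector:
    """Per-recipient sliding window of recent (timestamp, sender domain) pairs."""

    def __init__(self):
        self.recent = defaultdict(deque)

    def observe(self, ts, rcpt: str, sender: str) -> bool:
        q = self.recent[rcpt]
        q.append((ts, sender.rsplit("@", 1)[-1]))
        while q and ts - q[0][0] > WINDOW:   # expire entries older than the window
            q.popleft()
        domains = {d for _, d in q}
        return len(q) >= BURST_THRESHOLD and len(domains) >= MIN_DISTINCT_DOMAINS


def triage(lines):
    """Decide per message: deliver, deliver-priority, or hold (quarantine for review)."""
    det = BombDetector()
    decisions = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, rcpt, sender, _subject = parsed
        if sender in PRIORITY_SENDERS:
            decisions.append((rcpt, sender, "deliver-priority"))  # never counted, never held
            continue
        action = "hold" if det.observe(ts, rcpt, sender) else "deliver"
        decisions.append((rcpt, sender, action))
    return decisions


def summarize(decisions) -> dict:
    return dict(Counter(action for _, _, action in decisions))


def build_sample_log():
    """Constructed log: a 60-message bomb against one mailbox, a bank alert in the
    middle of it, unrelated mail to a colleague, and one newsletter 30 minutes
    later, after the burst has subsided."""
    victim = "alice@corp.example"
    base = datetime(2021, 3, 4, 9, 0, 0)

    def stamp(t):
        return t.strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    for i in range(60):
        if i == 30:
            lines.append(f'{stamp(base + timedelta(seconds=30))} to=<{victim}> '
                         f'from=<alerts@bank.example> subject="Unusual card activity"')
        lines.append(f'{stamp(base + timedelta(seconds=i))} to=<{victim}> '
                     f'from=<news@site{i:02d}.example> subject="Confirm your subscription"')
    lines.append(f'{stamp(base + timedelta(minutes=1))} to=<bob@corp.example> '
                 f'from=<hr@corp.example> subject="Timesheets"')
    lines.append(f'{stamp(base + timedelta(minutes=30))} to=<{victim}> '
                 f'from=<news@late.example> subject="Weekly digest"')
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for rcpt, sender, action in triage(SAMPLE_LOG):
        if action != "deliver":
            print(f"{action:16} {rcpt:20} {sender}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the constructed log the first 49 bomb messages pass before the threshold is reached, the remaining 11 are held, the bank alert in the middle of the burst is delivered with priority, and the newsletter arriving 30 minutes later is delivered normally because the window has emptied. A production version would also record the held messages for the user to review, since the flood itself may contain confirmation mails worth unsubscribing from.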