You are going through your email, when suddenly forty new messages flood into your Inbox. These emails are all addressed to you, and they are coming by the dozens, and then hundreds, then even thousands. The emails are in a variety of different languages. They keep coming all day, and then the next day as well. Marking them as junk mail or spam doesn’t help, and blocking the sender doesn’t help either. Just what is happening? This is a malicious attack called an email bomb.
I was contacted recently by a client who had this very scenario playing out in her email inbox. At first I assumed it was the typical barrage of undeliverable email bounce-backs that show up when your email address was used to spoof a sender in a spam campaign. I’ve seen it before and even had it happen to me twice. This can often be stopped by writing an email rule to send all emails with “undeliverable” in the subject line into the Junk mail folder.
As I looked at the emails, it was clear this was not the case. First, the emails were in a number of languages including French, German, Russian, Japanese, Polish, Kazakh, Ukrainian, Spanish, Greek, in addition to the occasional English language email. Using Google Translate, it became apparent that these were confirmation emails from websites and newsletters thanking my client for signing up. Someone was using software or a bot to sign her up to thousands of websites and newsletters. Fortunately, most of these emails had a confirmation link, which she was not clicking on, and so in most cases there was not going to be a continuous barrage of newsletters following this initial onslaught of confirmation emails. But not all sign-ups had a confirmation link, so her future will include unsubscribing from those services that did not.
There was no clear way to write an email filtering rule to block these emails; there was no common word or phrase to use to categorize the messages. Plus they were in dozens of languages. We tried to increase the sensitivity of the spam filter that was provided by her email service (Comcast) but it was already set to the maximum. We briefly discussed abandoning the email account, but decided that was too disruptive. All that was left was for her to ride it out.
Since most cyber exploits exist to enrich the attacker, I was confused about the motivation of the attacker. Was this purely a revenge attack from a technically savvy Facebook troll? Or was there some way to monetize the email bomb? As I began to research this exploit, one of the first articles I found said that the email bomb was used as a smoke screen to hide fraudulent transactions in hijacked online accounts or the use of stolen credit cards. In the hundreds of bogus emails, the sales transaction emails would be lost or easily overlooked. In fact, the writer of the article found an unauthorized transaction on her Costco account, but the purchase had been made using another person’s credit card. I found that to be pretty clever and devious.
I found a phone app called Email Bomber that could be used for this type of attack, but other research said that email bombing services can be found on the Dark Web for $5 per thousand emails. Other articles said a little script writing would be enough to start the attack. The script searches the Internet looking for sign-up forms, and then adds the email address of the victim, who is automatically subscribed to a website or newsletter. WordPress sites are popular because the sign-up forms often lack rudimentary security challenges such as a Turing test or CAPTCHA.
What can you do if you fall victim to one of these attacks?
- Keep a sharp eye out for transaction emails, and fraudulent transactions on your credit cards, bank and brokerage accounts, and shopping sites.
- Make sure your spam filtering is set to the maximum setting.
- DO NOT click on any confirmation links or any other links in the emails; this prevents the sending of even more offer emails and newsletters.
- DO NOT open any attachments, just to be on the safe side.
- If you start receiving emails and newsletters from the sign-up campaign, you should go ahead and unsubscribe. This should stop any further contact from that source.
- When all else fails, you can change your email address, although there are big problems with this option, since you have to alert all your contacts, and change your email information everywhere it is on file.
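Since the sign-up confirmations share no common phrase to block on, it is easier to search for the few messages that matter. The following is an added example, not part of the original article: it pulls likely transaction notices out of a flooded inbox. The account domains, keyword list and sample messages are all constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption: domains where the mailbox owner really has accounts (constructed).
ACCOUNT_DOMAINS = {"shop.example", "bank.example"}
# Assumption: English subject terms typical of purchase and account-change notices.
TRANSACTION_TERMS = ("order", "receipt", "payment", "purchase", "shipped",
                     "password", "invoice")

def sender_domain(msg):
    """Lowercased domain of the From address ('' if there is none)."""
    address = parseaddr(str(msg.get("From", "")))[1]
    return address.rpartition("@")[2].lower()

def is_account_domain(domain):
    """True for a listed domain or any subdomain of it."""
    return any(domain == d or domain.endswith("." + d) for d in ACCOUNT_DOMAINS)

def triage(raw_messages):
    """Split raw messages into (review_now, likely_bomb) lists of (domain, subject)."""
    review, noise = [], []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        subject = str(msg.get("Subject", ""))
        domain = sender_domain(msg)
        hit = is_account_domain(domain) or any(
            term in subject.lower() for term in TRANSACTION_TERMS)
        (review if hit else noise).append((domain, subject))
    return review, noise

def make(sender, subject):
    """Build a minimal raw message for the constructed sample inbox."""
    return f"From: {sender}\nSubject: {subject}\n\n(body omitted)\n"

# Constructed sample inbox: sign-up confirmations mixed with three real notices.
SAMPLE = [
    make("news@liste.example.org", "Confirmez votre inscription"),
    make("orders@shop.example", "Your order 1001 has shipped"),
    make("info@blog.example.net", "Bitte bestaetigen Sie Ihre Anmeldung"),
    make("Alerts <no-reply@mail.bank.example>", "New payee added"),
    make("noreply@forum.example.com", "Potwierdz subskrypcje newslettera"),
    make("sales@store.example.net", "Receipt for your purchase"),
]

if __name__ == "__main__":
    review, noise = triage(SAMPLE)
    print(f"{len(noise)} messages set aside; review these {len(review)}:")
    for domain, subject in review:
        print(f"  {domain:22} {subject}")
```

The From header can be forged, so anything in the review list is a prompt to check the account itself by logging in directly, not by following links in the message.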
There is more information about this exploit in the articles listed below. Be careful and stay safe.
- Resolving an Email Bomb – Metafilter
- Email bomb – Wikipedia
- Email bomb mitigation – Proton Mail
- Email Bombs Disguise Fraud – Distributed Spam Distraction – App River
- How Journalists Fought Back Against Crippling Email Bombs – Wired.com