The SPAM Bomb
The symptoms of a SPAM, email or subscription bomb attack are almost impossible to miss. The victim will suddenly receive a very large volume of emails, possibly arriving faster than they can be deleted. The root cause is also relatively simple: someone has harvested the email address and signed it up to multiple subscription services. The ‘confirmation’ process that many sites put in place is relatively easy for bots to overcome, and the scammer will also have access to numerous sites that lack such precautions.
The culprit could be a prankster, possibly an acquaintance or someone the victim has annoyed on an online engine. On the other hand, the flood of messages could be hiding a fraud. Faced with an extremely large volume of messages, a common reaction is to delete them in bulk. A single confirmation of a genuine transaction buried in such a flood will then go unnoticed. In an article from Signifyd, Katherine Wood describes how confirmation of a fraudulent Apple Store purchase was hidden amongst 50,000 emails, with more coming in at a rate of 10 or 12 per minute. Katherine was able to contact her bank to recover the funds, but the perpetrator had already picked up the iPhone, purchased in her name, from a local Apple Store.
Although an email client’s SPAM filter will have caught many messages, it is unlikely to catch them all, and any scam-related content may itself end up in the SPAM folder. The fraudster will have harvested or bought email addresses and associated credit card details and used the email bomb to hide the fraud. Accounts that allow direct purchases, such as Amazon (where a credit card does not need to be entered to buy if the user is signed in), are also at risk. The destination address could be changed, or the criminal could use the sender’s tracking to steal the package. There might also be a risk within the emails themselves. Reputable subscription services will include an ‘unsubscribe’ option within any communications, and this should be the best way to terminate any such service. However, fake subscriptions could be hidden amongst the flood of SPAM, with the ‘unsubscribe’ option linking to malware sites. The only truly safe way to stop these messages is to go directly to the genuine site and unsubscribe from there. This would be a lengthy process for each of several thousand emails, any of which could be in a language or script that the recipient is unfamiliar with.
The ultimate solution is to create a new email address and move every account that uses the original for financial transactions over to it, cancelling any suspect purchases along the way. Systems such as 2FA work against the victim here: possible fraud needs to be tracked down quickly, but confirming each change could require additional verification stages. Bank accounts also need to be checked for unexpected transactions. The compromised email account will still need to be monitored, as a fraudster might weaponise the scam some time after an initial flood of messages, on the reasonable assumption that the victim has given up on checking.
There are some precautions that can be put in place on an email client to reduce the effect of email bombs on an account:
- Mark known suspect emails as junk and block the sender.
- Add known good addresses to a ‘safe senders list’.
- Create rules or adjust junk settings to send messages with certain addresses or keywords directly to SPAM.
- Many clients, including Outlook and Thunderbird, have options for safe links. These will disable links within emails or replace hyperlinks with their underlying page link.
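
The rules above can also be applied to an exported mailbox before anything is bulk-deleted, so that a purchase confirmation hidden in the flood is set aside for reading. The following is an added example, not taken from the original article; the sender addresses, keyword lists and sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed values for illustration: replace with your own senders and keywords.
SAFE_SENDERS = {"alerts@bank.example"}
TRANSACTION_WORDS = ("order", "receipt", "purchase", "payment", "shipped", "pickup")
SUBSCRIPTION_WORDS = ("subscri", "newsletter", "welcome to")

def classify(msg) -> str:
    """Return 'safe', 'review' or 'junk' for one parsed message."""
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    subject = str(msg.get("Subject", "")).lower()
    # From can be forged, so 'safe' only means "keep this", not "trust this".
    if sender in SAFE_SENDERS:
        return "safe"
    # Transaction wording is checked before any junk rule, so a purchase
    # confirmation is never swept away with the subscription flood.
    if any(word in subject for word in TRANSACTION_WORDS):
        return "review"
    # List-Unsubscribe (RFC 2369) marks bulk mail in any language or script.
    if msg.get("List-Unsubscribe") or any(w in subject for w in SUBSCRIPTION_WORDS):
        return "junk"
    return "review"  # unknown mail stays with a human rather than being deleted

def triage(raw_messages):
    """Group subjects by bucket; nothing is deleted and no link is followed."""
    buckets = {"safe": [], "review": [], "junk": []}
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        buckets[classify(msg)].append(str(msg.get("Subject", "")))
    return buckets

# Constructed sample flood (not real mail).
SAMPLE = [
    b"From: News <news@list1.example>\nSubject: Please confirm your subscription\n"
    b"List-Unsubscribe: <https://list1.example/u>\n\nhi",
    b"From: Store <noreply@store.example>\nSubject: Your order is ready for pickup\n\nhi",
    b"From: alerts@bank.example\nSubject: Monthly statement\n\nhi",
    b"From: promo@list2.example\nSubject: Bienvenue\n"
    b"List-Unsubscribe: <https://list2.example/u>\n\nhi",
    b"From: x@list3.example\nSubject: Welcome to our newsletter\n\nhi",
]

if __name__ == "__main__":
    for bucket, subjects in triage(SAMPLE).items():
        print(bucket, subjects)
```

Only the 'junk' bucket is a candidate for bulk handling; everything in 'review' should be read and checked against the genuine site or the bank.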