Flood of spam email? It may be a screen for fraud
'Distributed Spam Distraction' designed to cover the tracks of online thieves
January 24, 2013 — CSO — If you get hit with an avalanche of obvious spam email, that's one problem. But it may also be an effort to distract you from a much bigger problem: fraudulent purchases and bank transactions made with your stolen identity and credentials.
Fred Touchette, a security analyst manager at AppRiver, wrote in a blog post recently of a Distributed Spam Distraction (DSD) technique, saying that he is seeing it several times a year. "It hasn't quite caught on yet, but you never know," he wrote.
Touchette told CSO Online that he coined the term after observing it for the past several years. "I was trying to think of something descriptive and catchy, along the lines of DDoS (Distributed Denial of Service), since they operate in a similar fashion," he said.
The targets are individuals, whose identity and personal information the thieves already have. The victims' email inboxes suddenly get flooded with thousands upon thousands of emails -- as many as 60,000 during a 12- to 24-hour period -- that contain no links, no graphics, and no advertisements. "[The contents are] nothing but mash-ups of words and phrases from literature," he wrote.
Screen shots of several emails show what is essentially gibberish. "Every email is different as well, nearly perfectly randomized, though if you comb through them carefully, you will begin to see some repeated content," Touchette wrote. "The emails themselves are obviously botnet-delivered too, because all of the senders are different, usually freemail providers, the sending IPs are all different, and the rate at which they're arriving would make one's head spin."
Although the attack, while under way, makes it almost impossible to use one's email account, the real point is to distract the user from valid email, which will likely include confirmations of purchase receipts or balance transfers from fraudulent transactions made with the victim's credentials.
"The attackers, just before they make the illegal transactions, turn on this deluge of spam email in order for these very important emails to get lost in the flood. Once the bad guys are done with their activities they'll stop the flood," Touchette wrote.
Others have noticed the technique, but like Touchette, they say it is not yet common. "At the moment, we have only heard about sporadic attacks and have not seen these attacks as a group or trend yet," said Liam O Murchu, manager of Security Response Operations for NAM for Norton by Symantec.
Murchu said the distraction or flooding technique is not confined to email either. "We have also heard reports of users receiving continuous phone calls in order to prevent the fraud department of banks from reaching the victim," he said, "and although details are sparse right now, we have also heard reports about this smoke-screen method being used to hide text messages from banks."
Neither Touchette nor Murchu has statistics on how successful the technique is, where the attacks originate or how many have been victimized, but they said it can be very successful when aimed at those who don't know what is going on and are overwhelmed by the amount of email.
"If victims don't realize there's something else going on, they can be tempted to ignore all of that day's email or simply delete their inbox en masse," Touchette said. "Once they do that, they won't find out about the attack until their monthly statements arrive, which could be too late to do anything about it."
He said the best way to prevent such attacks is to practice good online safety, which includes regularly monitoring accounts for any suspicious activity, keeping separate accounts for specific uses, never using a debit card for an online transaction, and never conducting a sensitive transaction over public or unencrypted Wi-Fi.
If the flood of email does start, however, Touchette wrote in his blog post that the best thing to do is ignore the email and go directly to your account activity. "Possibly give any that may be at risk a call in advance, which may sound daunting but not as daunting as sifting through tens of thousands of emails over a 24-hour period waiting for the one with the clue," he said.
"These often need to be caught fast so that they can be stopped at the financial institution before they're finalized," he said.
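As an added defender-side illustration (not code from the article, AppRiver or Symantec), the following Python triage flags a DSD flood by the traits described above (a burst of thousands of messages with near-unique senders and sending IPs) and pulls likely transaction notices out of the mash-up noise so they are not deleted en masse. The sample inbox, the financial-sender allowlist, the keyword list and the thresholds are constructed assumptions.

```python
import random
from datetime import datetime, timedelta

# Placeholder allowlist of the victim's own financial senders (assumption, not from the article).
FINANCIAL_DOMAINS = {"bank.example", "card.example"}
TRANSACTION_WORDS = {"receipt", "transfer", "purchase", "confirmation"}

def build_sample_inbox(n_spam=600, seed=1):
    """Constructed inbox: n_spam randomized literature mash-ups from distinct
    freemail senders and IPs inside 30 minutes, plus two real notices buried in them."""
    rnd = random.Random(seed)
    words = "it was the best of times worst age wisdom foolishness epoch belief".split()
    t0 = datetime(2013, 1, 24, 9, 0)
    inbox = [{"ts": t0 + timedelta(seconds=rnd.randint(0, 1800)),
              "from": f"user{i}@freemail{rnd.randint(0, 9)}.example",
              "ip": f"10.{i // 256}.{i % 256}.{rnd.randint(1, 254)}",
              "subject": " ".join(rnd.choices(words, k=4)),
              "body": " ".join(rnd.choices(words, k=40))} for i in range(n_spam)]
    inbox.append({"ts": t0 + timedelta(minutes=10), "from": "alerts@bank.example",
                  "ip": "192.0.2.10", "subject": "Balance transfer confirmation",
                  "body": "A transfer of $4,900 was initiated from your account."})
    inbox.append({"ts": t0 + timedelta(minutes=12), "from": "orders@shop.example",
                  "ip": "192.0.2.20", "subject": "Your purchase receipt",
                  "body": "Thank you for your order."})
    return inbox

def is_flood(messages, window=timedelta(hours=1), threshold=500):
    """Flood = more than `threshold` messages in any `window`, AND nearly every
    message has a distinct sender and sending IP (the botnet trait Touchette describes)."""
    times = sorted(m["ts"] for m in messages)
    start, burst = 0, False
    for end, t in enumerate(times):          # sliding window over arrival times
        while t - times[start] > window:
            start += 1
        if end - start + 1 > threshold:
            burst = True
            break
    if not burst:
        return False
    n = len(messages)
    return len({m["from"] for m in messages}) > 0.9 * n and len({m["ip"] for m in messages}) > 0.9 * n

def triage(messages):
    """Split inbox into (priority, noise); priority = known financial sender or transaction wording."""
    priority, noise = [], []
    for m in messages:
        domain = m["from"].rsplit("@", 1)[-1].lower()
        text = set((m["subject"] + " " + m["body"]).lower().split())
        (priority if domain in FINANCIAL_DOMAINS or text & TRANSACTION_WORDS else noise).append(m)
    return priority, noise
```

The sender-domain match is the stronger signal; keyword matching alone can pick up mash-up messages that happen to contain a transaction word, so review the priority list rather than trusting it blindly.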
Other stories by Taylor Armerding