Spamming to hide fraud

An interesting article at NetworkWorld last month describes spam bombs sent to victims of fraud and identity theft: the flood of junk is meant to bury the transaction confirmations and notifications coming from the victims' financial institutions.

The targets are individuals, whose identity and personal information the thieves already have. The victims’ email inboxes suddenly get flooded with thousands upon thousands of emails — as many as 60,000 during a 12- to 24-hour period — that contain no links, no graphics, and no advertisements. “[The contents are] nothing but mash-ups of words and phrases from literature,” he wrote.

[…] the real point is to distract the user from valid email, which will likely include confirmations of purchase receipts or balance transfers from fraudulent transactions made with the victim’s credentials.

This doesn’t seem to be a widespread problem currently, and I expect that many of the major ISPs will identify this as a mailbomb and stop the mail. Since many of these messages come from botnets, many ISPs will also reject them during the SMTP transaction. I think for most people there isn’t a huge risk. However, that doesn’t mean we shouldn’t be aware.


  1. Martijn Grooten says

    Brian Krebs wrote about this last year:

    He says that the crooks claim delivery rates of 60% or more. That sounds credible to me. And then it’s far more than a nuisance.

    You’re right that this shouldn’t be a concern for most people, but I wouldn’t be so sure that many ISPs/filters will (be able to) block these emails.

  2. Brian says

    I saw this form of abuse for the first time last week. I was really confused by the content I was seeing. There are no links or images, nothing actually malicious, just a ton of seemingly random text.

    The good news is that some anti-spam products caught the messages. CloudMark Authority Engine detected the message properly as SPAM, but SpamAssassin totally whiffed, scoring the message at 0 on default scoring.

    Tracing the messages and watching the patterns was interesting. Messages were sent in small batches, about 5 to 10 messages per batch, all to the same email address. The source was a bot (whose IP was listed in the CBL) which pushed messages into another bot, which was then relaying the messages through an Exchange server on the network for final delivery. The delivery IP had an excellent reputation and little damage was done by the small amount of message processing. Odds are a lot of these messages were reaching the inbox.

    There was no major uptick in SMTP/network traffic because of the small rate of messages being generated and sent. Only about 150 to 250 messages were processed a day out of this particular compromised point. The failure rate of the messages was really very low, although some ISPs had shut down the receiving accounts already.

    It will be interesting to see if this becomes pervasive.
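The comments above describe why per-source rate limits miss this pattern: each relay point sends only a few hundred messages a day, in batches of 5 to 10, so nothing looks unusual at the sender. Counting link-free messages per recipient across all sources does catch it. The following detector is an added example, not code from the post or its commenters; the log format, thresholds, addresses and IPs are constructed assumptions.

```python
"""Per-recipient burst detector for distraction-spam mailbombs (added example).
Per-source rate limits see a handful of messages per bot; aggregating link-free
messages per *recipient* in a sliding window exposes the bomb instead."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO timestamp> <source_ip> <recipient> <url|nourl>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(nourl|url)$")

def build_sample_log():
    """Constructed log: 8 bot IPs each push 5 link-free messages to the victim
    inside ten minutes (40 total), while bob gets 3 ordinary messages with links."""
    t0 = datetime(2017, 3, 1, 10, 0, 0)
    lines = []
    for i in range(8):
        for j in range(5):
            ts = t0 + timedelta(seconds=60 * i + 7 * j)
            lines.append(f"{ts.isoformat()} 198.51.100.{i + 1} victim@example.org nourl")
    for j in range(3):
        ts = t0 + timedelta(minutes=3 * j)
        lines.append(f"{ts.isoformat()} 203.0.113.9 bob@example.org url")
    return lines

def parse(lines):
    """Yield (timestamp, source_ip, recipient, has_url) tuples; skip malformed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4) == "url"

def find_bursts(events, window=timedelta(minutes=10), threshold=20, min_sources=5):
    """Return {recipient: (peak_count, peak_distinct_sources)} for recipients that
    receive >= threshold link-free messages from >= min_sources IPs within window."""
    recent = defaultdict(deque)  # recipient -> (ts, ip) pairs still inside the window
    flagged = {}
    for ts, ip, rcpt, has_url in sorted(events):
        if has_url:
            continue  # the bombs described above carry no links or images
        q = recent[rcpt]
        q.append((ts, ip))
        while ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        sources = {src for _, src in q}
        if len(q) >= threshold and len(sources) >= min_sources:
            peak = flagged.get(rcpt, (0, 0))
            flagged[rcpt] = (max(peak[0], len(q)), max(peak[1], len(sources)))
    return flagged

print(find_bursts(parse(build_sample_log())))  # {'victim@example.org': (40, 8)}
```

The `min_sources` requirement keeps a single chatty sender (a mailing list digest, a monitoring system) from being flagged; tune the window and thresholds to the site's normal per-recipient volume.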




    Today the US government unsealed an indictment against 2 Russian agents and 2 hackers for breaking into Yahoo's servers and stealing personal information. The information gathered during the hack was used to target government officials, security employees and private individuals. Email is so central to our online identity. Compromise an email account and you can get access to social media, and other accounts. Email is the key to the kingdom.No Comments