Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

11/29/2018
10:30 AM
Eyal Benishti
Eyal Benishti
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Return of Email Flooding

An old attack technique is making its way back into the mainstream with an onslaught of messages that legacy tools and script writing can't easily detect.

Imagine your inbox receiving 15,000 messages over the course of just a few days. What would certainly be an extreme nuisance could also translate into a huge productivity and operations liability, taking days or even weeks to return your primary method of communications back to normal.

Known as email flooding, this easy-to-implement technique is re-emerging among attackers for two primary reasons: to deliver the messages and demands of hacktivists, and as a diversionary tactic to help perpetrate financial or operational fraud.

A Tsunami of Emails
Also known as subscription bombing or email bombing, email flooding dates back to the late-1990s, when attackers automated programs to scan the web for sign-up forms and insert the emails of those being targeted into numerous subscription forms. The targeted emails would subsequently be sent to thousands of emails in a short period of time, often disabling the account.

Such attacks have been used in the past for harassment or for political purposes. One of the first noted instances was in 1996, when a stockbroker in San Francisco was bombarded with a flood of 25,000 emails that prevented him from using his computer.

Symantec argues that such attacks are almost impossible to prevent because they come from legitimate email accounts, and most major mail servers don't even pick them up in spam filters. The attacks can also be carried out automatically with simple scripts at registration forms that aren't protected by CAPTCHA or opt-in email. Today, sophisticated landing pages are built to continuously send automated messages to any valid email address.

A Smokescreen for Fraudulent Transactions
Email bombs are also still used as a means of harassment. In August 2017, an email bomb shut down ProPublica's email for a day, and secure email provider Tutanota was recently hit with a massive bomb that sent 500,000 newsletters to one of its mailboxes. At best, these attacks are a nuisance. But at their worst, they can cripple networks, shutter operations, and lead to a loss of productivity and revenue. 

In addition to hacktivism, email flooding is now being used as a smokescreen for more dangerous phishing techniques such as business email compromise, spearphishing and malware. Criminals use the email flood to distract victims and to exhaust security resources while they perpetrate fraudulent transactions. By the time the targeted person or organization clears the clutter and discovers the legitimate emails notifying them of account changes or suspicious activity, the attackers have made off with the funds.

The end-of-year global security report by AppRiver noted that cybercriminals are increasingly using this so-called "distributed spam distraction" (or DSD) to disguise fraud in real time. The attacks include email subscriptions and text-only messages that bombard the account for a period of 12 to 24 hours, then abruptly end after the real crime has been completed. Email bombs are not only effective but cheap and simple to orchestrate. Services on the Dark Web now enable anyone to bomb an email account with 5,000 messages for as little as $20.

The Underlying Need: A Comprehensive Email Strategy
With all types of phishing attacks increasing in frequency and sophistication, many organizations are hardening their email security posture at both the server and the mailbox. This is especially important to stop email flooding, as traditional email safeguards such as secure email gateways and phishing awareness training are not built to mitigate this technique.

Currently, organizations trying to remediate an email flooding attack are asking IT to create scripts and tools to counter the influx of emails that come in bulk or intermittently. While correct in theory, this approach is time consuming and there is no guarantee that it will work. A paper at the Anti-Phishing Working Group noted that one of the most effective measures against email flooding is a layered approach toward detection and throttling through volume and time-based methodologies with phrasal pattern recognition. Authors of the paper said a combination of user email behavior profiling and anomaly detection can better help identify the start of a bombing attack.

This early detection can enable users to maintain functionality of the inbox by limiting new messages and allowing expected messages to come through. In many cases, it may buy just enough time to enable the user or the security operations center team to prevent a wire transfer.

Hactivists and fraudsters may have very different motivations for launching email flooding attacks, but the outcomes for those on the receiving end are all damaging to finances, reputation, and operations, or a combination thereof. As this old technique makes its way back into the mainstream, those in charge of email security must adopt layered defenses that can detect and respond to an onslaught of messages with the efficiency that legacy tools and script writing cannot. 

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Eyal Benishti has spent more than a decade in the information security industry, with a focus on software R&D for startups and enterprises. Before establishing IRONSCALES, he served as security researcher and malware analyst at Radware, where he filed two patents in the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
11/29/2018 | 1:20:34 PM
motivations
Hactivists and fraudsters may have very different motivations for launching email flooding attacks, but the outcomes for those on the receiving end are all damaging to finances, reputation, and operations, or a combination thereof. Or just for the fun of it. They do it because nothing else better to do.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
11/29/2018 | 1:19:13 PM
Cost
With all types of phishing attacks increasing in frequency and sophistication, many organizations are hardening their email security posture at both the server and the mailbox. This will certainly increase TCO, maybe best to go with third party systems such as g-suite or O365.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
11/29/2018 | 1:17:38 PM
Business
In addition to hacktivism, email flooding is now being used as a smokescreen for more dangerous phishing techniques such as business email compromise, spearphishing and malware. I guess they are mainly after business emails so they can do physhing attack to business network.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
11/29/2018 | 1:16:09 PM
legitimate
Symantec argues that such attacks are almost impossible to prevent because they come from legitimate email accounts, and most major mail servers don't even pick them up in spam filters. The attacks can also be carried out We should be able to indentify if a legitimate email doing illegitimate things.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
11/29/2018 | 1:14:19 PM
Email flooding
Imagine your inbox receiving 15,000 messages over the course of just a few days This happens to me even when I just returned from 2-weeks vacation.
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5118
PUBLISHED: 2019-11-18
A Security Bypass Vulnerability exists in TBOOT before 1.8.2 in the boot loader module when measuring commandline parameters.
CVE-2019-12422
PUBLISHED: 2019-11-18
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CVE-2012-4441
PUBLISHED: 2019-11-18
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the CI game plugin.
CVE-2019-10764
PUBLISHED: 2019-11-18
In elliptic-php versions priot to 1.0.6, Timing attacks might be possible which can result in practical recovery of the long-term private key generated by the library under certain conditions. Leakage of a bit-length of the scalar during scalar multiplication is possible on an elliptic curve which m...
CVE-2019-19117
PUBLISHED: 2019-11-18
/usr/lib/lua/luci/controller/admin/autoupgrade.lua on PHICOMM K2(PSG1218) V22.5.9.163 devices allows remote authenticated users to execute any command via shell metacharacters in the cgi-bin/luci autoUpTime parameter.