Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

11/29/2018
10:30 AM
Eyal Benishti
Eyal Benishti
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Return of Email Flooding

An old attack technique is making its way back into the mainstream with an onslaught of messages that legacy tools and script writing can't easily detect.

Imagine your inbox receiving 15,000 messages over the course of just a few days. What would certainly be an extreme nuisance could also translate into a huge productivity and operations liability, taking days or even weeks to return your primary method of communications back to normal.

Known as email flooding, this easy-to-implement technique is re-emerging among attackers for two primary reasons: to deliver the messages and demands of hacktivists, and as a diversionary tactic to help perpetrate financial or operational fraud.

A Tsunami of Emails
Also known as subscription bombing or email bombing, email flooding dates back to the late-1990s, when attackers automated programs to scan the web for sign-up forms and insert the emails of those being targeted into numerous subscription forms. The targeted emails would subsequently be sent to thousands of emails in a short period of time, often disabling the account.

Such attacks have been used in the past for harassment or for political purposes. One of the first noted instances was in 1996, when a stockbroker in San Francisco was bombarded with a flood of 25,000 emails that prevented him from using his computer.

Symantec argues that such attacks are almost impossible to prevent because they come from legitimate email accounts, and most major mail servers don't even pick them up in spam filters. The attacks can also be carried out automatically with simple scripts at registration forms that aren't protected by CAPTCHA or opt-in email. Today, sophisticated landing pages are built to continuously send automated messages to any valid email address.

A Smokescreen for Fraudulent Transactions
Email bombs are also still used as a means of harassment. In August 2017, an email bomb shut down ProPublica's email for a day, and secure email provider Tutanota was recently hit with a massive bomb that sent 500,000 newsletters to one of its mailboxes. At best, these attacks are a nuisance. But at their worst, they can cripple networks, shutter operations, and lead to a loss of productivity and revenue. 

In addition to hacktivism, email flooding is now being used as a smokescreen for more dangerous phishing techniques such as business email compromise, spearphishing and malware. Criminals use the email flood to distract victims and to exhaust security resources while they perpetrate fraudulent transactions. By the time the targeted person or organization clears the clutter and discovers the legitimate emails notifying them of account changes or suspicious activity, the attackers have made off with the funds.

The end-of-year global security report by AppRiver noted that cybercriminals are increasingly using this so-called "distributed spam distraction" (or DSD) to disguise fraud in real time. The attacks include email subscriptions and text-only messages that bombard the account for a period of 12 to 24 hours, then abruptly end after the real crime has been completed. Email bombs are not only effective but cheap and simple to orchestrate. Services on the Dark Web now enable anyone to bomb an email account with 5,000 messages for as little as $20.

The Underlying Need: A Comprehensive Email Strategy
With all types of phishing attacks increasing in frequency and sophistication, many organizations are hardening their email security posture at both the server and the mailbox. This is especially important to stop email flooding, as traditional email safeguards such as secure email gateways and phishing awareness training are not built to mitigate this technique.

Currently, organizations trying to remediate an email flooding attack are asking IT to create scripts and tools to counter the influx of emails that come in bulk or intermittently. While correct in theory, this approach is time consuming and there is no guarantee that it will work. A paper at the Anti-Phishing Working Group noted that one of the most effective measures against email flooding is a layered approach toward detection and throttling through volume and time-based methodologies with phrasal pattern recognition. Authors of the paper said a combination of user email behavior profiling and anomaly detection can better help identify the start of a bombing attack.

This early detection can enable users to maintain functionality of the inbox by limiting new messages and allowing expected messages to come through. In many cases, it may buy just enough time to enable the user or the security operations center team to prevent a wire transfer.

Hactivists and fraudsters may have very different motivations for launching email flooding attacks, but the outcomes for those on the receiving end are all damaging to finances, reputation, and operations, or a combination thereof. As this old technique makes its way back into the mainstream, those in charge of email security must adopt layered defenses that can detect and respond to an onslaught of messages with the efficiency that legacy tools and script writing cannot. 

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Eyal Benishti has spent more than a decade in the information security industry, with a focus on software R&D for startups and enterprises. Before establishing IRONSCALES, he served as security researcher and malware analyst at Radware, where he filed two patents in the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
11/29/2018 | 1:14:19 PM
Email flooding
Imagine your inbox receiving 15,000 messages over the course of just a few days This happens to me even when I just returned from 2-weeks vacation.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
11/29/2018 | 1:16:09 PM
legitimate
Symantec argues that such attacks are almost impossible to prevent because they come from legitimate email accounts, and most major mail servers don't even pick them up in spam filters. The attacks can also be carried out We should be able to indentify if a legitimate email doing illegitimate things.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
11/29/2018 | 1:17:38 PM
Business
In addition to hacktivism, email flooding is now being used as a smokescreen for more dangerous phishing techniques such as business email compromise, spearphishing and malware. I guess they are mainly after business emails so they can do physhing attack to business network.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
11/29/2018 | 1:19:13 PM
Cost
With all types of phishing attacks increasing in frequency and sophistication, many organizations are hardening their email security posture at both the server and the mailbox. This will certainly increase TCO, maybe best to go with third party systems such as g-suite or O365.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
11/29/2018 | 1:20:34 PM
motivations
Hactivists and fraudsters may have very different motivations for launching email flooding attacks, but the outcomes for those on the receiving end are all damaging to finances, reputation, and operations, or a combination thereof. Or just for the fun of it. They do it because nothing else better to do.
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Virginia a Hot Spot For Cybersecurity Jobs
Jai Vijayan, Contributing Writer,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14832
PUBLISHED: 2019-10-15
A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks.
CVE-2017-10022
PUBLISHED: 2019-10-15
In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing ...
CVE-2019-10759
PUBLISHED: 2019-10-15
safer-eval before 1.3.4 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.
CVE-2019-10760
PUBLISHED: 2019-10-15
safer-eval before 1.3.2 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.
CVE-2019-17397
PUBLISHED: 2019-10-15
In the DoorDash application through 11.5.2 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.