Endpoint

11/29/2018
10:30 AM
Eyal Benishti
Eyal Benishti
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Return of Email Flooding

An old attack technique is making its way back into the mainstream with an onslaught of messages that legacy tools and script writing can't easily detect.

Imagine your inbox receiving 15,000 messages over the course of just a few days. What would certainly be an extreme nuisance could also translate into a huge productivity and operations liability, taking days or even weeks to return your primary method of communications back to normal.

Known as email flooding, this easy-to-implement technique is re-emerging among attackers for two primary reasons: to deliver the messages and demands of hacktivists, and as a diversionary tactic to help perpetrate financial or operational fraud.

A Tsunami of Emails
Also known as subscription bombing or email bombing, email flooding dates back to the late-1990s, when attackers automated programs to scan the web for sign-up forms and insert the emails of those being targeted into numerous subscription forms. The targeted emails would subsequently be sent to thousands of emails in a short period of time, often disabling the account.

Such attacks have been used in the past for harassment or for political purposes. One of the first noted instances was in 1996, when a stockbroker in San Francisco was bombarded with a flood of 25,000 emails that prevented him from using his computer.

Symantec argues that such attacks are almost impossible to prevent because they come from legitimate email accounts, and most major mail servers don't even pick them up in spam filters. The attacks can also be carried out automatically with simple scripts at registration forms that aren't protected by CAPTCHA or opt-in email. Today, sophisticated landing pages are built to continuously send automated messages to any valid email address.

A Smokescreen for Fraudulent Transactions
Email bombs are also still used as a means of harassment. In August 2017, an email bomb shut down ProPublica's email for a day, and secure email provider Tutanota was recently hit with a massive bomb that sent 500,000 newsletters to one of its mailboxes. At best, these attacks are a nuisance. But at their worst, they can cripple networks, shutter operations, and lead to a loss of productivity and revenue. 

In addition to hacktivism, email flooding is now being used as a smokescreen for more dangerous phishing techniques such as business email compromise, spearphishing and malware. Criminals use the email flood to distract victims and to exhaust security resources while they perpetrate fraudulent transactions. By the time the targeted person or organization clears the clutter and discovers the legitimate emails notifying them of account changes or suspicious activity, the attackers have made off with the funds.

The end-of-year global security report by AppRiver noted that cybercriminals are increasingly using this so-called "distributed spam distraction" (or DSD) to disguise fraud in real time. The attacks include email subscriptions and text-only messages that bombard the account for a period of 12 to 24 hours, then abruptly end after the real crime has been completed. Email bombs are not only effective but cheap and simple to orchestrate. Services on the Dark Web now enable anyone to bomb an email account with 5,000 messages for as little as $20.

The Underlying Need: A Comprehensive Email Strategy
With all types of phishing attacks increasing in frequency and sophistication, many organizations are hardening their email security posture at both the server and the mailbox. This is especially important to stop email flooding, as traditional email safeguards such as secure email gateways and phishing awareness training are not built to mitigate this technique.

Currently, organizations trying to remediate an email flooding attack are asking IT to create scripts and tools to counter the influx of emails that come in bulk or intermittently. While correct in theory, this approach is time consuming and there is no guarantee that it will work. A paper at the Anti-Phishing Working Group noted that one of the most effective measures against email flooding is a layered approach toward detection and throttling through volume and time-based methodologies with phrasal pattern recognition. Authors of the paper said a combination of user email behavior profiling and anomaly detection can better help identify the start of a bombing attack.

This early detection can enable users to maintain functionality of the inbox by limiting new messages and allowing expected messages to come through. In many cases, it may buy just enough time to enable the user or the security operations center team to prevent a wire transfer.

Hactivists and fraudsters may have very different motivations for launching email flooding attacks, but the outcomes for those on the receiving end are all damaging to finances, reputation, and operations, or a combination thereof. As this old technique makes its way back into the mainstream, those in charge of email security must adopt layered defenses that can detect and respond to an onslaught of messages with the efficiency that legacy tools and script writing cannot. 

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Eyal Benishti has spent more than a decade in the information security industry, with a focus on software R&D for startups and enterprises. Before establishing IRONSCALES, he served as security researcher and malware analyst at Radware, where he filed two patents in the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
11/29/2018 | 1:20:34 PM
motivations
Hactivists and fraudsters may have very different motivations for launching email flooding attacks, but the outcomes for those on the receiving end are all damaging to finances, reputation, and operations, or a combination thereof. Or just for the fun of it. They do it because nothing else better to do.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
11/29/2018 | 1:19:13 PM
Cost
With all types of phishing attacks increasing in frequency and sophistication, many organizations are hardening their email security posture at both the server and the mailbox. This will certainly increase TCO, maybe best to go with third party systems such as g-suite or O365.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
11/29/2018 | 1:17:38 PM
Business
In addition to hacktivism, email flooding is now being used as a smokescreen for more dangerous phishing techniques such as business email compromise, spearphishing and malware. I guess they are mainly after business emails so they can do physhing attack to business network.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
11/29/2018 | 1:16:09 PM
legitimate
Symantec argues that such attacks are almost impossible to prevent because they come from legitimate email accounts, and most major mail servers don't even pick them up in spam filters. The attacks can also be carried out We should be able to indentify if a legitimate email doing illegitimate things.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
11/29/2018 | 1:14:19 PM
Email flooding
Imagine your inbox receiving 15,000 messages over the course of just a few days This happens to me even when I just returned from 2-weeks vacation.
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.