Friday, September 27, 2024

 

DIGITAL LIFE



Email Bombers Strike With 50,000 Messages To Hide iPhone Theft

There are all sorts of cyber threats that we have to be wary of, whether they come via our smartphone or laptop screens. The email bomb attack, however, remains one of the most dangerous and least-reported, and ignorance of it could be very costly indeed. Here’s what you need to know.

What Is An Email Bomb Attack?

An email bomb attack is when a malicious actor floods your email account with messages with nefarious intent. That intent could be as simple as causing an annoyance, some kind of revenge for perceived or actual harm to them, but it is more likely to be in order to hide something much more dangerous and costly: fraud.

Imagine waking up to a notification screen that has gone off the charts, an email inbox that has thousands of new unread messages when ordinarily you might expect a couple of dozen. Imagine this flood of email messages just doesn’t stop. That’s an email bomb in action.

Earlier this year, a data scientist at a fraud prevention company, Katherine Wood, awoke to just such a scenario. Their email inbox, described as usually being “tidy and tranquil,” was a hot mess of English, Chinese, Japanese, Russian and Polish language messages from people they didn’t know, related to account creation on sites they had never visited and subscriptions to newsletters they had never heard of. This was, it quickly became apparent, more than just a spam filter that had stopped working. This was an email bomb. “I was under some kind of attack,” Wood wrote (https://www.signifyd.com/blog/email-bomb-spam-attacks/), the purpose of which was “to bury evidence of an unauthorized transaction through sheer, overwhelming volume.” In Wood’s case, the fraud was discovered to be the purchase of a new iPhone 15 from the Apple Store, a purchase made using the victim’s email address and credit card number.

Federal Agency Issues Email Bomb Security Alert

The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued an official alert on defending against and mitigating email bombing attacks, following such incidents targeting the healthcare and public health sectors. Beyond the denial of service, or service interruption, aspects of such an attack, which in and of themselves could prove critical given the sector involved, there are often more malicious intentions. Just as with the fraud against Wood, the email bombers could be looking to drown out important email messages, such as ones alerting to attempted account sign-ins or compromise.

That HC3 sector alert included some useful information about the types of email bombing attacks that can take place. These can use a variety of methodologies including:

Registration Bombs: The newsletter sign-ups and account creation confirmations as mentioned earlier.

Large Attachment Attacks: These involve sending multiple emails with large attachments to overwhelm server storage space and make it unresponsive.

Link Listing Attacks: Flooding the target mailbox with maliciously subscribed content.

Email Bombing As A Service: The dark web and criminal forums offer email bombing services starting at just $10 for a few thousand messages and rising according to the volume required.

What To Do If You Fall Victim To An Email Bomb Attack

The truth of the matter is that you won’t be able to stop an email bombing attack when it is in full flow. Hopefully, your email provider will have decent spam filtering that at least moves most of the activity to your junk folder. However, you should not just ignore these emails because, as already stated, they are usually there as a smokescreen for nefarious actions.

While you are waiting for the flood to stop, and it will, I would advise that you attempt to speed-read through the subject lines if nothing else. Keep an eye out for those that confirm an order for a product or service. Do not, however, use any links in such emails to visit the site concerned to see what has been bought and try to put a stop to it.

These could lead you to further fraud attempts. Instead, make a note of the email and visit the site using your normal browser, manually entering the URL yourself, or email a known support address or call a known support number. Similarly, keep a close eye on bank and credit card statements for any unrecognized transactions.
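One way to automate the subject-line skim described above, as an added example that is not part of the original article: it decodes each message's Subject header (the flood is multilingual and often MIME-encoded), surfaces order and account-security subjects, and keeps only the subject and sender domain so that no link is ever followed. The keyword patterns, the function name `triage` and the constructed sample messages are assumptions to tune for your own mailbox.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed keyword patterns (not from the article); tune them for your mailbox.
REVIEW = {
    "order": re.compile(r"\b(order|receipt|invoice|purchase|payment|shipp(ed|ing))\b", re.I),
    "account": re.compile(r"\b(sign[- ]?in|log[- ]?in|password|verification code|security alert)\b", re.I),
}
NOISE = re.compile(r"\b(welcome|subscri(be|ption)|newsletter|confirm your (email|registration)|activate)\b", re.I)

def triage(raw_messages):
    """Return (review, counts): subjects needing a human look, plus bucket totals."""
    review, counts = [], {"review": 0, "noise": 0, "other": 0}
    for raw in raw_messages:
        # policy.default decodes RFC 2047 encoded-word subjects to plain text.
        msg = message_from_string(raw, policy=policy.default)
        subject = str(msg.get("Subject", "")).strip()
        # From is spoofable: treat the domain as a hint for where to look, not proof.
        domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
        # Review patterns win over noise patterns, so a receipt is never buried.
        hit = next((name for name, rx in REVIEW.items() if rx.search(subject)), None)
        if hit:
            # Keep subject and sender domain only: no body, so no links to click.
            review.append((hit, domain, subject))
            counts["review"] += 1
        elif NOISE.search(subject):
            counts["noise"] += 1
        else:
            counts["other"] += 1
    return review, counts

# Constructed sample messages (not real mail), including MIME-encoded subjects.
SAMPLE = [
    "From: News <hello@newsletter.example>\nSubject: Welcome! Please confirm your subscription\n\nbody",
    "From: Forum <noreply@forum.example>\nSubject: =?UTF-8?Q?=D0=9F=D1=80=D0=B8=D0=B2=D0=B5=D1=82?=\n\nbody",
    "From: Store <orders@store.example>\nSubject: =?UTF-8?Q?Your_order_W123_has_shipped?=\n\nbody",
    "From: Bank <alerts@bank.example>\nSubject: Security alert: new sign-in to your account\n\nbody",
    "From: Shop <no-reply@shop.example>\nSubject: Activate your account\n\nbody",
]

if __name__ == "__main__":
    review, counts = triage(SAMPLE)
    print(counts)
    for category, domain, subject in review:
        print(f"[{category}] {domain}: {subject}")
```

Anything in the "other" bucket still deserves a skim, since a keyword list will miss confirmations worded differently or written in another language.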

Davey Winder
