Email Bombing: Why You Need to be Concerned

Over the last few months, the topic of email bombing has been brought to our attention multiple times, mostly queries from customers that go something like this:

“I have a few users experiencing some sort of spam attack, where they are receiving thousands of random registration or subscription emails. What do I do, and why is it occurring? Help!”

This scenario is known as email or subscription bombing. Attackers, using various tools and services, subject the victim to a tsunami of emails, usually as a cover for other fraudulent activities. This email flood consists of thousands of legitimate registration or subscription notifications from different websites across the globe, in many different languages.

The attackers use automated tools that target websites that do not require any sort of authentication to subscribe. Input the victim email address, and hey, presto, instant unwanted email. Do this across a few thousand different websites and you have an email bomb.

Figure 1. An example of an unwanted registration email used in an email bomb. Victims will receive thousands of different types of confirmation emails in multiple different languages.

Figure 2. Email bombing attack showing a wide range of notifications.


Email Bombing Tools and Services

Attackers use email bombing tools and services that are freely and cheaply available on underground forums. Figure 3 shows an example of a recently advertised tool called “DiddyBomber,” which costs $8 per day or $30 per month.

Figure 3. An email bombing tool advertisement on an underground forum.

DiddyBomber is an easy-to-use Telegram-based bot that requires only a few simple commands.

Figure 4. DiddyBomber Telegram usage commands.

Why do Email Bombs Occur?

Email bombing is not new, but given the increased number of reports we have received recently, the practice seems to be on the rise. So why do threat actors use email bombs? There are multiple reasons, but two key ones that we will explore here.


A Smokescreen for Fraudulent Activity

The first and more established reason for email bombing is to act as a smokescreen for fraudulent activity. Attackers bombard you with emails to hide something, usually a real notification email about a transaction they don’t want you to see.

A common scenario helps attackers receive fraudulently purchased goods from a retailer. Basically, attackers obtain stolen account and credit card details, use them to order an item, and then have it shipped somewhere else. They then email bomb the victim so that the real confirmation email is hidden amongst all the noise. The real email is highly likely to be overlooked or deleted by the victim struggling to regain control of their inbox.

The types of fraudulent activity mentioned above that are often linked with email bombs vary. Here are some themes we have seen reported:

  • Parcel redirection for online retailers including Amazon, Walmart, Home Depot, and the Apple Store.
  • Booking airline tickets with stolen credit card details, or with accumulated air points.
  • Payroll systems, where attackers log into the system and add a fake new employee to be paid or change the direct deposit details of an existing employee to route payment to their accounts on the next payroll cycle.
  • Purchasing tickets through vendors like Ticketmaster.


A Pretext for a ‘Support’ Call

The second reason, and potentially the more damaging one for organizations, is to serve as a pretext for a forthcoming scam phone call. We have seen this attack scenario increase over the past year.

The attacker will employ an email bomb against the victim and then follow up with a phone call or Microsoft Teams call, pretending to be someone from the IT helpdesk offering to solve the spam problem. The “solution” involves installing remote desktop assistance software such as AnyDesk or Quick Assist, which gives the attacker control of the system and can lead to further malicious software being installed.

This attack variant is a more recent phenomenon that can lead to serious infiltration. Rapid7 reported the Black Basta ransomware gang employed email bombing as a component of a larger social engineering campaign. In this situation, Black Basta targeted multiple users in an organization with the email bomb and subsequent follow-up call as a method of gaining a foothold in the organization for larger attacks, such as data theft or ransomware.


What to do if Subjected to an Email Bomb

The first thing is to realize that the email bomb is a smokescreen for something else. While annoying to deal with, the email bomb itself is not the primary concern. The flood of emails usually numbers in the thousands but will eventually dissipate. It may last a day, a week, or recur sporadically for a few weeks. Here are some points to consider:

  • Assume the email bomb is hiding notifications resulting from fraudulent activity. Painstaking as it may be, you will need to search carefully through all the noise for emails that signify a transaction has taken place, perhaps using stolen account details.
  • Implement temporary, aggressive filtering for impacted users at the email gateway or via inbox rules, using keywords that move most of the subscription emails out of the inbox. This may not be easy, as there may be 20 or more languages involved, but you can make a big dent in it.
  • Check bank accounts and credit cards for suspicious activity. Consider notifying your bank.
  • Check accounts at online retailers and other platforms and look for unexpected orders or other suspicious activity or sign-ins.
  • For admins, if users in your organization are targeted, immediately alert them to the possibility of follow-up scam phone or Teams calls from fake IT Support personnel or similar. In Microsoft Teams, consider blocking calls from external domains.
  • Educate users on email bomb attack scenarios and what actions to take.
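The first two points above, spotting the burst and then separating the subscription noise from the notifications it is hiding, can be scripted. The following triage helper is an added example written for this article, not a Trustwave tool; the inbox sample, the keyword lists and the thresholds are constructed assumptions and the keyword lists would need extending for the languages seen in a real flood.

```python
import re
from collections import Counter
from email.utils import parseaddr

# Constructed sample: a slice of one user's inbox during a suspected bomb,
# as (subject, sender) pairs. A real shipping notice and a payroll change
# are buried among multilingual registration confirmations.
INBOX = [
    ("Bienvenue ! Confirmez votre inscription", "noreply@exemple-boutique.fr"),
    ("Please confirm your subscription", "newsletter@example-shop.com"),
    ("Bestätigen Sie Ihre Registrierung", "info@beispiel-laden.de"),
    ("Confirma tu suscripción", "hola@tienda-ejemplo.es"),
    ("Your order #10482 has shipped to a new address", "orders@example-retailer.com"),
    ("Welcome! Verify your email", "signup@example-forum.org"),
    ("Direct deposit details updated", "payroll@example-corp.com"),
    ("Weekly team sync", "colleague@example-corp.com"),
]

# Subscription/registration phrases in a few languages (assumed, not exhaustive).
NOISE = re.compile(r"(confirm|subscri|regist|welcome|verify|bienvenue|inscription|"
                   r"bestätig|registrier|suscripci)", re.I)
# Phrases that signal a transaction the bomb may be trying to hide.
TRANSACTION = re.compile(r"(order|shipped|invoice|payment|deposit|booking|ticket|"
                         r"payroll|new address)", re.I)


def triage(inbox):
    """Split messages into (review, noise). Anything transactional, or anything
    that matches no noise pattern, goes to the review list for a human."""
    review, noise = [], []
    for subject, sender in inbox:
        if TRANSACTION.search(subject):
            review.append((subject, sender))  # checked first: may also look like noise
        elif NOISE.search(subject):
            noise.append((subject, sender))
        else:
            review.append((subject, sender))
    return review, noise


def looks_like_bomb(inbox, min_messages=5, min_domains=4):
    """Bomb heuristic: many subscription-style messages from many distinct
    sender domains, which is what thousands of unrelated sites produce."""
    _, noise = triage(inbox)
    domains = Counter(parseaddr(s)[1].rsplit("@", 1)[-1].lower() for _, s in noise)
    return len(noise) >= min_messages and len(domains) >= min_domains


if __name__ == "__main__":
    print("bomb suspected:", looks_like_bomb(INBOX))
    for subject, sender in triage(INBOX)[0]:
        print("REVIEW:", subject, "<" + sender + ">")
```

The same subject patterns can be turned into the temporary gateway or inbox rules mentioned above, while the review list is what the user actually needs to read.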
