SpiderLabs Blog

Email Bombing: Why You Need to be Concerned

Written by Phil Hay | Dec 18, 2024 2:00:00 PM

Over the last few months, the topic of email bombing has been brought to our attention multiple times, mostly queries from customers that go something like this:

“I have a few users experiencing some sort of spam attack, where they are receiving thousands of random registration or subscription emails. What do I do, and why is it occurring? Help!”

This scenario is known as email or subscription bombing. Attackers, using various tools and services, subject the victim to a tsunami of emails, usually as a cover for other fraudulent activities. This email flood consists of thousands of legitimate registration or subscription notifications from different websites across the globe, in many different languages.

The attackers use automated tools that target websites that do not require any sort of authentication to subscribe. Input the victim email address, and hey, presto, instant unwanted email. Do this across a few thousand different websites and you have an email bomb.


Figure 1. An example of an unwanted registration email used in an email bomb. Victims receive thousands of different types of confirmation emails in many different languages.


Figure 2: Email bombing attack showing a wide range of notifications.


Email Bombing Tools and Services

Attackers use email bombing tools and services that are freely or cheaply available on underground forums. Figure 3 shows an example of a recently advertised tool called “DiddyBomber,” which costs $8 per day or $30 per month.


Figure 3. An email bombing tool advertisement on an underground forum.

DiddyBomber is an easy-to-use Telegram-based bot that requires only a few simple commands.


Figure 4. DiddyBomber Telegram usage commands.

Why do Email Bombs Occur?

Email bombing is not new, but given the increased number of reports we have received recently, the practice seems to be on the rise. So why do threat actors use email bombs? There are multiple reasons, but two key ones that we will explore here.


A Smokescreen for Fraudulent Activity

The first and more established reason for email bombing is to act as a smokescreen for fraudulent activity. Attackers bombard you with emails to hide something, usually a real notification email about a transaction they don’t want you to see.

A common scenario involves attackers collecting fraudulently purchased goods from a retailer. Attackers obtain stolen account and credit card details, use them to order an item, and have it shipped somewhere else. They then email bomb the victim so that the real order confirmation is hidden amongst all the noise. The real email is highly likely to be overlooked or deleted by a victim struggling to regain control of their inbox.

The types of fraudulent activity mentioned above that are often linked with email bombs vary. Here are some themes we have seen reported:

  • Parcel redirection for online retailers including Amazon, Walmart, Home Depot, and the Apple Store.
  • Booking airline tickets with stolen credit card details, or with accumulated air points.
  • Payroll systems, where attackers log into the system and add a fake new employee to be paid or change the direct deposit details of an existing employee to route payment to their accounts on the next payroll cycle.
  • Purchasing tickets through vendors like Ticketmaster.


A Pretext for a ‘Support’ Call

The second reason, and potentially a more damaging one for organizations, is to serve as a pretext for a follow-up scam phone call. We have seen this attack scenario increase over the past year.

The attacker will employ an email bomb against the victim and then follow up with a phone call or Microsoft Teams call, pretending to be someone from the IT helpdesk offering to solve the spam problem. The “solution” involves installing remote assistance software such as AnyDesk or Quick Assist, which gives the attacker control of the system and can lead to further malicious software being installed.

This attack variant is a more recent phenomenon that can lead to serious infiltration. Rapid7 reported the Black Basta ransomware gang employed email bombing as a component of a larger social engineering campaign. In this situation, Black Basta targeted multiple users in an organization with the email bomb and subsequent follow-up call as a method of gaining a foothold in the organization for larger attacks, such as data theft or ransomware.


What to do if Subjected to an Email Bomb

The first thing is to realize that the email bomb is a smokescreen for something else. While annoying to deal with, the email bomb itself is not the primary concern. The flood of emails usually numbers in the thousands but will eventually dissipate. It may last a day, a week, or recur sporadically over a few weeks. Here are some points to consider:

  • Assume the email bomb is hiding notifications resulting from fraudulent activity. Painstaking as it may be, you will need to search carefully through all the noise for emails that signify a transaction has taken place, perhaps using stolen account details.
  • Implement temporary, aggressive filtering for impacted users, either at the email gateway or via inbox rules, using keywords that move most of the subscription emails out of the inbox. This may not be easy, as 20 or more languages may be involved, but you can make a big dent in the volume.
  • Check bank accounts and credit cards for suspicious activity. Consider notifying your bank.
  • Check accounts at online retailers and other platforms and look for unexpected orders or other suspicious activity or sign-ins.
  • For admins, if users in your organization are targeted, immediately alert them to the possibility of follow-up scam phone or Teams calls from fake IT Support personnel or similar. In Microsoft Teams, consider blocking calls from external domains.
  • Educate users on email bomb attack scenarios and what actions to take.
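The two hardest points in the list above, searching the noise for the one real transaction email and building keyword filters across many languages, can be partly automated. The script below is an added example written for this page, not a tool from the SpiderLabs post; it works on a simple in-memory list of messages (the `from`/`subject`/`received` fields, the keyword lists, the burst thresholds and the sample mailbox it constructs are all assumptions) and does three things a responder would want: flag the burst itself, set the multilingual registration noise aside, and surface the few messages that look like real order, payroll or booking notifications so they are reviewed first. The sender domains of the noise are returned as a list that can seed a temporary gateway rule.

```python
"""Triage a mailbox export during a suspected email bomb.

Added example (not from the original post). Message dicts and keyword
lists are assumptions; the sample mailbox is constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Words typical of registration / subscription confirmations, in several
# languages (assumed starter list; extend it with the languages you see).
NOISE_KEYWORDS = [
    "confirm your", "verify your", "welcome to", "newsletter", "subscription",
    "activate your account", "registration",
    "confirme", "confirmez", "bienvenue", "inscription",        # French
    "bestätigen", "willkommen", "anmeldung", "registrierung",  # German
    "confirma", "bienvenido", "suscripción", "registro",        # Spanish
    "conferma", "benvenuto", "iscrizione",                      # Italian
    "подтвердите", "регистрация",                               # Russian
]

# Words that suggest a real transaction hiding in the flood (assumed list).
TRANSACTION_KEYWORDS = [
    "order", "shipped", "shipping address", "delivery", "receipt", "invoice",
    "payment", "direct deposit", "payroll", "booking", "itinerary", "ticket",
    "password changed", "new sign-in",
]


def _has_keyword(text, keywords):
    text = text.lower()
    return any(k in text for k in keywords)


def sender_domain(addr):
    """Extract the domain from 'Name <user@host>' or 'user@host'."""
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""


def is_burst(messages, window=timedelta(hours=1), threshold=100, min_domains=50):
    """Email-bomb heuristic: many messages from many distinct sender domains
    inside one short window. Thresholds are assumptions to tune per tenant."""
    ordered = sorted(messages, key=lambda m: m["received"])
    j = 0
    for i in range(len(ordered)):
        # Advance j so ordered[i:j] is everything within `window` of message i.
        while j < len(ordered) and ordered[j]["received"] - ordered[i]["received"] < window:
            j += 1
        chunk = ordered[i:j]
        if len(chunk) >= threshold:
            if len({sender_domain(m["from"]) for m in chunk}) >= min_domains:
                return True
    return False


def triage(messages):
    """Split messages into noise, transactions to review, and everything else.
    Transaction keywords win over noise keywords: a false positive costs a
    minute of review, a missed order confirmation costs far more."""
    noise, review, other = [], [], []
    for m in messages:
        if _has_keyword(m["subject"], TRANSACTION_KEYWORDS):
            review.append(m)
        elif _has_keyword(m["subject"], NOISE_KEYWORDS):
            noise.append(m)
        else:
            other.append(m)
    # Sender domains of the noise, most frequent first, for a temporary gateway rule.
    domains = Counter(sender_domain(m["from"]) for m in noise)
    return {"noise": noise, "review": review, "other": other,
            "filter_domains": [d for d, _ in domains.most_common()]}


def build_sample_mailbox():
    """Constructed sample: 150 confirmations from 150 sites in under an hour,
    with two real notifications buried in the middle of the flood."""
    t0 = datetime(2024, 12, 1, 9, 0)
    subjects = ["Welcome to our newsletter", "Bitte bestätigen Sie Ihre Anmeldung",
                "Confirmez votre inscription", "Confirma tu suscripción",
                "Conferma la tua iscrizione", "Подтвердите регистрацию"]
    msgs = [{"from": f"noreply@site-{i:03d}.example",
             "subject": subjects[i % len(subjects)],
             "received": t0 + timedelta(seconds=20 * i)} for i in range(150)]
    msgs.append({"from": "orders@retailer.example",
                 "subject": "Your order has shipped to a new shipping address",
                 "received": t0 + timedelta(minutes=25)})
    msgs.append({"from": "hr@payroll.example",
                 "subject": "Direct deposit details updated",
                 "received": t0 + timedelta(minutes=40)})
    return msgs


if __name__ == "__main__":
    mailbox = build_sample_mailbox()
    print("burst detected:", is_burst(mailbox))
    result = triage(mailbox)
    print(f"noise={len(result['noise'])} review={len(result['review'])} other={len(result['other'])}")
    for m in result["review"]:
        print("REVIEW FIRST:", m["from"], "|", m["subject"])
```

Run against a real export, the `review` bucket is the list to hand to the user and the fraud team, and `filter_domains` is the raw material for the temporary gateway or inbox rule the post recommends; both should be treated as a first cut, since the keyword lists will need the languages and wording actually seen in the attack.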