CSO - If you get hit with an avalanche of obvious spam email, that's one problem. But it may also be an effort to distract you from a much bigger problem: fraudulent purchases and bank transactions made with your stolen identity and credentials.
Fred Touchette, a security analyst manager at AppRiver, wrote in a blog post recently of a Distributed Spam Distraction (DSD) technique, saying that he is seeing it several times a year. "It hasn't quite caught on yet, but you never know," he wrote.
Touchette told CSO Online that he coined the term after observing it for the past several years. "I was trying to think of something descriptive and catchy, along the lines of DDoS (Distributed Denial of Service), since they operate in a similar fashion," he said.
The targets are individuals, whose identity and personal information the thieves already have. The victims' email inboxes suddenly get flooded with thousands upon thousands of emails -- as many as 60,000 during a 12- to 24-hour period -- that contain no links, no graphics, and no advertisements. "[The contents are] nothing but mash-ups of words and phrases from literature," he wrote.
Screen shots of several emails show what is essentially gibberish. "Every email is different as well, nearly perfectly randomized, though if you comb through them carefully, you will begin to see some repeated content," Touchette wrote. "The emails themselves are obviously botnet-delivered too, because all of the senders are different, usually freemail providers, the sending IPs are all different, and the rate at which they're arriving would make one's head spin."
Although the attack, while under way, makes it almost impossible to use one's email account, the real point is to distract the user from valid email, which will likely include confirmations of purchase receipts or balance transfers from fraudulent transactions made with the victim's credentials.
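The traits described above suggest a way to dig the real mail back out once a flood is recognized. The following is an added illustration, not code from AppRiver or from this article: it detects the burst, sets aside messages that match the flood profile (freemail sender, never-repeated address, no links) and returns what is left. The message fields, the freemail list and the 200-message threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

FREEMAIL = ("gmail.com", "yahoo.com", "hotmail.com", "outlook.com")  # assumed list
URL_RE = re.compile(r"https?://", re.I)

def flood_start(messages, window, threshold):
    """Start time of the first window holding more than `threshold` messages, else None."""
    lo, times = 0, sorted(m["received"] for m in messages)
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 > threshold:
            return times[lo]
    return None

def is_flood_noise(msg, sender_counts):
    """Flood profile from the article: freemail sender, never repeated, no links."""
    sender = msg["sender"].lower()
    return (sender.rsplit("@", 1)[-1] in FREEMAIL
            and sender_counts[sender] == 1
            and not URL_RE.search(msg["body"]))

def surface_buried_mail(messages, window=timedelta(hours=24), threshold=200):
    """Return messages inside a flood that do not fit the flood profile."""
    start = flood_start(messages, window, threshold)
    if start is None:
        return []  # no burst, nothing to triage
    burst = [m for m in messages if start <= m["received"] <= start + window]
    counts = Counter(m["sender"].lower() for m in burst)
    return [m for m in burst if not is_flood_noise(m, counts)]

def sample_mailbox():  # constructed sample: 300 gibberish messages, two real notices
    t0 = datetime(2024, 1, 1, 9, 0)
    words = ["whale", "moor", "lantern", "voyage", "sorrow", "orchard"]
    box = [{"sender": f"user{i}@{FREEMAIL[i % 4]}",
            "received": t0 + timedelta(seconds=30 * i),
            "body": " ".join(words[(i + k) % 6] for k in range(5))}
           for i in range(300)]
    box.append({"sender": "alerts@bank.example", "received": t0 + timedelta(minutes=40),
                "body": "Transfer confirmed. Review: https://bank.example/activity"})
    box.append({"sender": "orders@shop.example", "received": t0 + timedelta(minutes=95),
                "body": "Your order has shipped."})
    return box

if __name__ == "__main__":
    print([m["sender"] for m in surface_buried_mail(sample_mailbox())])
```

The link-free shipping notice is surfaced as well, because a message is set aside only when all three flood traits hold together.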
"The attackers, just before they make the illegal transactions, turn on this deluge of spam email in order for these very important emails to get lost in the flood. Once the bad guys are done with their activities they'll stop the flood," Touchette wrote.
Others have noticed the technique, but like Touchette, they say it is not yet common. "At the moment, we have only heard about sporadic attacks and have not seen these attacks as a group or trend yet," said Liam O Murchu, manager of Security Response Operations for NAM for Norton by Symantec.
Murchu said the distraction or flooding technique is not confined to email either. "We have also heard reports of users receiving continuous phone calls in order to prevent the fraud department of banks from reaching the victim," he said, "and although details are sparse right now, we have also heard reports about this smoke-screen method being used to hide text messages from banks."
Neither Touchette nor Murchu has statistics on how successful the technique is, where the attacks originate or how many people have been victimized, but they said it can be very successful when aimed at those who don't know what is going on and are overwhelmed by the amount of email.