DDoS attacks are not limited to websites. We are currently seeing some email inboxes attacked by being flooded with blog and forum sign-up confirmation and password reset emails. A DDoS attack on an inbox is known as mail bombing, and it is a technique sometimes used by cyber criminals to cover up a more serious attack.
The attack can be automated by a fairly simple script. First, run a Google search to find forums with a sign up form. (Since most small websites use one of a handful of content management systems such as WordPress or Joomla, there are hundreds of thousands of sign up pages out there that only have cosmetic differences.) Then, use a bot to go to each sign up page and sign up with the victim’s email address. Each site sends out an opt-in confirmation message to the victim. This is generally good practice as individual sites can make sure the correct email address has signed up, but when a multitude of sites are exploited in this way it can fill up the victim’s inbox in short order.
A cyber criminal will typically mail bomb a victim to prevent them from receiving or noticing some other email. They may have compromised the victim’s credit card or banking credentials (or at this time of year, their income tax preparation service) and want to prevent them from seeing the message saying that large sums of money are on the move out of their account.
In regular spam, the same message is sent to many different users. In mail bombing, many different messages may be sent to a single user. In this case the messages are of a type that is usually legitimate, so conventional spam filters will be unlikely to block them. So what can we do about mail bombing?
If you run a website that requires users to sign up to comment on posts, please install a CAPTCHA in the user registration to make it harder for bots to sign up. There are simple plugins to do this. Here’s one for WordPress sites and one for Joomla.
If you find that you are a victim of a mail bombing attack, don’t select the entire contents of your inbox and delete them. This is just what the attacker wants you to do. You may be deleting the notice that your tax return has been filed (by someone else) or that your PayPal account has transferred hundreds of dollars to China. Instead, use the tools in your email client to delete just the unwanted messages, and add a filter to delete incoming messages of this type. The exact method for doing this will vary depending on your mail client. For deleting from your current inbox you will typically have to do a search that selects just the unwanted emails, select all the search results, and move them all to the trash. If you are still receiving unwanted incoming messages, here are instructions for using filters in Microsoft Exchange, and Yahoo! Mail. Other mail clients should have similar functionality.
However, don’t stop there. The mail bombing may just be a distraction to prevent you from noticing the real attack. So what can you do?
- Check what is left in your inbox for transaction notices.
- Check with your bank, credit cards, and e-commerce accounts for unexpected transactions or password changes.
- Turn on two-factor authentication for all of them if you haven’t already done so.
- At this time of year, many scammers are busy filing false state and federal tax returns for other people in order to claim fraudulent tax refunds. Unfortunately, there is no simple way of checking with the IRS if a fraudulent tax return has been filed in your name. The best way is simply to file your own taxes as early as possible and hope they don’t get rejected.
If you are mail bombed, however, that may be an indication that you are a victim of identity theft, and so you can file form 14039 and request a tax PIN from the government, which will protect you against tax return fraud in the future.
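The selective cleanup described above (remove only the sign-up noise, keep anything that could be a transaction notice) can be scripted. The following is an added example, not code from the original article; the subject patterns, the `KNOWN_DOMAINS` list, the function names and the sample messages are all assumptions constructed for illustration.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumed for this sketch: the subject patterns and the domains where the user
# really holds accounts. Tune both to your own mailbox.
SIGNUP = re.compile(r"confirm|verify|activate|welcome|registration|password reset", re.I)
MONEY = re.compile(r"transfer|payment|receipt|withdrawal|tax return|password changed", re.I)
KNOWN_DOMAINS = {"bank.example", "tax.example"}

def classify(raw):
    """Return (label, sender_domain, sent_time) for one raw message."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    when = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    # Decide "review" first so a real notice is never swept up as noise.
    if domain in KNOWN_DOMAINS or MONEY.search(subject):
        return "review", domain, when
    return ("signup" if SIGNUP.search(subject) else "other"), domain, when

def is_burst(signups, min_domains=3, window=timedelta(hours=1)):
    """True if sign-up mail from min_domains distinct sites arrived within one window."""
    timed = [(t, d) for _, d, t in signups if t is not None]
    return any(len({d for t, d in timed if s <= t <= s + window}) >= min_domains for s, _ in timed)

def triage(raw_messages):
    """Split an inbox into subjects to read and sign-up noise to filter."""
    labelled = [(classify(r), message_from_string(r)["Subject"]) for r in raw_messages]
    return {
        "review": [s for c, s in labelled if c[0] == "review"],
        "noise": [s for c, s in labelled if c[0] == "signup"],
        "bombing_suspected": is_burst([c for c, _ in labelled if c[0] == "signup"]),
    }

def _mail(sender, subject, minute):  # builds constructed sample messages
    return f"From: {sender}\nSubject: {subject}\nDate: Mon, 03 Apr 2017 10:{minute:02d}:00 +0000\n\nbody\n"

SAMPLE_INBOX = [  # constructed, not real traffic
    _mail("noreply@forum-a.example", "Please confirm your registration", 1),
    _mail("admin@blog-b.example", "Activate your account", 2),
    _mail("alerts@bank.example", "Your transfer of $900 has been sent", 3),
    _mail("wp@site-c.example", "Password reset request", 4),
    _mail("friend@mail.example", "Lunch on Friday?", 5),
]

if __name__ == "__main__":
    print(triage(SAMPLE_INBOX))
```

Messages labelled `review` are the ones to read before deleting anything; only the `noise` list is a candidate for the trash and for an incoming filter.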