I have an old AOL email account that I haven’t opened in seven years — maybe even ten. Right now, it’s a swamp of spam. My AOL could be email bombed, and I wouldn’t know or care.

“Email bombing,” despite its militaristic connotation, is an old form of cyber attacking. Bad actors use the attack for a variety of reasons, but it is primarily flooding an unsuspecting person’s inbox with messages in an attempt to achieve something. Sometimes the flood of emails is an attempt to obscure a bad act such as hacking someone’s phone account, ordering a new iPhone, and then flooding the victim’s email box in hopes of burying the new phone confirmation email.  Other times the motives are revenge or more nefarious objectives like disrupting the command and control of governmental agencies.

Email bombing has been around while, but anecdotal evidence points to a recent uptick in its frequency. In 2016, over 100 email addresses in the US government were targeted with an email bombing attack.

Email bombing is cheap and ‘easy’

Email bombing is cheap and easy to carry out.  Someone can even hire out a service to do it for them that is virtually untraceable.  A quick search on Twitter shows several services willing to do a bad actor’s bidding. To give you an idea of how cheap it is, SMS bombing or email bombing costs around one to two dollars a day, whereas a 30-day long troll — which consists a combination of SMS bombing and email bombing— only costs 30 dollars. 

Dr. Filippo Menczer, Professor of Informatics and Computer Science Center for Complex Networks and Systems Research at Indiana University’s Network Science Institute, has been studying the phenomena of email bombing since 2003. In a cyber sense, 2003 is the stone age, so email bombing’s staying power is impressive.

“We first wrote about this attack in 2003, but the final paper was not published until 2010. Honestly, I do not know how uncommon it is for attacks discussed in academic papers to be deployed in the real world several years later,” Menczer says.

However, while the attack may be simple to carry out, it’s structure makes it a bit more complicated than merely sending a bunch of emails through Gmail (which anti-spam rules would prohibit anyway).

“The attack is not quite as unsophisticated as simply flooding a person’s email. That would be easy to detect and block. The idea is to subscribe the target to many independent email sources, such as newsletters. This makes it a distributed attack, which is much harder to defend against,”  Menczer says.

More often email bombs are unleashed to disrupt an organization’s ability to communicate.   A group of Pro Publica journalists found themselves the target of an email bombing campaign in response to some critical stories they ran last year. It took weeks for their email systems to get back to normal.

“Unlike social media and chat platforms, email is an open protocol — anyone can be reached by email,”  Menczer says, and it is that openness and availability that bad actors use to turn against users into victims.

“Many people continue to rely on public email for their work: government officials, reporters, emergency coordinators, policymakers, etc. If you can disable this communication channel, you can impair their capability to carry out their duties and respond to crises effectively,” Menczer says. 

Subscribe to SmarterMSP.com

 

Imagine a public servant trying to respond to a crisis as a barrage of email pours in. They couldn’t, they’d be crippled.

“Important messages get buried among thousands of junk and likely lost,”  Menczer says. And it’s this open protocol that makes preventing an attack difficult. In the case of the Pro Politica reporters, the news organization’s spam filters became overwhelmed, literally paralyzing the whole system. As if that is not enough, these types of attacks can bleed into a victim’s phone.  Some sign-up services authenticate with a phone call or text, so you can imagine having your phone becoming drawn into this vortex.

What can an MSP do?

An email bomb against one or two employees has the potential to bring down an entire network if the volume is high enough.  The daily hum of office activity could be brought to a halt. In the case of the Pro Politica reports, the only recourse was to block all incoming email (which is the equivalent of cutting off oxygen for a journalist).  However, as with many types of malware and cyber security threats, an MSP’s best defense is prevention and that often merely consists of education. The best way to avoid this is to have a separate email account that you use for signing up for services. Menczer and colleagues have explored ways to prevent email bombing and outline some more in-depth and technical solutions here.

“We describe a solution to be deployed by services that offer online newsletter subscription so that they cannot be abused in this way. They should use a kind of two-step authentication to ensure that the person subscribing is the one who will receive the emails,” Menczer says.  And while this type of attack is more difficult for potential target individuals to defend against, the server-based email services of today are more resilient than when email bombing first was noticed over a decade ago.

As early as 1998, the rebel Tamil Tigers fighting a vicious civil war against the Sri Lankan government, launched an email bombing attack against government servers, lobbing over 800 emails a day to Sri Lankan embassies during a two week period in an effort to disrupt communications. Twenty years later, email bombing is still a weapon in the hackers arsenal.  In cyberspace, what is old is truly new again.

<

Photo:  Rei Imagine / Shutterstock.

Kevin Williams

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.

Leave a reply

Your email address will not be published. Required fields are marked *