Are All Those Spam Messages Just a Distraction?

One of the most common tactics used by scam artists is the redirect: get the mark, or victim, to focus their attention on something else while being taken advantage of. A good example of this is when pickpockets have someone bump into their victim to divert attention away from the fact that their wallet is being stolen.

Now cyber criminals are using diversion as a tactic to cover their tracks as they clean out their victims’ bank accounts.

The scenario plays out like this: the criminal manages to obtain bank account or credit card information from their victim. Generally, they can get this through a phishing attack or by stealing it from an unsecured database. With this information in hand, they start their shopping spree.

Now for the diversion. Since most people receive email alerts for purchase receipts and balance transfers, the criminal floods the victim’s email inbox with thousands (think upwards of 60,000) of spam emails in a 12 to 24 hour period. The emails themselves are usually nothing more than gibberish: no links to malicious web sites, no images, no file attachments and, most importantly, no key words that could tip off the anti-spam filters. Most of the content, experts have found, comes from a mash-up of words and phrases from literature.

Once the attack has been launched, it is almost impossible for the user to actually use their email account. One person simply can’t delete emails fast enough to actually see what is going on.

But what about phone calls and text messages? Don’t quite a few people get alerted from their bank this way as well?

Of course, and the bad guys have thought of that as well. There have been reports of people receiving a flood of phone calls and/or text messages, creating enough noise to distract the victim from any alerts that someone else has control of their account.

By the time the victim has regained control of everything, they find out that they missed all of the warning signs and attempts on behalf of their financial institutions to contact them.

What do I do?

To begin with, experts have said that Distributed Spam Distraction attacks, as these are now called, are sparse and only work when the victim does not know what is going on. But those who do realize that something is wrong should immediately contact their financial institutions and online shopping accounts to see if there are any improper charges or transfers taking place. Once this has been done and you can be sure that all accounts are being protected, anyone who falls victim to this type of attack should then scan their computer for malware and immediately change all of their passwords. When changing your passwords, make sure that they are all different. Don’t use the same one for all of your accounts, no matter how strong it is.

To keep yourself from being victimized, you need to head off this type of attack early on. Make sure that you have adequate email protection in place because, most likely, the attacker has used some type of phishing email to get your account information in the first place.

Good spam fighting technologies will also help keep the deluge of spam at bay. If your mail system is receiving 60,000 or more messages in a day’s time then your spam protection isn’t doing its job. Anti-spam filtering that relies solely on key words or key phrases will be beaten by this technique because of how the message is written. On the other hand, anti-spam controls that utilize a wide array of technologies stand a far better chance at catching these messages before they ever reach your inbox.
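Because the flood carries no tell-tale key words, volume is the signal that remains. The following is an added example, not part of the original article: it watches per-mailbox arrival rate with a sliding window and, once a flood is detected, pulls out the messages from financial senders that arrived during it. The record format, the threshold, the window size and the sender domains are all assumptions chosen for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed values, not from the article: tune to the mailbox's normal volume.
WINDOW = timedelta(hours=1)
FLOOD_THRESHOLD = 200  # messages per WINDOW treated as a flood
# Hypothetical sender domains of the institutions whose alerts must not be missed.
ALERT_SENDERS = {"alerts.examplebank.test", "receipts.exampleshop.test"}


def find_buried_alerts(messages):
    """messages: (timestamp, sender_domain, subject) tuples sorted by time.

    Returns (flood_start, buried). flood_start is the oldest message in the
    window when the count first exceeded FLOOD_THRESHOLD, or None if it never did.
    buried lists ALERT_SENDERS messages received from flood_start onward.
    """
    window, alerts, flood_start = deque(), [], None
    for ts, sender, subject in messages:
        window.append(ts)
        while ts - window[0] > WINDOW:  # drop timestamps older than WINDOW
            window.popleft()
        if flood_start is None and len(window) > FLOOD_THRESHOLD:
            flood_start = window[0]
        if sender in ALERT_SENDERS:
            alerts.append((ts, sender, subject))
    if flood_start is None:
        return None, []
    return flood_start, [a for a in alerts if a[0] >= flood_start]


def sample_mailbox():
    """Constructed sample: two ordinary messages, then one message every 2 s."""
    t0 = datetime(2013, 7, 1, 9, 0, 0)
    msgs = [(t0 - timedelta(hours=15), "alerts.examplebank.test", "Statement ready"),
            (t0 - timedelta(hours=2), "news.example.test", "Weekly digest")]
    msgs += [(t0 + timedelta(seconds=2 * i), f"host{i % 97}.example.test", "gibberish")
             for i in range(1500)]
    msgs += [(t0 + timedelta(seconds=601), "alerts.examplebank.test", "Transfer initiated"),
             (t0 + timedelta(seconds=1501), "receipts.exampleshop.test", "Order confirmed")]
    return sorted(msgs)


if __name__ == "__main__":
    start, buried = find_buried_alerts(sample_mailbox())
    print("flood began:", start)
    for ts, sender, subject in buried:
        print(ts, sender, subject)
```

In practice the same rate check can run as a mail rule or log query, with the matching alerts copied to a separate folder or forwarded to a second address so they stay visible during the flood.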

Security experts will work towards shutting down the botnets that are responsible for these attacks. If history shows us anything, the command and control servers that are the brains behind these networks will be shut down and others will pop up to take their place. While it’s safe to rely on the spam fighters to do the heavy lifting, protecting yourself and your co-workers from mail-borne attacks requires something be done to prevent malicious emails from causing problems in the first place.

Written by Jeff


  1. Maria Ortiz · July 6, 2013

    This is a very sophisticated approach but I see two major flaws: first, when you begin getting that many emails, texts, or calls this in itself is very suspicious. Of course, not many ordinary users will make the connection this is a cover for a spam attack. Second, a lot of effort and money is involved in order to send all the emails/texts or make the calls, which in turn means it makes no sense to do it if you are stealing $100, for example.

  2. Jeff · July 13, 2013

    Good points, but the cost of renting a botnet isn’t that much so to carry out an attack against even 10 people simultaneously can be profitable. Remember too, there are likely multiple transactions being washed out in this, so it wouldn’t only be a $100 loss. These people do their research on their victims.

  3. Annette · July 15, 2013

    This is actually a very pretty scary thought. I haven’t thought spamming can also play out like this. But anyway, I think one of the main defenses we can use is to continuously check bank accounts. I do that every other week. I also make sure that my anti-malware and anti-virus programs are up-to-date. I don’t access bank accounts in public or mobile devices either.

  4. Melody · July 30, 2013

    I definitely agree with you, Annette! This is a scary thought. It is like something you never thought possible has now become an easy thing. It’s like our nightmares are slowly turning into reality.

    Like you, I check my bank accounts on a regular basis. I bank almost every day, so I am constantly updated with the movements of my finances. I used to do this online or through my iPhone, but after almost getting scammed, I chose to visit my bank personally – as much as possible. And like you, my anti-virus and anti-malware programs are regularly updated – thanks to my technician!

  5. Jeff · July 30, 2013

    Great practices Annette! By staying on top of things you greatly reduce your chances of falling victim to these attacks.
