One of the most common tactics used by scam artists is that of the redirect. Get their mark, or victim, to focus their attention on something else while they take advantage of them. A good example of this is when pickpockets use someone to bump into their victim to divert attention away from the fact that their wallet is being stolen.
Now cyber criminals are using diversion as a tactic to cover their tracks as they clean out their victims’ bank accounts.
The scenario plays out like this; the criminal manages to obtain bank account or credit card information from their victim. Generally, they can get this through a phishing attack or by stealing it from an unsecured database. With this information in hand, they start their shopping spree.
Now for the diversion, since most people receive email alerts for purchase receipts and balance transfers the criminal floods the victim’s email inbox with thousands, think upwards of 60,000, spam emails in a 12 to 24 hour period. The emails themselves are usually nothing more than gibberish. No links to malicious web sites, no images, no file attachments and most importantly no key words that could tip off the anti-spam filters. Most of the content, experts have found, come from a mash-up of words and phrases from literature.
Once the attack has been launched, it is almost impossible for the user to actually use their email account. One person simply can’t delete emails fast enough to actually see what is going on.
But what about phone calls and text messages? Don’t quite a few people get alerted from their bank this way as well?
Of course, and the bad guys have thought of that as well and there have been reports of people receiving a flood of phone calls and/or text messages to create enough noise to distract the victim from any alerts that someone else has control of their account.
By the time the victim has regained control of everything, they find out that they missed all of the warning signs and attempts on behalf of their financial institutions to contact them.
What do I do?
To begin with, experts have said that Distributed Spam Distraction attacks, as these are now called, are sparse and only work when the victim does not know what is going on. But those who do realize that something is wrong should immediately contact their financial institutions and online shopping accounts to see if there are any improper charges or transfers taking place. Once this has been done and you can be sure that all accounts are being protected anyone who falls victim to this type of attack should then scan their computer for malware and immediate change all of their passwords; and when changing your passwords make sure that they are all different. Don’t use the same one for all of your accounts no matter how strong it is.
To keep yourself from being victimized, you need to head off this type of attack early on. Make sure that you have adequate email protection in place because most likely, the attacker has used some type of phishing email to get you account information in the first place.
Good spam fighting technologies will also help keep the deluge of spam at bay. If your mail system is receiving 60,000 or more messages in a day’s time then your spam protection isn’t doing its job. Anti-spam filtering that relies solely on key words or key phrases will be beat by this technique because of how the message is written. On the other hand, anti-spam controls that utilize a wide array of technologies stand a far better chance at catching these messages before they ever reach your inbox.
Security experts will work towards shutting down the botnets that responsible for these attacks. If history shows us anything, the command and control servers that are the brains behind these networks will be shut down and others will pop up to take their place. While its safe to rely on the spam fighters to do the heavy lifting, protecting yourself and your co-workers from mail borne attacks requires something be done to prevent malicious emails from causing problems in the first place.