While the anti-spam research team continues to investigate, it’s worth remembering that emailbombings are not just a nuisance.

Criminals can use the sudden and unexpected deluge of messages to conceal a crime in progress by making it difficult to spot that fraud alert from your bank, or a receipt for a large purchase made at an online retailer using your payment card.

The only good news is they don’t last forever, with the volume of messages eventually dropping off as the attack subsides.

#emailbomb #mailbomb #spam #spammers #email #XOps

Why would someone do this? In brief, to create a kind of email smokescreen that can conceal fraudulent online purchases or other malicious behavior.

One typical example we found among the emailbombings in this time period was this one: The target’s compromised Apple account had been used to purchase an expensive phone overnight.

The flood of emails attempted to conceal this order until the attacker’s accomplice could collect the purchased device at a physical store, but the target cancelled the order before the pickup.

And yet that’s next to nothing. Another target received 7300 unexpected emails over a two-and-a-quarter-hour period on November 7th. That’s an average of more than 54 messages every minute for the entire 135-minute window.

The highest proportion of emails – more than 700 – came from individual WordPress blogs. The rest came from online retailers, newsletters, and password resets for a variety of online services.

It can be hard to understand what we mean by “flooded inbox” so here’s a chart to illustrate what happened to one unfortunate target: They received 712 emails over a one-hour period (an average of nearly 12 every minute) on November 15. That sounds bad, right?

Many of the emailbomb messages shared certain Subject line text strings: “reset password notification,” “password reset,” “reset your password,” “verify email address,” “confirm your subscription,” “newsletter subscription success,” and “registration info” were common, as were their equivalents in a variety of foreign languages, including Spanish, German, Italian, French, Romanian, Russian, Japanese, and Portuguese.
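
Detection logic for the pattern these posts describe, added here as an example and not code from Sophos or the thread: it buckets mailbox metadata into fixed time windows, flags windows with a high message rate whose subjects mostly match the strings listed above, and lists the non-matching messages in each flagged window, since a buried receipt or fraud alert is what the target needs to find. The thresholds, sender domains, timestamps and the sample burst are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
# Subject-line fragments the thread reports as common in emailbomb messages
# (English only; the thread notes equivalents in several other languages).
BOMB_SUBJECT_RE = re.compile(
    r"reset password notification|password reset|reset your password|"
    r"verify email address|confirm your subscription|"
    r"newsletter subscription success|registration info", re.IGNORECASE)

def is_bomb_like(subject):
    """True when the subject matches one of the common emailbomb patterns."""
    return bool(BOMB_SUBJECT_RE.search(subject))

def find_bomb_windows(messages, window_minutes=10, min_per_minute=5.0, min_ratio=0.7):
    """Bucket (timestamp, sender_domain, subject) records into fixed windows and flag
    those whose rate and share of bomb-like subjects exceed the (assumed) thresholds.
    Each flagged window also lists its NON-matching messages: the buried receipt."""
    if not messages:
        return []
    msgs = sorted(messages)
    width = timedelta(minutes=window_minutes)
    origin = msgs[0][0]
    buckets = {}
    for ts, domain, subject in msgs:
        buckets.setdefault(int((ts - origin) / width), []).append((ts, domain, subject))
    flagged = []
    for idx, items in sorted(buckets.items()):
        bomb_count = sum(1 for m in items if is_bomb_like(m[2]))
        rate, ratio = len(items) / window_minutes, bomb_count / len(items)
        if rate >= min_per_minute and ratio >= min_ratio:
            flagged.append({
                "start": origin + idx * width,
                "count": len(items),
                "per_minute": round(rate, 1),
                "bomb_ratio": round(ratio, 2),
                "buried": [m for m in items if not is_bomb_like(m[2])],
            })
    return flagged

# Constructed sample: 60 confirmation/reset mails in ten minutes (one every ten
# seconds) with one real order receipt inside, then a single ordinary mail later.
def sample_messages():
    base = datetime(2024, 11, 7, 9, 0)  # constructed timestamp, not from the thread
    msgs = []
    for i in range(60):
        subject = ("Confirm your subscription", "Password reset", "Registration info")[i % 3]
        msgs.append((base + timedelta(seconds=10 * i), f"blog{i % 6}.example", subject))
    msgs.append((base + timedelta(minutes=4), "store.example", "Your order receipt #12345"))
    msgs.append((base + timedelta(minutes=45), "friend.example", "Lunch tomorrow?"))
    return msgs
```

Running `find_bomb_windows(sample_messages())` flags only the first ten-minute bucket (61 messages, about 6 per minute, 98% bomb-like) and surfaces the order receipt as the one message buried in it; the later ordinary mail falls in a quiet bucket and is not flagged.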

Since the beginning of September, Sophos X-Ops’ anti-spam research team has registered nearly 150 “emailbomb” attacks that targeted specific Sophos customers’ inboxes.

While similar, these are not spam attacks: threat actors use tools provided by otherwise benign websites to (un)subscribe people to newsletters, and/or to help registered users self-manage an account with password resets.

The end result is the target's inbox becomes swamped with unexpected, benign email, sometimes for hours on end.

A 🧵

When the threat actors behind the #RansomHub #ransomware want to attack a target, they go to some lengths to prevent EDR or endpoint protection software from ruining their day.

The latest blog from #Sophos #XOps investigates how they do that, using a tool we call #EDRKillShifter

https://news.sophos.com/en-us/edr-kill-shifter/

Ransomware attackers introduce new EDR killer to their arsenal

Sophos discovers the threat actors behind RansomHub ransomware using EDRKillShifter in attacks

Sophos News