Subscription Bombing: What is it, why is it happening?

What is Subscription Bombing?

Subscription Bombing, also known colloquially as Mailing List Bombing or simply List Spam, is an obfuscation technique used by attackers who have compromised some of a user’s personal and financial information. In essence, the user’s email address is being used to sign up for hundreds, often thousands, of newsletters or mailing lists worldwide in order to inundate their Inbox with “Welcome to So-and-So Newsletter” and “Please confirm your Subscription” emails.

These messages can safely reach their Inbox through your organization’s email filters because they are coming from legitimate sources: these are real websites with proper domain tenancy and a good email reputation, not the commonly used ‘disposable’ domains that many spammers so often use with their terribly misspelled and badly formatted emails.

How are they doing this?

The attackers will use a series of bots that to sign up for subscriptions using the user’s email address at any and all sorts of websites, including well known ones here in the United States, but also tons of overseas websites that do not necessarily require a confirmation of an opt-in for new sign-ups or may not have the common CAPTCHA protections to mitigating botting.

This will often get supplemented by them using a bunch of compromised email accounts from various free email hosting services to add some additional traffic on top of the ones coming in from official websites.

There are a few key clues to identify emails originating as part of a Subscription Bombing attack, beyond just the usual unexpected nature of receiving so many at once:
1. The origin of the emails will all be different, stemming from multiple different websites and countries.
2. The emails will arrive for a period of a few hours to maybe 24 hours, then suddenly halt.
3. The senders of some of the emails will come in from multiple different free email service providers, like Yahoo.com, Hotmail/Outlook.com, Gmail.com and other similar free email services, especially foreign ones.
4. The content of the emails will often be some randomized sets of words and may not contain advertisements, graphics or other links.

Why is this happening?

So there are a ton of emails in your user’s Inbox now. Why did this happen?

The short answer is the same as the reason for essentially any other kind of attack: money.

As mentioned before, the attacker has some personal and financial information of the user. This could come in a few forms: maybe they have a credit card number and know which email address is associated with it, but they don’t have access to that email account. Sometimes they’ll have access to both the email address and credit card, which increases the dangers involved (more on that in the next section). Occasionally, they may have access to a digital payment service, like PayPal, but not the email address. In almost all possible scenarios, the attacker often only has “some” level of access.

The reason these emails are coming in is because the attacker has “partial” access to the user’s identity; i.e. they have access to, for example, an Amazon.com account and can buy products via a saved payment method, but what they lack is the access to the bank account that the payment method uses, so maybe they cannot directly transfer money out of it. Any purchase made generates a notification, as well as a subsequent shipping notification afterwards.

1. Sometimes, they’ll have access to that bank account, but cannot change the notifications that any transaction generates (such as a wire transfer) without additional authentication.

2. In other situations, maybe they have a credit card number and use it to purchase products or services they want, but the transaction alerts from the card will route to the user’s email address and potentially tip the user off to the nature of the unauthorized business.

These notifications are the reason why subscription bombing exists: because the attacker only has '“partial” access. They may not be able to turn off or change the notifications, and when you receive such notifications, the user tends to look at them and possibly question what this was. Any subsequent checks on a mysterious purchase or money transfer will usually reveal unauthorized activity and a call to that vendor or financial institution to stop the transaction.

If this is done in time, the attackers plan is foiled and they get nothing. So, they sign up the email address (the one associated with the account they are stealing from) and have it blasted with tons of other emails to cover their tracks and delay any discovery of their fraud. Trying to sift through hundreds or thousands of emails, some legitimate, some not, is a true chore and buys them time for the transaction to complete successfully.

It’s pretty common for these attacks to be conducted late at night or over weekends, especially holiday weekends, when people are least likely to be checking their email. This gives the attacker even more time to finish their theft and move on.

Paypal, Venmo, Zelle, Credit Cards of all kinds, bank accounts (checking, savings, money market, etc) and even investment accounts can be struck this way.

What does it mean and what can be done about it?

With all this background provided, what do we do now?

To begin, check with all financial institutions or services that are used commonly, either over the phone or from a known-secure computer, not necessarily the computer or phone commonly used (in case it is compromised and could deepen the access the attacker has to other accounts).

These include bank accounts, credit card vendors, investment firms, digital payment services like Zelle and PayPal and commonly used online vendors where your payment information may be saved, such as Amazon.com, eBay.com, Etsy.com, HomeDepot.com, etc.

Checking on each one of these for unexpected charges or transactions is the very first step in finding out what has occurred. If any suspect charges are identified, contact the provider and have them not only cancel any recent transactions, but alert them of the potential fraud situation and to issue a new credit card or to freeze the account and create a new one (depending on their best practices).

For other accounts, changing the password of the account and layering on MultiFactor Authentication (MFA) is a great start to a defense-in-depth approach that makes these situations far less dicey a proposition for a successful attack. Hardware tokens for MFA, such as a Yubikey, are great additions which provide far superior security than One Time Password mechanisms (OTP) that are the most commonly used MFA.

1. Where possible, avoid using MFA systems that send an email or text for authentication, since many breaches can involve interception of emails or texts as part of their attack.
2. OTP systems are the best balance of security and convenience and should be considered the minimum standard, with hardware tokens providing the most secure method overall.

If the person being attacked was any sort of financial controller, accountant or someone else with access to corporate finances, not only will personal accounts be attacked, but corporate ones may be just as vulnerable and should be checked also.

For more advanced security reviews, Tangent recommends the below steps:

Check for mail redirection rules being emplaced in the the mailbox. These can exist as mail flow rules that send all new email received to a certain folder, especially for ones from select domains that they want to hide. Having these kind of mailbox flow rules is a guaranteed sign that the email account has been compromised and is likely also being used as part of attacks on other people, usually for phishing. Note that these can also exist for outbound emails to limit observability of what the account is sending out.
- Tangent offers Outbound Email Filtering, via our UpStream Email Filtering service, that can greatly mitigate the impacts of a compromised account and the “trust-based” phishing that that account can then use against their address book of clients and vendors alike. Reducing the reputational ‘damage control’ and associated costs that the company needs to perform post-account compromise is an outright headache that can be dodged with this kind of filtering.

Blocking the senders for the whole domain, or (recommended) for the individual user would be a solid choice, but is only useful if the spam continues. Most of these subscription bomb attacks are one-and-done for a day or two at most, just to cover the purchases made before the account used is reclaimed or otherwise locked down.

Configuring a strong DMARC policy, such as P=Reject, can help prevent email based impersonation attacks that compromise a user’s account (either their email account or any other services they may use) in the first place, which can greatly reduce the chance of even having to deal with a subscription bomb attack.
- Let Tangent help you get your DMARC policy configured and escalated safely; contact us before the bomb goes off!

Another good option that will cover a partial mitigation for both the impacted user and potential future users is employing UpStream’s Geoblocking function, which can greatly ameliorate the amount of potential spam that can come in from future attacks employing this strategy.
- More on how Geoblocking works can be found at this link.

As mentioned above, implementing MultiFactor Authentication (MFA) is utterly critical and should be the baseline of security enhancements, if not already in play.
- Upgrading existing MFA to something like a hardware token is a great step to making it far stronger.

Lastly, the implementation of anti-phishing training for all users is strongly recommended. This kind of educational product shows users potential examples of phishing or other tricky emails that are designed to get them to click on dangerous links, download malicious software or provide their account information to credential harvesting websites in a manner designed to educate them on what not to do and what to look out for without being a one-and-done training seminar that is promptly forgotten.

For assistance any of these steps, please contact DMARCDirector Support and we can help or point you in the right direction for more advanced needs, like Indicator of Compromise (IoC) remediation or user training services.