DDoS Protection , Email Security & Protection , Fraud Management & Cybercrime
Email Bomb Attacks: Filling Up Inboxes and Servers Near You
HHS: Bot-Driven Attacks Can Overwhelm Email Servers, Networks and Disrupt WorkflowImagine a hospital's email system suddenly filled with thousands of spam messages sent by bots. The unexpected traffic degrades network server performance, and the IT administrator is flooded with service requests from users. The hospital is clearly under a cyberattack, but what do the attackers hope to accomplish?
See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk
Federal authorities are warning healthcare and public health sector organizations to be on the lookout for email bomb attacks, a type of denial-of-service attack that can overwhelm email systems and networks and distract victims from other nefarious activities.
The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center in an alert warned that email bomb attacks - also known as letter bomb attacks - pose a considerable potential threat. The attacks are usually launched by a botnet, a single bad actor or a group, and they can overwhelm an email address or server with hundreds of thousands of email messages.
These types of DoS attacks render the target mailbox useless while burying legitimate messages that could include important warnings about account sign-in attempts, bogus online order confirmations and fraudulent financial transaction details.
One of the most notable email bomb assaults was launched in 2016 by unknown attackers that flooded thousands of targeted .gov
email inboxes with subscription requests, rendering many unusable for days, HHS HC3 said.
"Email bombs are not only an inconvenience to the victim, but to everyone using that particular server," HHS HC3 said. "When an email server is impacted by a DDoS, it can downgrade network performance and potentially lead to direct business downtime."
While email bomb attack methods vary, they often use automated bots that crawl the web searching for newsletter sign-up pages or forms that do not require live-user authentication, HHS HC3 said. "Once the email bomb order is placed, scheduled and begins, the bots will sign an unlucky recipient up for all of these newsletters at once. This generates thousands of emails arriving to the victim immediately," HHS HC3 said.
"Beside the immediate impact, victims receive an annoying, steady flow of unwanted emails that will keep arriving years after the initial attack. To add further frustration, the victim is added to additional spam, phishing and malware lists by malicious actors."
Some types of email bomb attacks involve multiple emails with large attachments designed to overload server storage space quickly and render systems unresponsive. Sometimes the attacks involve zip bombs - also called decompression bombs or zip-of-death attacks. These are large, compressed archive files sent to an email address. When decompressed, they consume available server resources and affect server performance.
Taking Action
HHS HC3 advises organizations to implement controls and security policies and to address user behavior to defend against future attacks.
The measures include implementing reCAPTCHA technology to determine if a human - or bot - is attempting to use a platform. "Email bombing bots are generally unable to bypass a reCAPTCHA, which would prevent them from signing up" for a registration or other service that might help facilitate a massive email bomb attack.
Users should be trained to avoid using work email addresses to subscribe to nonwork-related services and limit their online exposure to direct email addresses by using contact forms that do not expose email addresses.
"Given the potential implications of such an attack on the HPH sector, especially concerning unresponsive email addresses, downgraded network performance and potential downtime for servers, this type of attack remains relevant to all users," HHS HC3 said.
"Email bomb attacks are potentially disruptive and can impact the HPH through denial of services where email is a critical part of the business or clinical workflow," said Dave Bailey, vice president of consulting services at security and privacy consultancy Clearwater. "These types of attacks can be scripted using bots to continually disrupt an email account or system, making them easy to execute," he said.
Threat actors also can use these types of attacks to hide other acts of fraud, knowing an individual cannot access information as part of a process, such as account resets, appointments and authorizations, he said.
Smaller healthcare firms potentially face the most disruption because they have limited IT and security staffs and lack of immediate incident response capabilities, Bailey said.
Many lessons are evolving from current adversaries and the recent attacks on the healthcare and public health sector, he said. "Some of the top lessons include having a trained workforce aware of the current threats, having formal and rehearsed plans to respond to attacks and minimize business disruption, and understanding the risks to your organization and systems critical to the organization."
John Riggi, national adviser for cybersecurity and risk at the American Hospital Association, said that so far, email bomb attacks have not appeared to be widespread in the healthcare sector, but vigilance is important.
"We appreciate the proactive dissemination of threat information from HC3, which helps keep the healthcare sector apprised of the latest cyberthreats and prepare for evolving threats," he said. "We would encourage healthcare organizations to review the alert and provide feedback to HC3 and the FBI if they are experiencing these type of attacks."