The Yeti logo is seen on a cooler for sale at the company’s flagship store in Austin, Texas.
Sergio Flores | Bloomberg | Getty Images
Over the past few months, Americans have received emails promising them a free Yeti backpack cooler from Dick’s Sporting Goods – a value of $325.
No, you haven’t won a new cooler.
These emails have received a lot of attention because they are sometimes able to evade sophisticated spam filters, such as those built into Google‘s Gmail, but it’s spam. They are designed to trick victims into providing their credit card numbers, which will be stolen.
The spam campaign is an example of how scammers are becoming increasingly sophisticated at targeting consumers to divulge their private information, said Or Katz, senior security researcher at Akamaiwho just published a glance on how the recent spam campaign works.
While it’s unclear exactly how the emails pass spam filters, Katz said, this phishing campaign uses several sophisticated techniques, including IP filters, redirects and custom links to evade layers of security software designed to mark phishing emails as dangerous and prevent them. to be delivered to users.
The campaign also uses a new technique of embedding a hashtag, or pound symbol, inside links to mask their harmful nature, Katz said.
“This research shows that attackers create techniques that allow them to make their campaigns much more effective, and even evade certain detections,” Katz said. “And at the same time, they create much more engaging, much more trustworthy campaigns. [looking]putting more effort into the details.”
A Google representative called the phishing campaign “widespread” and “particularly aggressive”.
The spam campaign hitting users’ inboxes is another reminder that online fraud is a major, money-driven industry that continues to evolve. While many users might believe they would see through a scam offering valuable products for free, some people fall for it, or the attackers won’t keep trying.
Consumers in the United States said they lost more than $5.8 billion to fraud in 2021, according to the Federal Trade Commission. Older Americans reported losing more money than younger people, the FTC said.
Although phishing emails such as the Cooler campaign represent only a fraction of this total, the most frequently reported categories of fraud to the FTC include online shopping scams and contest scams.
Behind every fake Yeti cooler email is an entire industry of scammers developing software to make it easier for thieves to try and steal personal information.
The spam industry includes people who write and operate spam software and black markets for stolen credentials like credit cards.
“The adversaries are very money-driven. And they have their own, as we call it, factories and economies. Factories are those factories that create these phishing toolkits and deploy them, and the economies are those who sell or resell and use them in the wild and make money from them,” Katz said.
Phishing toolkits are software that facilitate the administration of spam servers and the sending of e-mails. The toolkit behind these recent attacks was quite sophisticated, and its developers clearly knew and reacted to how security researchers are trying to eradicate spam, according to Akamai.
The kit uses social engineering and several techniques to evade detection tools such as URL scanners or security bots.
The link inside the email, often hidden by a URL shortening service, verifies that the user is based in North America. Then it takes the user through a series of convoluted URLs, automatically redirecting the user to the final scam site so that automated URL checkers cannot flag it as a harmful link.
Nested redirect links also allow the attacker to modify the infrastructure on the fly if parts of it are discovered or disabled. Sometimes the redirects go through a trusted cloud provider, using the reputation of a legitimate web service company to hide the scam.
Additionally, the emails and websites used with the kit are well-designed compared to other phishing campaigns, with high-quality graphics, “customer” testimonials, and illegal use of trademarks and established and trustworthy commercial brands, which increases the risk that it can deceive a victim.
Eventually, corporate security companies discover all new spam techniques, and spam emails are eventually added to blacklists or flagged inside systems as malicious. But the longer it takes for email providers and other infrastructure to respond, the more money the “factories” make in the meantime.
“It’s kind of a cat-and-mouse game,” Katz says.
An example of spam campaign email intercepted by Gmail filter.
Akamai’s research covered a period between September and the end of October, but the campaign apparently continues to send spam, according to social media. Additionally, phishing scams targeting consumers tend to increase during the holiday season, taking advantage of the holiday sentiment and trying to blend in with actual promotions, according to Akamai.
Eventually, this specific campaign will run out of steam. In the meantime, users can protect themselves and their family and friends who might be vulnerable.
First, Katz says, realize that if an offer is too good to be true — a free branded cooler, for example — it probably is.
The second solution is more technical: users must view the details of the email, including its sender and the URL of the website to which the link ultimately takes them. Internet service providers may also offer services that can help prevent scams from happening. (Usually fraudulent emails use a random string of letters for the domain name.)
Brands also need to be careful to prevent scammers from taking advantage of their reputation and harming their customers.
This fall, Dick’s Sporting Goods posted a security alert on its website warning customers about spam scams. “The scammers recently sent emails to a large number of US consumers posing as well-known companies, including DICK’S,” the company said. says on his site.
“DICK’S does not solicit information from our customers in this manner. You should not respond to or follow any links in such a message,” he continued, adding that all official emails would come from from an official Dick domain name.
A representative for Yeti did not immediately comment.
Google said the spam campaign was not limited to retailers, but also imitated shipping companies and government entities. A representative told CNBC that spammers use “another platform’s infrastructure” to create a path for spam, but Gmail currently blocks the vast majority of harmful emails.
“While we see these types of campaigns regularly, this one is particularly aggressive and we expect it to continue at a high pace throughout the holiday season,” the Google spokesperson said. in a press release. “We urge everyone who uses email to continue to exercise caution when opening messages, and Gmail users can take advantage of the report spam feature.”