The Yeti logo appears on the for-sale cooler at the company’s flagship store in Austin, Texas.
Sergio Flores | Bloomberg | Getty Images
For the past few months, Americans have been receiving emails from Dick’s Sporting Goods promising them a free Yeti backpack cooler — a $325 value.
No, you didn’t get a new refrigerator.
These emails have attracted a lot of attention because they can sometimes evade sophisticated spam filters like the ones that come in. Google‘s Gmail, but they are spam emails. They are designed to get victims to provide their credit card numbers to be stolen.
Senior security researcher Or Katz said the spam campaign is an example of how fraudsters are becoming more sophisticated at tricking consumers into giving up their personal information. Akamairecently published an overview of how a spam campaign works.
Katz noted that while it’s not known exactly how the emails got through spam filters, this phishing campaign uses a combination of IP filters, redirects and personalized links to evade layers of security software designed to flag phishing emails as malicious and block them. uses several complex methods. from delivery to users.
The campaign also uses a new technique to embed a hashtag or pound symbol inside links to disguise their malicious nature, Katz said.
“This research shows that attackers are developing techniques that allow them to make their campaigns more effective or even evade some detections,” Katz said. “And at the same time, they create more attractive, more reliable campaigns [looking]put more effort into the details.”
A Google representative called the phishing campaign “widespread” and “particularly aggressive.”
The spam campaign hitting users’ inboxes is a reminder that online fraud is a major money-driven industry that continues to grow. While many users believe they’ll spot a scammer offering valuable products for free, some people fall for it, or the attackers won’t keep trying.
According to the Federal Trade Commission, consumers in the United States reported losing more than $5.8 billion to fraud in 2021. Older Americans reported losing more money than younger Americans, the FTC said.
While phishing emails such as chilling campaigns make up a fraction of that total, the most frequently reported fraud categories to the FTC include online shopping scams and lottery scams.
Here’s how it works
Behind every fake Yeti fridge email is an entire industry of scammers who develop software to make it easier for thieves to steal and steal personal information.
The spam industry includes people who write and run spam programs and black markets for stolen credentials such as credit cards.
“Enemies rely heavily on money. They have what we call their factories and farms. Factories are the factories that create and deploy those phishing kits, and economies are the factories that sell or resell and use them in the wild and make money off of it,” Katz said.
Phishing toolkits are programs that make it easier to control spam servers and send emails. According to Akamai, the toolset behind these latest attacks was quite sophisticated, and its developers no doubt knew and reacted to how security researchers were trying to eliminate spam.
The kit uses social engineering and several methods to evade detection tools such as URL scanners or security scanners.
A link inside the email, often hidden by a URL shortening service, checks to make sure the user is in North America. It then walks the user through a series of twisted URLs, automatically redirecting the user to the final fraudulent site so automated URL checkers cannot flag it as a malicious link.
Embedded redirect links also allow an attacker to immediately modify parts of the infrastructure if it is discovered or disabled. Sometimes the redirects go through a trusted cloud provider using the reputation of a legitimate web services company to hide the scam.
Moreover, the emails and websites used by the kit are well-designed compared to other phishing campaigns, with high-quality graphics, “customer” phrases, and illegal use of established, trusted brands and trademarks. sacrifice
Eventually, corporate security companies learn about all the new spam techniques, and spam emails are eventually added to blacklists or marked as malicious in systems. But the longer it takes for email providers and other infrastructure to respond, the more money the “factories” make in the meantime.
“It’s a cat-and-mouse game,” says Katz.
How to protect yourself
Example of an email from a spam campaign caught by the Gmail filter.
Akamai’s study looked at a period from September to the end of October, but according to social media data, the campaign was still spamming. In addition, according to Akamai, phishing scams targeting consumers tend to increase during the holiday season, taking advantage of the holiday spirit and trying to mix in actual promotions.
Eventually, this particular campaign will disappear. In the meantime, users can protect themselves and their family and friends who may be vulnerable.
First, Katz says, if an offer sounds too good to be true—for example, a free brand-name refrigerator—it’s probably a good idea to realize it.
The second solution is more technical: Users should look at the details of the email, including the sender and the URL of the website the link dropped them to. ISPs may also offer services that can help prevent scams from getting through. (Typically, scam emails use a random string of letters for the domain name.)
Brands must also be careful to prevent fraudsters from working on their reputation and harming their customers.
This fall, Dick’s Sporting Goods posted a security alert on its website warning customers about fraudulent spam. “Fraudsters have recently been sending emails to a large number of US consumers posing as reputable companies, including DICK’s,” the company said on its website.
“DICK’S does not solicit information from our customers in this way. You should not respond to or follow any links contained in such a message,” it continued, adding that all official emails would come from the official Dick’s domain name.
A representative for Yeti did not immediately comment.
Google said the spam campaign was not limited to retailers, but also represented shipping companies and government agencies. Spammers use “another platform’s infrastructure” to create a path for spam, but Gmail currently blocks the vast majority of malicious emails, a representative told CNBC.
“While we see these types of campaigns on a regular basis, this one is particularly aggressive and we expect it to continue at a high pace throughout the holiday season,” a Google spokesperson said. “We urge everyone who uses email to continue to exercise caution when opening messages, and Gmail users can use the spam notification feature.”