Over the past few months, Americans have been receiving emails promising them a free Yeti backpack cooler from Dick’s Sporting Goods — a $325 value.
No, you haven’t won a new cooler.
These emails have gotten a lot of attention because they are sometimes able to evade sophisticated spam filters, like those built into Google's Gmail, but they are spam emails. They’re designed to get victims to provide their credit card numbers, which will be stolen.
The spam campaign is an example of how scammers are getting increasingly sophisticated at targeting consumers to give up their private information, said Or Katz, principal security researcher at Akamai, which recently published a look into how the recent spam campaign works.
While it’s unclear how exactly the emails get past spam filters, Katz said, this phishing campaign uses several sophisticated techniques, including IP filters, re-directs, and personalized links to evade layers of security software designed to mark phishing emails as harmful and prevent them from being delivered to users.
The campaign also uses a novel technique of embedding a hashtag, or a pound symbol, inside links to obscure their harmful nature, Katz said.
“This research is showing attackers creating techniques that enable them to make their campaigns much more effective, or even evade some detections,” Katz said. “And at the same time they are creating campaigns that are much more engaging, much more trustworthy [looking], putting more effort into the details.”
A Google representative called the phishing campaign “widespread” and “particularly aggressive.”
The spam campaign hitting user inboxes is another reminder that online fraud is a major industry, driven by money, that continues to evolve. While many users might believe they’d see through a scam offering valuable products for free, some people do fall for it, or the attackers wouldn’t continue to try.
Consumers in the U.S. reported losing more than $5.8 billion to fraud in 2021, according to the Federal Trade Commission. Older Americans reported losing more money than younger people, the FTC said.
While phishing emails like the cooler campaign are a fraction of that total, the most commonly reported categories of fraud to the FTC include online shopping scams and sweepstake scams.
How it works
Behind every fake Yeti cooler email is an entire industry of scammers developing software to make it easier for thieves to try and steal personal information.
The spam industry includes people who write and operate spamming software, and black markets for stolen credentials like credit cards.
“Adversaries are very money-driven. And they have their own, as we call it, factories and economies. The factories are those factories that create those phishing toolkits and deploy them, and the economies are those that sell them or resell them and use them in the wild and get money out of that,” Katz said.
Phishing toolkits are software that make it easier to administer spam servers and send emails. The toolkit behind these recent attacks was fairly sophisticated, and its developers evidently knew and reacted to how security researchers try to stamp out spam, according to Akamai.
The kit uses social engineering and several techniques to evade detection tools like URL scanners or security crawlers.
The link inside the email, often hidden with a URL shortening service, checks to make sure the user is based in North America. Then it passes the user through a series of convoluted URLs, automatically redirecting the user to the final scam site, so that automated URL checkers can’t flag it as a harmful link.
The nested redirect links also allow the attacker to change the infrastructure on the fly if parts of it are discovered or deactivated. Sometimes, the redirects go through a trusted cloud provider, using the reputation of a legitimate web services company to obscure the scam.
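As an added illustration, not code from the article or from Akamai's report, the following Python sketch shows how a mail gateway might score a link using the signals described above: a shortener in front, a hop through a trusted cloud host, a long redirect chain, a destination hidden after a "#", and a random-looking final domain. The sample hop list, the shortener and cloud-host tables, and the thresholds are all constructed assumptions.

```python
import re
from urllib.parse import urlparse, unquote

# Assumed lookup tables for the example; a real gateway would use larger lists.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "ow.ly"}
CLOUD_SUFFIXES = ("amazonaws.com", "cloudfront.net", "blob.core.windows.net",
                  "storage.googleapis.com")

def hidden_fragment_url(url):
    """Return a URL smuggled into the '#' fragment, or None.

    The fragment is never sent to the server, so a scanner that simply
    fetches the link sees only the benign host and path in front of '#'."""
    frag = unquote(urlparse(url).fragment)
    m = re.search(r"https?://[^\s\"'<>]+", frag)
    return m.group(0) if m else None

def looks_random(host):
    """Crude check for throwaway domains made of random letters: a long,
    letters-only second-level label with almost no vowels."""
    labels = host.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    vowels = sum(c in "aeiou" for c in label)
    return len(label) >= 8 and label.isalpha() and vowels / len(label) < 0.2

def analyze_chain(chain):
    """Score a redirect chain (URLs in hop order, as a crawler following
    Location headers would collect them) and return the reasons to flag it."""
    reasons = []
    hosts = [(urlparse(u).hostname or "") for u in chain]
    if hosts[0] in SHORTENERS:
        reasons.append("shortener")
    if any(h.endswith(CLOUD_SUFFIXES) for h in hosts):
        reasons.append("trusted-cloud-hop")
    if len(chain) >= 4:
        reasons.append("long-chain")
    if any(hidden_fragment_url(u) for u in chain):
        reasons.append("fragment-redirect")
    if looks_random(hosts[-1]):
        reasons.append("random-final-domain")
    return reasons

# Constructed sample chain; hosts and paths are placeholders, not real indicators.
SAMPLE_CHAIN = [
    "https://bit.ly/3xAmPlE",
    "https://storage.googleapis.com/promo/landing.html#https://rdr.example/step?c=42",
    "https://rdr.example/step?c=42",
    "https://xkqzvrtplmw.example/free-cooler",
]

if __name__ == "__main__":
    print(analyze_chain(SAMPLE_CHAIN))
```

A single flagged reason is weak evidence on its own; several of them together on one link is what separates this pattern from an ordinary marketing redirect.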
Plus, the emails and websites used with the kit are well-designed compared to other phishing campaigns, with high-quality graphics, “customer” testimonials, and the illegal use of established, trustworthy brands and trademarks, raising the chance that it could fool a victim.
Eventually, enterprise security companies learn about all new spam techniques, and the spam emails are finally added to blacklists or flagged inside systems as malicious. But the longer it takes for email providers and other infrastructure to respond, the more money the “factories” make in the meantime.
“It’s a cat-and-mouse kind of game,” Katz says.
How to protect yourself
Akamai’s research covered the period from September through the end of October, but the campaign is still apparently sending out spam, according to social media reports. Plus, phishing scams focusing on consumers tend to rise during the holiday season, taking advantage of holiday sentiment and trying to blend in with actual promotions, according to Akamai.
Eventually, this specific campaign will peter out. In the meantime, users can protect themselves and their family and friends who might be vulnerable.
The first, Katz says, is to realize that if an offer is too good to be true — a free brand name cooler, for example — it probably is.
The second solution is more technical: Users should look at the details of the email, including its sender and the URL of the website the link ultimately dumps them on. Internet providers may also offer services that can help prevent scams from getting through. (Usually, the scammer emails use a random string of letters for the domain name.)
Brands also have to be careful to prevent scammers from trading on their reputations and hurting their customers.
This fall, Dick’s Sporting Goods issued a security alert on its website warning its customers about fraudulent spam. “Scammers have recently been sending out emails to large numbers of U.S. consumers posing as well-known companies, including DICK’S,” the company said on its website.
“DICK’S does not solicit information from our customers in this manner. You should not reply to or follow any links contained in such a message,” it continued, adding that all official emails would come from an official Dick’s domain name.
A Yeti representative didn’t immediately have a comment.
Google said that the spam campaign was not limited to retailers but also impersonated shipping companies and government entities. A representative told CNBC that the spammers are using “another platform’s infrastructure” to create a path for the spam, but that Gmail currently blocks the vast majority of the harmful emails.
“While we see these types of campaigns regularly, this one is particularly aggressive and we expect to see it continue at a high rate throughout the holiday season,” the Google spokesperson said in a statement. “We urge anyone who uses email to continue exercising caution when opening messages, and Gmail users can leverage the report spam functionality.”