Email is often used for confirming online requests or purchases, which consumers want.
And as a "reward" for their patronage the service provider or retailer then adds the email address to their marketing database and sends additional, unsolicited emails to the new customer.
Service providers may also sell their email list to other companies or trade them with business partners, resulting in even more unsolicited emails.
The consumer has struck back.
These business practices have spawned a new category of email called disposable email addresses (DEAs), which consumers increasingly use to avoid unwanted email.
How disposable email works
When completing an online order, instead of using their established email address, consumers use a temporary, one-time-use DEA. The mailbox is created automatically when mail is received so that all that's needed to retrieve the email to confirm the online order or request is knowledge of the email address itself.
Another characteristic of DEAs is that, because they're immediate and disposable, the service provider doesn't require any registration process. When requesting a Gmail account, for example, the requestor must enter his or her name, birthday, gender, mobile phone number, location, and an existing legitimate email address. Some providers also capture system information that can be used to identify account holders.
For legitimate consumers, this typically is not a problem. But the fraudster wants to leave as few tracks as possible.
There are scores of services offering disposable email addresses; a web search for the term even turns up a Wikipedia page. While all of these services are legitimate and upstanding businesses, they get abused. The ones most often observed being used by fraudsters are listed below; any of them may operate under multiple top-level domains, such as .com, .net, .org, .us, and others:
• gmx *
* While gmx technically is not a DEA service provider, this service frequently is used by spammers and fraudsters.
How fraudsters are using DEAs
Fraudsters, as is their nature, have found a way to use this legitimate service for their advantage.
Fraudsters are using DEAs to divert email alerts in a way that makes it harder for financial institutions and law enforcement to track them. Using a DEA is an alternative to compromising the victim's legitimate email account, and it simplifies fraud schemes that require the fraudster to control email alerts, such as changing a phone number used for out-of-band authentication, requesting a wire transfer, or adding a new user to a business banking account.
Here's how a typical attack that uses such an email address might unfold:
1. Researching bank practices.
The fraudster researches a financial institution's policies and procedures to learn the types of transactions and activities that are confirmed by the account holder via email.
2. Buying damaged goods.
The fraudster compromises an online account through any one of a number of schemes designed to capture login credentials such as phishing, data breaches, key logger malware, or simply purchasing credentials from another cyber criminal.
3. Swapping out the emails.
The fraudster logs in and successfully authenticates, then changes the email address associated with the victim's account to a disposable email address. Typically the new email address is one that would not look suspicious, such as changing <victim_name>@yahoo.com to <victim_name>@mailinator.com.
4. Gaming the system.
The fraudster initiates a transaction, such as a wire transfer, that generates a confirmation email.
5. Closing the (phony) loop.
The fraudster receives and responds to the confirmation email, authorizing the financial institution to process the fraudulent payment.
6. Email? What email?
After some period of inactivity, the DEA is automatically erased by the service provider, removing all traces of the email activity.
Observations and trends
As an indicator of the growing popularity of DEAs, Guardian Analytics Fraud Intelligence analyzed all confirmed fraud cases that involved a changed email address. Of these, 30% used a disposable email address. So, this is a widespread and prevalent scheme.
While the above scenario is typical for how DEAs are used, it is not the only possible scheme. Guardian Analytics has observed cases where fraudsters use DEAs any time they want to intercept an alert email, such as when a new payee is added to a bill pay account or there's a change to the phone number or other profile information.
Some financial institutions' systems trigger an alert to the original email address when a new email address is entered, alerting the account holder to the change. However, these typically are alerts that don't require any action to be taken by the account holder to confirm the change, and many account holders ignore these alerts or may not see them until after the fraudster has completed the attack.
Another benefit to the fraudsters is that they can forward DEAs to their own, primary email addresses, which enables them to manage all of this disposable email traffic in one place while keeping their own addresses hidden. This aspect of the scheme also reinforces the decision to use the account holder's name in the DEA as it helps the fraudsters to easily identify the accounts that are associated with each incoming email.
Prevention tips: How to detect attacks that use DEAs
- Financial institutions must pay close attention to any changes to email addresses, which account holders typically change very infrequently.
- Whenever an email address is changed, look for other suspicious activity that could be part of pre-attack reconnaissance or setting up a fraudulent transaction.
- In particular, watch for the use of any disposable email address. Account holders are highly unlikely to use a DEA for their online banking account, so any such use is highly suspicious. For a list of DEA service providers (which changes frequently), go to https://gist.github.com/adamloving/4401361.
To learn more about DEAs in general (not just as a tool for fraudsters), there's a good overview on Wikipedia. http://en.wikipedia.org/wiki/Disposable_email_address.
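As an added example (not code from the article or from Guardian Analytics), the following Python check implements the tips above: it flags an account's email-address change to a disposable domain, notes when the victim's local part was kept, and flags any high-risk action that follows such a change within a window. The DEA domain set, the event format and its field names are assumptions, and the events are constructed samples.

```python
from datetime import datetime, timedelta

# Constructed sample of DEA domains; a real deployment would load the
# frequently updated list the article links to instead.
DEA_DOMAINS = {"mailinator.com", "guerrillamail.com", "10minutemail.com"}
# Actions the article says require the fraudster to control email alerts.
HIGH_RISK_ACTIONS = {"wire_transfer", "add_payee", "phone_change", "add_user"}

def local_and_domain(addr):
    """Split an address into lowercase local part and domain."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain

def is_disposable(addr, dea_domains=DEA_DOMAINS):
    """True if the address's domain, or any parent domain, is a DEA domain."""
    labels = local_and_domain(addr)[1].split(".")
    return any(".".join(labels[i:]) in dea_domains for i in range(len(labels) - 1))

def flag_email_changes(events, window=timedelta(days=7)):
    """Alert on email changes to a DEA domain and on high-risk actions that
    follow one within `window`. Events are dicts with 'account', 'ts'
    (datetime) and 'action'; email_change events also carry 'old'/'new'."""
    alerts = []
    last_dea_change = {}  # account -> time of its latest change to a DEA
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct = ev["account"]
        if ev["action"] == "email_change":
            if is_disposable(ev["new"]):
                # Keeping the victim's local part is the lookalike pattern the
                # article describes (name@yahoo.com -> name@mailinator.com).
                kept = local_and_domain(ev["old"])[0] == local_and_domain(ev["new"])[0]
                note = "email changed to DEA domain" + (", local part kept" if kept else "")
                alerts.append((acct, ev["ts"], note))
                last_dea_change[acct] = ev["ts"]
        elif ev["action"] in HIGH_RISK_ACTIONS and acct in last_dea_change:
            if ev["ts"] - last_dea_change[acct] <= window:
                alerts.append((acct, ev["ts"],
                               f"{ev['action']} within {window.days} days of DEA email change"))
    return alerts

# Constructed sample events: account A1 shows the article's pattern, A2 does not.
SAMPLE_EVENTS = [
    {"account": "A1", "ts": datetime(2014, 3, 1, 9, 0), "action": "email_change",
     "old": "jsmith@yahoo.com", "new": "jsmith@mailinator.com"},
    {"account": "A1", "ts": datetime(2014, 3, 1, 9, 40), "action": "wire_transfer"},
    {"account": "A2", "ts": datetime(2014, 3, 2, 10, 0), "action": "email_change",
     "old": "pat@isp.example", "new": "pat@gmail.com"},
    {"account": "A2", "ts": datetime(2014, 3, 2, 11, 0), "action": "add_payee"},
]
```

Running `flag_email_changes(SAMPLE_EVENTS)` yields two alerts for A1 (the DEA change with the local part kept, then the wire transfer forty minutes later) and none for A2.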
About the author
Chris Silveira is an information security and computer forensics professional with over 14 years of experience and deep expertise in detecting and preventing malware and online fraud. Prior to Guardian Analytics, Chris worked for Silicon Valley Bank where he created and managed the Computer Security Incident Response Team to minimize losses in the online channel. Before moving into the financial services industry, he spent ten years at Electronic Arts where he was responsible for information security, incident response, and computer forensics. Chris has a BS degree in Computer Science from Notre Dame de Namur University and a master's degree in Information Assurance from Norwich University.