Interview with an email bombing expert

in #hacking, 5 years ago (edited)

I'm currently working on a research project where I examine various aspects of cyber crime and cyber security. I've been looking at some of the most popular attacks which target websites and the economies that support those attacks.

One of the most common attacks is called credential stuffing. This is where a leaked email/password combination list is used in conjunction with a program like OpenBullet to find valid combinations for specific sites. Targets range from Netflix and McDonald's to more niche sites like Chegg (a tutoring site): essentially any site for which there is demand.


I hope to compile my research into a short book on the topic. To be alerted when it's released, be sure to follow my Amazon author page.

As part of the economy of "cashing out" these valid account lists, another common attack has been developed called "email bombing". The definition from Wikipedia is as follows:

In Internet usage, an email bomb is a form of net abuse consisting of sending large volumes of email to an address in an attempt to overflow the mailbox, overwhelm the server where the email address is hosted in a denial-of-service attack (DoS attack) or as a smoke screen to distract the attention from important email messages indicating a security breach.

As a small step in a long research process, I met online with a grey-market entrepreneur who goes by the name Placing. She has developed a software subscription called Cobain which provides email bombing as a service. Recently she broke $2000/month profit by providing an alternative to the most popular email bombing service, Flood CRM.


In exchange for her taking the time to speak with me, I agreed to promote her service on my blog here. I don't condone the use of email bombing, but I will make the information available as part of my research and hopefully in my eventual book. The ad she provided me is as follows:

Are You Sick Of Your Walmart, Stockx, Or Some Order With A Cracked Account Getting Cancelled?
Worry No Longer!
Cobain Email Bomber v3 And Cobain SMS Bomber v1 Are Available Now!
https://buycobain.com For BTC Purchases
https://buycobain.com/paypal.html For PayPal Purchases
DM Me (@ImPlacing) For Cashapp Purchases
Once You Order Leave Your Email Or TXID And She Will Fulfill The Order When She's Awake.

Now on to the interview.


Philip: Can you explain exactly what the software does for those who might not be familiar?

Placing: Essentially It Uses The Gmail Mailing servers to flood inboxes with emails at a much higher rate than competitors

Philip: Without doxxing yourself can you give any background on your age or demographics?

Philip: If not that is ok too

Placing: uh mixed race high schooler

Philip: Do you consider yourself a hacker?

Placing: nope

Philip: but you're familiar with tools like openbullet and even created your own email bombing software, which you sell as a subscription service?

Placing: just a coder

Philip: how long have you been coding?

Placing: 3 years

Philip: what initially got you interested?

Placing: uh idk i thought it was cool

Philip: Do you remember your first project or language?

Placing: skype tool in c#

Philip: what did it do?

Placing: spam calls auto respond etc

Philip: nice haha

Philip: so I guess it's safe to say you've always been attracted to "the dark side"

Placing: eh not really

Philip: how long did it take before you started trying to make a profit from your skills?

Philip: Is Cobain email bomber your first venture in that sense?

Placing: not really but its the first success

Philip: What else have you tried?

Philip: Also (whenever you find time)

- What gave you the idea for Cobain email bomber?
- Has your userbase been growing with time?

Placing: making sqli queries aka dorks
vpn clients
much more

people hated floodcrm.net
yes ive made almost 2k this month

Placing: at 16

Philip: Wow, that's quite a bit. How long did it take to work your way up to $2000/month in subscriptions/purchases?

Placing: actually this is the first month😌

Placing: first purchase was made on 9/24/19

Philip: Congratulations

Placing: Thanks!

Philip: So you've been working on Cobain for over a year now?

Philip: Did you always have the plan for a subscription model? Or did you create it for personal use originally?

Placing: took me about 1-2 weeks if that

Placing: im not sure if it was 100% planned originally but it has been a part of the development since very early on


Philip: can you cover some of the common motivations people have for email bombing?

Placing: Messing With Friends, Removing Traces Of Activity With Accounts Linked To The email

Philip: By removing traces you mean flooding someone's email at the same time someone uses an account attached to their email right? So if someone uses my Pizza Hut account to redeem a free pizza and I get an email I might miss it because I got 50 other emails.

Placing: well in this case its way more than 50

Philip: How many emails would I get hit with if you targeted me with Cobain?

Placing: depends on the accounts 5 accounts can send around 300-400

Philip: oh wow, so 300-400 emails from only 5 different email addresses?

Placing: yess

Philip: From what I've read the other main competitor is Flood CRM, can you compare Cobain to Flood CRM?

Philip: Flood CRM is like pay-as-you-go, whereas Cobain is like an all-you-can-eat buffet kind of thing?

Placing: floodcrm is overpriced and inconsistent

Philip: what do you mean by inconsistent?

Placing: in sending the emails u paid for

Philip: How many email bombs would you have to use to save money by using Cobain instead?

Placing: not that many as 7.50 for 1000 emails is standard with floodcrm and some have reported less than 10% of return

Philip: ouch, and you mentioned 300-400 emails with 5 gmail accounts. One problem I imagine you might have with that, wouldn't the receiver just have to "mark as spam" 5 different times to clear their box?

Philip: What is the maximum amount of accounts you could send from?

Placing: nope and 50

Philip: 50 accounts that's pretty good, I imagine you'd be able to send well over 1000 emails to a target if you loaded Cobain with 50 accounts.

Philip: Do you have any last tips for people who want to get started with email bombing?

Placing: way over 1000

Placing: buy my bomber ;)

Philip: Of course! But anything beyond that? For example should people switch out the accounts every so often in case they get marked as spam?

Placing: gmail has sending limits per time limit so they need to make burners

Philip: So if I do a massive email bombing with 50 gmail accounts, is it good enough to come back a few days later or will those accounts be dead?

Placing: they wont be dead

Philip: thanks for your time


Email bombing plays only a small role in the larger underground economy, as a service that mainly serves to provide cover for an ongoing account breach. According to the four categories of cyber crime outlined by Professor David Wall, it would be classified as a type of cyber violence. Below is its placement in a mind-map I'll release with the full report, which outlines some aspects of the four types.

Screenshot from 2019-10-23 21-24-46.png

Be sure to follow me here on Steemit and on my Amazon author page for updates as to the release of the full report.


Interesting. There are so many things that can be done that I would never think of :) It would never cross my mind to use the email bombing on my friends (or anyone else to be honest)

Great interview! At least I understand a bit more on this topic!

Have a good day and I wish you all the best with your book :)

Wow, really. The interview is very interesting. A very informative, well documented and structured publication. Thanks for the alerts. There are situations in the emails that I would never do! A cordial greeting @kirkins

Hi kirkins,

This post has been upvoted by the Curie community curation project and associated vote trail as exceptional content (human curated and reviewed). Have a great day :)

Visit curiesteem.com or join the Curie Discord community to learn more.

To listen to the audio version of this article click on the play image.

Brought to you by @tts. If you find it useful please consider upvoting this reply.

Hi, thanks for the post! I have included it in my daily Science and technology digest, and you'll receive a 10% share of that post's rewards.

Hello Hello!

I think I've never read an article like this, I found it very interesting, out of the ordinary ...

Greetings from Venezuela!