
Spamalanche


Today, someone tried to pull a scam on me, and it had some notable approaches I haven't seen or heard about before so I figure I'll write it up in case someone else someday is searching for a strange bunch of behaviors that hit their credit cards and their inboxes at the same time.

Here's a timeline from this morning:

At 10:32AM my phone starts blowing up with new message alerts from Gmail. I have almost all app notifications turned off, so when stuff gets in and it's suddenly 10 then 20 then 40 new items within the span of a minute, I knew something was up. But I was driving home from running an errand and couldn't jump on my phone until I pulled into my driveway.

At 10:35AM (unbeknownst to me) a successful charge is run at BestBuy in Clackamas, Oregon for a new $499 iPad. The order doesn't appear to be done at a physical register; instead, I believe it was an online order. I believe someone in the Portland area had my (correct) current credit card number. I don't know if that's from a vendor I've used before with a crappy employee scamming customers as a side hustle, or if it's just a coincidence.

Also at 10:35AM I pull into my driveway and read all the notifications on my phone.

At 10:36AM my Apple Card auto flagged and denied another +$400 charge at BestBuy, which immediately sends me to my inbox to look up "BestBuy" in any email while I also text my family to make sure they didn't make the charges (they're on the family account). By 10:36AM, I had about 250+ emails that appear to be someone signing me up for Mailman mailing lists (mainly at universities with low-to-no IT oversight) and many online accounts from Central and South American brands as well as places like Reddit.

A simple search for "BestBuy" immediately pointed me to the smoking gun:

At 10:37AM, I started a chat with Apple Card support via Goldman Sachs. We froze my old number and issued a new one. We flagged and denied the 2nd charge and I disputed the first.

Then I realized from my email, there was a giant CANCEL THIS ORDER button so I went ahead and clicked it to end the transaction and issue an immediate refund.

So how'd they do this?

I believe someone had my working credit card number, then either used a quick spammy script or paid a service to sign me up to several hundred services at once, so that my inbox would be completely inundated with mail to the point that I'd miss a Best Buy email among all of them.

Honestly, if it wasn't for the 2nd bounced charge alert from my credit card, I would have missed this for hours to possibly days before I found the strange charge. Maybe that's enough time to get away with the crime?

The attackers also (ab)used the feature in Gmail that lets you send email to example+anything-else-you-type-here@gmail.com to appear as unique email addresses. I have something like 40 signups to Reddit with garbage email addresses like mathowie+hexcode-junk at gmail dot com and garbage generated usernames.

Here's what my mobile inbox looked like at the time this was taking place:

and here's what my Spam folder in Gmail looked like with all the Mailman signups:

The auto-email signups continued until 12:13PM, then stopped. But luckily I caught the entire process within five minutes of it taking place, so I'm not out any money, and my Apple Card got a completely new number and I guess that means I get to update subscriptions that bounce for the next couple months to the new account.

None of the new accounts or email lists I was added to went through since you have to click a link in each email to confirm you want to start your memberships, so I'm leaving them all in my spam and trash where they will soon be gone forever.

Honestly, I wonder if Clackamas police could have grabbed someone claiming to be me at that specific BestBuy trying to pick up an iPad today, but I didn't feel like trying to explain this all to local cops (given how clueless they've been to other online attacks directed at me) so I let it go.

Hopefully this is a lesson to anyone reading this. If you spot some weird-ass email activity all of a sudden on your accounts, be sure to check your credit cards for any suspect recent purchases, because I believe the two events were linked and someone was trying to hide their actions in my crowded inbox via a "spamouflage" attack as Jim coined it, or "spamalanche" as I'm calling it.
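The check recommended above (a sudden flood of signup mail means look for a purchase notice buried inside it) can be automated. The following is an added example, not part of the original post: a Python sketch that finds the burst, counts plus-tagged recipient addresses, and surfaces purchase-looking subjects. Every message, address, keyword list and threshold in it is a constructed assumption.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Keyword lists are assumptions for illustration; tune them to your own mail.
PLUS_TAG = re.compile(r"^[^+@]+\+[^@]+@")          # user+anything@domain
SIGNUP = re.compile(r"confirm|verify|welcome|subscri|activate", re.I)
PURCHASE = re.compile(r"order|receipt|purchase|payment|pickup|invoice", re.I)

def build_sample():
    """Constructed inbox: tuples of (received, to, from, subject)."""
    t0 = datetime(2024, 1, 1, 10, 32)
    msgs = [(datetime(2024, 1, 1, 9, 0), "user@example.com",
             "friend@example.org", "Lunch Friday?")]
    for i in range(60):                             # 30 messages per minute
        to = f"user+{i:04x}@example.com" if i % 2 == 0 else "user@example.com"
        subject = "Please confirm your subscription" if i % 3 else "Verify your new account"
        msgs.append((t0 + timedelta(seconds=2 * i), to,
                     f"list{i}@lists.example.edu", subject))
    msgs.append((t0 + timedelta(minutes=3, seconds=10), "user@example.com",
                 "orders@retailer.example", "Thanks for your order: ready for pickup soon"))
    return msgs

def burst_minutes(msgs, per_minute):
    """Minute buckets whose message count reaches the threshold."""
    counts = Counter(m[0].replace(second=0, microsecond=0) for m in msgs)
    return sorted(minute for minute, n in counts.items() if n >= per_minute)

def triage(msgs, per_minute=20, pad_minutes=5):
    """Return None if there is no burst, else a summary of the flood window."""
    hot = burst_minutes(msgs, per_minute)
    if not hot:
        return None
    start = hot[0] - timedelta(minutes=pad_minutes)
    end = hot[-1] + timedelta(minutes=pad_minutes + 1)
    window = [m for m in msgs if start <= m[0] < end]
    # Purchase-looking subjects that are not signup confirmations are what
    # the flood is meant to bury, so surface them first.
    buried = [m for m in window
              if PURCHASE.search(m[3]) and not SIGNUP.search(m[3])]
    return {"window": (start, end),
            "flood": len(window) - len(buried),
            "plus_tagged": sum(1 for m in window if PLUS_TAG.match(m[1])),
            "buried": buried}

if __name__ == "__main__":
    result = triage(build_sample())
    for received, _to, sender, subject in result["buried"]:
        print(f"CHECK YOUR CARD: {received:%H:%M} {sender} {subject}")
```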
