spamhowie
December 13, 2024 2:10 AM

Today, someone tried to pull a scam on me, and it had some notable approaches I haven't seen or heard about before so I figure I'll write it up in case someone else someday is searching for a strange bunch of behaviors that hit their credit cards and their inboxes at the same time. from Spamalanche [A Whole Lotta Nothing]
posted by chavenet (14 comments total) 11 users marked this as a favorite
 
The attackers also (ab)used the feature in Gmail that lets you send email to example+anything-else-you-type-here@gmail.com to appear as unique email addresses.

Geez. I often wonder how much scamspam would be mitigated (or, at least, more easily filtered) if Gmail just didn’t allow so much “flexibility.”
posted by Thorzdad at 3:33 AM on December 13 [6 favorites]


I have the greatest respect for our former Fearless Leader, but "spamouflage" is objectively a better name for this attack pattern than "spamalanche".
posted by flabdablet at 3:37 AM on December 13 [13 favorites]


"Spamouflage" also fits better into the folio for my Beastie Boys musical.
posted by 1adam12 at 4:33 AM on December 13 [9 favorites]


This happened to me a few months ago, with the email address I use for my tiny artsy side hustle. Buried in dozens of spam messages was a receipt for the purchase of a mattress. The thieves even had my correct cell phone number, which the company used a few days later to try to confirm delivery. When I told them it was a fraudulent charge and I had notified the credit card company, they were very nice, cancelled the order and said they would cooperate with the investigation. Ridding myself of the many mailing lists I was signed up for has been more of a pain than the fraud itself.
posted by Sweetie Darling at 4:52 AM on December 13 [2 favorites]


Midway through writing the below, I realized there's an alternative theory that makes a lot more sense and covers several objections. I'd venture the scamster didn't have mathowie's card number, just their Best Buy login credentials, and that the card was a saved method of payment on the account. If they wanted to make use of that information, they were pretty much limited to running their scam at Best Buy through either pickup or delivery to a safe drop address. That said, it's still a pretty dumb way to do it, because the smart first step, instead of inundating the owner's email account in spam, is to simply change the owner's email address.

But as written, this seems to me like it doesn't make a lot of sense as a scam. That's not to say it didn't happen, and that mathowie's interpretation of it isn't correct, but only because scammers are as dumb as the rest of us and sometimes they do stupid things. The tl;dri version of my take on this is that, if you have someone's credit card number, this particular scam seems like far more risk and effort (for very little reward) than more straightforward ways of abusing that information. Specifically:
  • $500 worth of goods (or $900 with the second purchase) is a pretty small charge for anything but a trial balloon to see if it's denied. And if it's a trial balloon before the big charge, making the owner's mailbox blow up is the last thing you want to do, because they'll know something is weird and limit the time you have to run wild.
  • In-person pickup (from a store which likely has surveillance everywhere!) is an insanely risky way to do credit-card fraud. If it goes south before the pickup, you're right there with no deniability at all. mathowie didn't trust the police or Best Buy to give a rat's ass, and he was probably right, but it's still a hell of a personal risk for a fraudster (or their associate, if they're dispatching some dupe for the actual pickup) to take.
  • The email camouflage doesn't make much sense at all, honestly. If you don't want a Best Buy receipt sent to the owner of the account, why not make a new account or sign out with a guest account? For that matter, wouldn't they need the login credentials to even make a purchase on the account? This is why my alternative theory above makes more sense. I'm pretty sure they don't restrict each payment method to a single account. Or if they do, why not use some retailer where the card-owner doesn't have an account?
posted by jackbishop at 5:03 AM on December 13 [3 favorites]


For newer people: Matt is the founder of Metafilter.
posted by Melismata at 6:31 AM on December 13 [10 favorites]


Geez. I often wonder how much scamspam would be mitigated (or, at least, more easily filtered) if Gmail just didn’t allow so much “flexibility.”
Strictly speaking this is not a Gmail feature so much as an SMTP addressing feature that Gmail supports. The specification supports things pretty much only people who have worked in the email-server space even realize are possible. Basically, if you think you’ve written a regular expression to validate email addresses, you most certainly haven’t. I’ve seen an allegedly complete one once, and all it does is demonstrate why no sane person would ever do it that way.
posted by gelfin at 6:42 AM on December 13 [6 favorites]


I've seen this as part of a larger attack on one of our clients at the last MSP I worked for. It began with a phone call from someone pretending to be their bank directing their accountant to a fake sign-in page. Once they were able to get into the company's bank account, they initiated some large ACH transactions. Meanwhile, every company address they could find was signed up to services that flooded them with spam, and they started a DDOS attack (which their ISP was very reluctant to do anything about or even acknowledge that it was happening). It was hard to contain how impressed we were by how coordinated the attack was. In the end, they made off with quite a bit of money.
posted by The Great Big Mulp at 7:49 AM on December 13 [4 favorites]


This happened to me earlier this year! It was about 2 in the morning, I woke up to my phone blowing up with text and email alerts. I was groggy and confused, but luckily I did notice an early message from my bank asking me to confirm a suspicious charge. It was for airline tickets I believe, which seems a risky purchase for a scammer? I denied the charge, and spent the next few sleepless hours monitoring the deluge of "thanks for signing up!" emails for any other suspicious charges, and wondering if it would ever stop or I'd have to go through the pain of changing my phone number and email. Luckily no real harm was done (thanks, USAA!) and the biggest pain, as Sweetie Darling mentioned, was unsubscribing from all of the lists over the next week or two.
posted by Roommate at 8:13 AM on December 13 [3 favorites]


I use the + feature of Gmail all the time, especially for testing, so I would be sad if it went away (plus it would break a huge amount of legacy stuff.)
posted by tavella at 9:33 AM on December 13 [4 favorites]


(The fact that Gmail strips or ignores dots is also super useful if you've ever had a sign up for something fail partway through - if I couldn't start over with my.emailaddress@gmail when it insists that a (broken) account is already associated with myemailaddress@gmail, I'd have to get another email address for that use, and that just sucks.)
posted by Dysk at 9:50 AM on December 13 [3 favorites]
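
An added example, not part of any comment in this thread: a sketch of how the operator of a sign-up form could fold the Gmail +tag and dot variants described above onto one mailbox and notice when many spellings of the same mailbox are subscribed in a short time. The function names, the one-hour window, the three-variant threshold and the sample events are all assumptions made for illustration.

```python
from collections import defaultdict

def canonical_mailbox(address):
    """Fold Gmail +tag and dot variants onto one mailbox key.
    Assumption: only gmail.com is folded; other domains are left as typed."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.lower()
    if domain == "gmail.com":
        local = local.split("+", 1)[0].replace(".", "").lower()
    if not sep or not local or not domain:
        raise ValueError(f"not an address: {address!r}")
    return f"{local}@{domain}"

def flag_signup_bursts(events, window_seconds=3600, min_variants=3):
    """events: iterable of (unix_time, address) sign-ups.
    Returns {mailbox: sorted spellings} for every mailbox that was signed up
    under at least min_variants distinct spellings inside one time window."""
    by_box = defaultdict(list)
    for ts, addr in events:
        try:
            by_box[canonical_mailbox(addr)].append((ts, addr.strip().lower()))
        except ValueError:
            continue  # skip malformed input rather than abort the scan
    flagged = {}
    for box, hits in by_box.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until it spans <= window_seconds
            while hits[end][0] - hits[start][0] > window_seconds:
                start += 1
            variants = {a for _, a in hits[start:end + 1]}
            if len(variants) >= min_variants:
                flagged[box] = sorted(variants)
                break
    return flagged

# Constructed sample sign-up events (unix_time, address); not real data.
SAMPLE_EVENTS = [
    (1000, "example+news1@gmail.com"),
    (1060, "e.xample+deals@gmail.com"),
    (1120, "Example+x7q@gmail.com"),
    (1200, "someone@example.org"),
    (90000, "other.person@gmail.com"),
    (200000, "otherperson+a@gmail.com"),
]

if __name__ == "__main__":
    for box, spellings in flag_signup_bursts(SAMPLE_EVENTS).items():
        print(box, "<-", ", ".join(spellings))
```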


That said, it's still a pretty dumb way to do it, because the smart first step, instead of inundating the owner's email account in spam, is to simply change the owner's email address.

Haven't tested it, but I wouldn't be surprised if changing the owner's email address prompted either (a) increased temporary security measures or (b) at the very least, an email to the original address "notifying" the user that the address had been changed. You'd want to drown that out with spam, also.

In-person pick up at Best Buy also requires a matching photo ID, so perhaps this was a trial balloon. (I was always skeptical about this "trial balloon" analysis but the one and only time I had a credit card compromised they did take that approach.)
posted by praemunire at 11:34 AM on December 13 [1 favorite]


It began with a phone call from someone pretending to be their bank directing their accountant to a fake sign-in page

If I ever found out that my accountant had ever made use of a phone number or URL or email address or mailing address or any kind of contact supplied to them by a cold caller rather than insisting on the use of publicly discoverable contacts under those circumstances, I'd find a new accountant. Fuck's sake.
posted by flabdablet at 11:56 AM on December 13 [5 favorites]


In-person pickup (from a store which likely has surveillance everywhere!) is an insanely risky way to do credit-card fraud.

Oohhhh, that reminds me ... If you have not yet seen the indie movie Emily The Criminal, it's worth the watch, for the insight into that world and for generally being a good movie.
posted by intermod at 2:44 PM on December 13 [2 favorites]

