Congratulations: You’ve been chosen for a Yeti Hopper M20 Cooler. You’ve been chosen many, many times. It’s right there, in your inbox.
The email is from Dick’s Sporting Goods. Never mind that it reads as Dicks Sporting Goods, minus the apostrophe, or Dicks SportingGoods, or Dicks SPORTING Goods. Search for “Dicks” in your Gmail and you’ll find it. Search for “Dicks” on Twitter and—well, something else might come up. But then you’ll see them, the complaints from people who, like you, have been getting incessant emails from “Dick’s Sporting Goods” about the Yeti Hopper M20. The emails urge the recipients to click the link and claim their prize.
You should not click on any part of this email. The Dick’s Sporting Goods/Yeti Hopper Cooler contest isn’t legitimate, and it does not originate from the sporting goods brand. It’s a phishing scam, something that most of us have encountered at some point in our online lives.
But it’s an especially pernicious form of spam, one that has circumvented some of Google’s robust anti-spam tools for Gmail. Google has acknowledged that this spam campaign is “particularly aggressive.” A security research firm that has been closely tracking this latest batch of spam told WIRED that the techniques being used are fairly novel, and point to a future in which more email spam could slip past even the most sophisticated anti-fraud systems.
“We train [machine learning] models to look at all of the different elements of an email and decompose it, and for a brief period of time, that actually worked well in stopping spam,” says Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, a US-based security firm. “But unfortunately, there are some effective ways to get around that. What’s happening now is, all the fancy machine-learning models just don’t see where the ‘bad stuff’ is in the emails, because of some clever redirection.”
People who liberally use the Report Spam & Unsubscribe tool in Gmail might think that would put an end to the Yeti cooler emails; mark an email as spam enough times, and eventually it will go away. That hasn’t worked in this case. Justin Watkins, a popular YouTuber, tweeted in frustration about this back in September, begging Google to fine-tune its filters and send the Yeti Hopper emails to spam after receiving the emails for several consecutive months. “It’s a cat-and-mouse thing,” Watkins tells me. “I’ll mark it as spam and it’ll, like, disappear for a week, and then I’ll get two or three a day again.”
What the email spammers are doing now, according to Kalember, is creating a scheme where machine-learning models “don’t actually get to the point where they see the bad stuff in the email.” They’re using what he calls an HTML anchor technique, which is relatively rare. This differs from the old-school, well-worn ways for scammers to slip past spam filters, which might include rotating which cloud hosting service they’re using, or creating a URL redirect, where the person opening the email clicks on the link and is redirected to several other places on the web before they land on the malicious site. The new spam campaign relies on something more interesting, says Kalember. (Assuming you find email spam “interesting” and not infuriating.)
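As an added example, not taken from the article or from Proofpoint, here is one defender-side check suggested by the sender-name variants described earlier (Dicks Sporting Goods, Dicks SportingGoods, Dicks SPORTING Goods): normalize the From display name so case, punctuation and spacing differences collapse, then flag messages that carry a protected brand's name from a domain outside that brand's allowlist. The sample headers, domains and allowlist are constructed assumptions.

```python
import re
import unicodedata
from email.utils import parseaddr

# Constructed sample From headers modelled on the sender-name variants the
# article describes; the domains are placeholders, not real senders.
SAMPLE_FROM_HEADERS = [
    "Dicks Sporting Goods <promo@cooler-prize.example>",
    "Dicks SportingGoods <offers@claim-now.example>",
    "Dicks SPORTING Goods <noreply@winner.example>",
    '"Dick\'s Sporting Goods" <news@brand-legit.example>',
    "Weekly Digest <hello@newsletter.example>",
]

# Hypothetical allowlist (an assumption for this example): the sending domains
# a protected brand's display name may legitimately appear with.
PROTECTED_BRANDS = {
    "dickssportinggoods": {"brand-legit.example"},
}


def normalize_display_name(name: str) -> str:
    """Collapse the cosmetic variation spammers use (case, apostrophes,
    spacing) so 'Dicks SPORTING Goods' and "Dick's Sporting Goods" compare
    equal."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return re.sub(r"[^a-z0-9]", "", folded)


def sender_domain(addr: str) -> str:
    """Domain part of an address, lower-cased ('' if there is no '@')."""
    return addr.rpartition("@")[2].casefold()


def brand_impersonation_verdict(from_header: str):
    """Return (flagged, brand_key, domain) for one From header.

    Flag when the normalized display name matches a protected brand but the
    address domain is not on that brand's allowlist."""
    name, addr = parseaddr(from_header)
    key = normalize_display_name(name)
    domain = sender_domain(addr)
    allowed = PROTECTED_BRANDS.get(key)
    flagged = allowed is not None and domain not in allowed
    return flagged, key, domain


def flagged_senders(headers):
    """Headers whose display name impersonates a protected brand."""
    return [h for h in headers if brand_impersonation_verdict(h)[0]]
```

A check like this only covers the display-name trick; it says nothing about the link inside the message body, which is where the redirection Kalember describes lives.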