
Hackers are weaponizing legitimate sign-up forms to flood their victims’ inboxes with hundreds of automated emails. This helps hide the actual attack, such as ordering a new credit card or committing a fraudulent transaction, in the noise.
Website owners report suspicious activity that bypasses common defense techniques, such as rate limiting or IP blocking.
Jye Cusch, a software engineer and co-founder at Nitric.io, noticed that strange new user accounts were being created on their website.
“New users were signing up but not doing anything – they weren’t creating an org, a project, or a deployment, they just left an account sitting there,” the blogger writes in a post detailing how sign-up forms are being turned into weapons.
The email addresses are legitimate. However, user names are totally random, like “PfVQXvYTXjwSbEeJBjXYy.”
It started with just a few unusual sign-ups each day, which can easily go unnoticed or fail to ring any alarm bells.
“Honestly, our first thought was that someone was pen testing our service,” Cusch said.
However, the expert quickly noted a strange pattern. After each bot account is created, it waits about 60 seconds, then heads to the forgot password page to try to reset it.
This meant that each email address would receive three emails in under a minute: one to verify the address, one welcoming the user for joining, and one to reset the password.
The blogger suspects subscription bombing, a type of attack where hackers use bots to sign up their victim's email address to hundreds or thousands of unwanted services. The intention is to flood the victim's inbox with so much noise that they can't notice the important email.
“You wake up to 200 emails from services you've never heard of. By the time you realize something is wrong, a hacker has already ordered a credit card in your name – hiding the confirmation in the noise,” Cusch writes.
The expert believes that thousands of services online are silently abused by attackers. Common defenses are toothless. Rate limiting wouldn't catch one request every hour, or even fewer. Each of the "visitors" uses a different IP address, so blocking isn't a solution either.
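The pattern described above is invisible to per-IP rate limiting but easy to spot once events are correlated per account. The following is an added example, not code from Nitric or the blog post: it runs over a constructed sample of sign-up and password-reset events, flags accounts whose only activity is a sign-up followed by a reset request within a short window, and uses a simple vowel-ratio heuristic (an assumption, standing in for a real name classifier) to catch the random-looking usernames the post mentions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events: timestamp, account, source IP, event name.
# Each bot account signs up, does nothing, then requests a password reset
# about 60 s later from a different IP, so per-IP rate limits never fire.
SAMPLE_EVENTS = """\
2024-05-01T00:00:05Z PfVQXvYTXjwSbEeJBjXYy 203.0.113.10 signup
2024-05-01T00:01:07Z PfVQXvYTXjwSbEeJBjXYy 198.51.100.7 password_reset_request
2024-05-01T00:58:40Z QkzTWvbnRpLsDfGhJ 192.0.2.44 signup
2024-05-01T00:59:39Z QkzTWvbnRpLsDfGhJ 203.0.113.91 password_reset_request
2024-05-01T01:10:00Z alice 192.0.2.8 signup
2024-05-01T01:12:30Z alice 192.0.2.8 create_org
2024-05-01T03:00:00Z bob 198.51.100.2 signup
2024-05-01T09:00:00Z bob 198.51.100.2 password_reset_request
"""

def parse_events(text):
    """Group (timestamp, ip, event) tuples by account name."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, account, ip, event = line.split()
        events[account].append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, event))
    return events

def looks_random(name, max_vowel_ratio=0.2):
    """Assumed heuristic: machine-generated names have almost no vowels."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 8:
        return False
    vowels = sum(c.lower() in "aeiou" for c in letters)
    return vowels / len(letters) < max_vowel_ratio

def flag_subscription_bombing(text, reset_window_s=90):
    """Return {account: reasons} for accounts matching the signup-then-reset
    pattern with no other activity, or carrying a random-looking name."""
    flagged = {}
    for account, evs in parse_events(text).items():
        evs.sort()
        kinds = [e for _, _, e in evs]
        reasons = []
        if kinds == ["signup", "password_reset_request"]:
            delta = (evs[1][0] - evs[0][0]).total_seconds()
            if delta <= reset_window_s:
                reasons.append(f"reset {delta:.0f}s after signup, no other activity")
        if looks_random(account):
            reasons.append("random-looking username")
        if reasons:
            flagged[account] = reasons
    return flagged
```

Real users like `alice` (who goes on to create an org) and `bob` (who resets hours later) are left alone, while both bot accounts are flagged on two independent signals.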
“The requests came from all over (India, Brazil, Romania, the US, Vietnam, Türkiye), which isn’t unusual until you compare it to typical traffic.”
Even after tightening firewall rules, half of the requests still slipped through. The developer says that Cloudflare's Turnstile anti-bot solution fixed it: it's a CAPTCHA alternative that doesn't ask users to solve puzzles but instead analyzes browser signals.
“We could have looked at 1-2 sign-ups per hour and shrugged, since the business impact to us was basically zero. But those were real people’s email addresses, and our service was being used against them,” the developer noted.
The Hacker News community picked up the story and reported many similar attempts by attackers to exploit legitimate features.
Bots are checking credit cards to see which go through
Tech pros share similar stories.
“We suffered a different kind of subscription bombing: a hacker using our ‘change credit card’ form to ‘clean’ a list of thousands of credit cards to see which ones would go through and approve transactions,” wrote a forum user under the alias “pqdbr.”
In this case, attackers began the activity at midnight, when no human was watching, rotating IPs with every request.
“We had Cloudflare Turnstile installed in both the sign-up form and in all credit card forms. All requests were validated by Turnstile. We were running with the ‘invisible’ setting, and switched back to the ‘recommended’ setting after the incident, so I don't know if this less strict setting was to blame,” the user said.
Overnight, the hacker exploited the unprotected payment form to test roughly 2,000 stolen credit cards. Ten percent of them were valid – each was charged and refunded $1 as confirmation. The user was worried that payment processors might ban them for allowing this activity.
“As a newsletter company, we've dealt with this for over a decade now, since we do the right thing and do double opt-in, which involves sending the subscriber an email on signup,” another user said, sharing their experience with subscription bombing attacks.
They agreed that Turnstile is a reasonable solution and also suggested looking for the “webdriver” flag that automated browsers often set and most bots don't bother hiding.
“Adding more steps, honeypots (with an immediate short-term IP ban), etc., also have an impact. It becomes a game of piling up numerous defenses in a sort of Swiss cheese model,” the user said.
Other users refused to use big tech solutions and suggested other creative defenses.
“Any sufficiently advanced bot can get around any CAPTCHA anyway. We solved this at our startup by running names through a simple LLM filter – if the name is gibberish, like Px2846skxojw, it just blocks the signup. Worked surprisingly well,” one user suggested.
The victims of these attacks also joined the conversation. One user told their story.
“I got signed up to probably 700 newsletters overnight. In the middle of all of the sign-ups, there was activity on my Airbnb account where my notification settings were changed,” chw9e writes.
“When I checked my Airbnb, I noticed that someone had created a fake listing under my account and disabled booking notifications for it. A real multi-layer scam where the hacker would be making money off a fake listing on someone else’s account, who would probably never even realize it.”
Site owners are warning other web admins to check and protect their sign-up forms and add additional verification. While most site owners may not suffer any harm from this silent activity, the damage is disproportionately severe for the victims. Cybercriminals have been using subscription bombing as a service for years, and attacks are highly automated.