Where Do Email Lists Come From?

Email lists used for spam and phishing campaigns are sourced from a variety of locations, each with its own method of acquisition and its own challenges. These lists, often comprising thousands or even millions of email addresses, provide the essential contacts for phishing expeditions.

The DarkWeb

The most apparent source of these email lists is through data dumps from previous security breaches, which are often found on the DarkWeb. The DarkWeb, a part of the internet not indexed by search engines and accessible only with special software, is a haven for cybercriminals. After successful breaches of a website or company’s database, data is either sold or just dumped on this part of the web. This data typically includes names, email addresses, passwords, and other sensitive personal information, which can be used for spamming or phishing purposes.


Social Media & Public Info

Apart from the DarkWeb, another primary source includes social media platforms, where people often publicly share their contact information. Enterprising users can often manually scrape these sites or use automated scraping bots to compile extensive lists of email addresses.

Scraping can even be accomplished with a browser extension; see Email Extractor (Chrome).
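The automated scraping bots described above leave a recognizable footprint in a site's own access logs: one client fetching many distinct profile pages in a short window, usually with a non-browser user agent. The following is an added example (not code from the original article) that parses constructed Apache-style combined log lines and flags such clients; the log lines, the /users/<name> profile path convention, the IP addresses and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined log format; not taken from the page.
# 203.0.113.7 hits many distinct profile pages within seconds (scraper-like),
# 198.51.100.4 reads a couple of profiles at human pace.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /users/alice HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /users/bob HTTP/1.1" 200 498 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /users/carol HTTP/1.1" 200 507 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /users/dave HTTP/1.1" 200 501 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /users/erin HTTP/1.1" 200 515 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2023:13:55:05 +0000] "GET /users/alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:57:40 +0000] "GET /users/bob HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumed profile URL layout for this hypothetical site.
PROFILE_RE = re.compile(r"^/users/[^/?#]+$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, path, user_agent), or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"], m["ua"]


def find_profile_scrapers(log_text, window_seconds=60, threshold=5):
    """Flag clients that fetch at least `threshold` distinct profile pages inside
    any sliding window of `window_seconds`. Returns {ip: (max_distinct, user_agent)}."""
    hits = defaultdict(list)   # ip -> [(timestamp, path)]
    agents = {}                # ip -> last seen user agent
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, ua = parsed
        if PROFILE_RE.match(path):
            hits[ip].append((ts, path))
            agents[ip] = ua

    flagged = {}
    window = timedelta(seconds=window_seconds)
    for ip, events in hits.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Advance the left edge until the window spans at most window_seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({p for _, p in events[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[ip] = (best, agents[ip])
    return flagged


if __name__ == "__main__":
    for ip, (n, ua) in find_profile_scrapers(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct profile pages in 60s, UA={ua!r}")
```

Counting distinct profile paths rather than raw requests keeps a user reloading one page from tripping the rule; in practice the threshold is tuned against normal traffic and the user agent is treated as a hint, not a verdict, since scrapers can set any value they like.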

Harvesting

Harvesting involves setting up fake websites or landing pages that appear legitimate but are designed solely to capture email addresses from unsuspecting visitors.

Online gaming sites and registration forms for various online services are common places where individuals inadvertently offer up their email addresses or use OAuth to pass identity and contact scopes to the authorized application.

<?php
// Facebook PHP SDK client; the brace placeholders stand for the app's own values
$fb = new Facebook\Facebook([
    'app_id' => '{app-id}',
    'app_secret' => '{app-secret}',
    'default_graph_version' => 'v3.2',
]);
// Reads only the email field of the user who authorized the app; the access token
// must have been granted the "email" scope for this field to be returned
$response = $fb->get('/me?fields=email', '{access-token}');
$email = $response->getGraphUser()->getField('email');

Sample OAuth call that pulls the email address via the email scope

Some unscrupulous social networks or websites may sell their customers' information to third parties, and it may end up in the hands of spammers and phishers.

Volunteer to be Phished

Some individuals willingly or unknowingly volunteer their email addresses for phishing or spam campaigns. Simulated phishing campaigns staged by your organization’s information security office are a common awareness & training tactic. In other cases, people might willingly sign up for services or newsletters without thoroughly understanding how their email addresses will be used.

See our list of phishing services.

Buying Email Lists

For those looking for a more straightforward approach, email lists can be purchased from various sources. These sources may include marketing agencies, data brokers (e.g. B2B directories), or shady online marketplaces. While buying email lists might seem like a convenient shortcut for spammers, it comes with significant challenges. Most notably, the practice often violates regulations such as the CAN-SPAM Act in the United States and similar laws worldwide. Furthermore, purchased lists may contain outdated or inaccurate information, resulting in a low success rate for phishing campaigns.
