No, You Haven’t Won a Yeti Cooler From Dick’s Sporting Goods

The future of email spam utilizes a coding trick that evades the most sophisticated detection tools.
Illustration depicting a hand coming out of a mailbox holding envelopes that are on fire.
Illustration: Yazmin Monet Butcher; Getty Images

Congratulations: You’ve been chosen for a Yeti Hopper M20 Cooler. You’ve been chosen many, many times. It’s right there, in your inbox. 

The email is from Dick’s Sporting Goods. Never mind that it reads as Dicks Sporting Goods, minus the apostrophe, or Dicks SportingGoods, or Dicks SPORTING Goods. Search for “Dicks” in your Gmail and you’ll find it. Search for “Dicks” on Twitter and—well, something else might come up. But then you’ll see them, the complaints from people who, like you, have been getting incessant emails from “Dick’s Sporting Goods” about the Yeti Hopper M20. The emails urge the recipient to click the link and claim their prize.

You should not click on any part of this email. The Dick’s Sporting Goods/Yeti Hopper Cooler contest isn’t legitimate, and it does not originate from the sporting goods brand. It’s a phishing scam, something that most of us have encountered at some point in our online lives. 

But it’s an especially pernicious form of spam, one that has circumvented some of Google’s robust anti-spam tools for Gmail. Google has acknowledged that this spam campaign is “particularly aggressive.” A security research firm that has been closely tracking this latest batch of spam told WIRED that the techniques being used are fairly novel, and point to a future in which more email spam could slip past even the most sophisticated anti-fraud systems. 

“We train [machine learning] models to look at all of the different elements of an email and decompose it, and for a brief period of time, that actually worked well in stopping spam,” says Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, a US-based security firm. “But unfortunately, there are some effective ways to get around that. What’s happening now is, all the fancy machine-learning models just don’t see where the ‘bad stuff’ is in the emails, because of some clever redirection.” 

People who liberally use the Report Spam & Unsubscribe tool in Gmail might think that would put an end to the Yeti cooler emails; mark an email as spam enough times, and eventually it will go away. That hasn’t worked in this case. Justin Watkins, a popular YouTuber, tweeted in frustration about this back in September, begging Google to fine-tune its filters and send the Yeti Hopper emails to spam after receiving the emails for several consecutive months. “It’s a cat-and-mouse thing,” Watkins tells me. “I’ll mark it as spam and it’ll, like, disappear for a week, and then I’ll get two or three a day again.” 

What the email spammers are doing now, according to Kalember, is creating a scheme where machine-learning models “don’t actually get to the point where they see the bad stuff in the email.” They’re using what he calls an HTML anchor technique, which is relatively rare. This differs from the old-school, well-worn ways for scammers to slip past spam filters, which might include rotating which cloud hosting service they’re using, or creating a URL redirect, where the person opening the email clicks on the link and is redirected to several other places on the web before they land on the malicious site. The new spam campaign relies on something more interesting, says Kalember. (Assuming you find email spam “interesting” and not infuriating.)

HTML code makes frequent use of anchor tags that make specific spots within a page linkable. Think of these tags like bookmarks on a webpage; click on a link to an anchor tag and you’ll instantly jump to a different part of a multi-section page without having to scroll at all. These tags typically start with a hash symbol (#). In these Dick’s Sporting Goods spam emails that urge people to click on links, the spammers are using the code that comes after the hash to run a snippet of JavaScript and program the page dynamically, and then guide people to the phishing page. It’s a clever technique that uses a part of the email’s URL that many security tools typically don’t analyze, Kalember says. 

Basically, an automated machine-learning tool won’t pick up on what’s bad about the email if it hasn’t been trained to pick up on the code that comes after the hash. “It’s a little Rube Goldberg, but this is what we’re seeing attackers of all stripes using,” Kalember says. “They’re hiding what we call ‘the payload’ behind something that a human can find very easily in an email but a detection technique finds impossibly hard.” It also doesn’t help that spammers and cybercriminals no longer need to set up their own janky phishing sites. In some cases they’ll use architecture provided by the big cloud companies, like Amazon and Google—which sends the signal to anti-fraud tools that their operation is “legitimate.” 

It’s unclear whether the Dicks-Yeti campaign has infiltrated multiple email services or just Gmail. (In my own experience, the emails are showing up in Gmail.) A public relations representative for Google, Zoz Cuccias, says the company is well aware of a “widespread spam campaign that spoofs well-known organizations, such as retailers, shipping companies, and government entities.”

“Our security teams have identified that spammers are using another platform’s infrastructure to make a path for these abusive messages. However, even as spammers’ tactics evolve, Gmail is actively blocking the vast majority of this activity,” Cuccias says in an email. She adds that Google is in contact with the other platform provider to resolve these vulnerabilities. Google declined to say which company or platform provider it’s referring to. 

Kalember from Proofpoint notes that Google’s sheer scale makes this particularly challenging for people on the security side of the equation. Proofpoint scans around 50 billion emails a day for its clients, Kalember says, and it can only follow so many URLs around the web, resulting in a somewhat shallow analysis of potential phishing attacks. Google and other large email service providers process vastly more emails than that, though Google also says it blocks billions of spam emails every day.

Cuccias, the Google spokesperson, says the company expects to see this email campaign persist throughout the holiday season, despite Google’s best efforts. “We urge anyone who uses email to continue exercising caution when opening messages, and Gmail users can leverage the Report Spam functionality.” A reporter from Vox, Sara Morrison, recently identified emails from “Kohl’s” offering an orange Le Creuset dutch oven to be spam as well, and noted that in late November, Google had reported a 10 percent increase in malicious emails. 

There are some signs that this particular spam attack might be easing. In mid-December, I finally saw a “Dicks Sporting Goods” email show up not in my main inbox, but in my spam folder—where it belongs. When I now search for older “Dicks Sporting Goods” emails and open them, Gmail prevents the full email from loading. Of course, a new one has just emerged: As I wrote this, I received an email from “ACE Hardware” offering an opportunity to win a brand new Milwaukee Power Drill. Lucky me.