Another kind of email breach

In all the recent discussions of email address thievery I’ve not seen anyone mention stealing addresses by abusing the legal system. And yet there’s at least one ambulance-chasing lawyer who is using email addresses that were never given to him by the recipients. Even worse, when asked about it he said that the courts told him he could use the email addresses and that we recipients had no recourse.
I’m not sure the spammer is necessarily wrong, but it’s a frustrating situation for both the recipients and the company that had its address list taken.
A few years ago, the law firm of Bursor and Fisher filed a host of class action lawsuits against various wireless carriers, including AT&T. At one point during the AT&T lawsuit the judge ruled that AT&T must turn over its customer list, including email addresses, to Bursor and Fisher. Bursor and Fisher were then to send notices to all the AT&T subscribers notifying them of the suit.
This is not unreasonable. Contacting consumers by email to notify them of legal action makes a certain amount of sense.
But then Bursor and Fisher took it a step further. They looked at all these valid email addresses and decided they could use them for their own purposes. They started mailing advertisements to the AT&T wireless list.

Spam to my AT&T address from Bursor and Fisher
I received one of these emails back in January. I was concerned that my information, including my credit card details, had been leaked, so I contacted Mr. Fisher by phone to ask him about the source of the email addresses.

On the call Mr. Fisher told me a number of things. First, that what I received was not spam because I could always opt out. When I pointed out that the email was unsolicited, he said that he disagreed with me.
When I asked how this wasn’t a violation of my agreement with AT&T, he asserted that he was not a party to that agreement and therefore could do anything he wanted with my email address. He also informed me that I had no recourse.
Mr. Fisher also told me that he had a court order that allowed him to use the AT&T customer database however he pleased. He declined to send me a copy of the court order, however, because he didn’t want me to call him a spammer again.
From what he told me and by piecing together information I found online, this is my best understanding of what happened. A few years before I received the mail for the MySpace class action, he used the AT&T database to shop around another suit against AT&T. AT&T was justifiably upset by this and took him to court. The judge ruled in his favor. I’ve tried to find a copy of this ruling, but it appears many state court rulings aren’t published. Lawyer friends have even looked for me, but no one can find such a ruling.
It is, of course, entirely possible that the lawyer doesn’t have said ruling and that’s why he declined to email it to me. Or it’s possible he does have a ruling and I just can’t find it.
In any case, the AT&T customer database from a few years ago is in the hands of a spammer who believes it is his right to use that database however he wants. His acquisition of the list was clearly legal, and his use of the list may be legal as well. But I am still uncomfortable with the concept that judges can force a company to turn over my personal information to spammers.
As an aside, I sent a letter to the judge who ruled that AT&T must hand over its list to Bursor and Fisher. I also contacted AT&T through their privacy address and through one of my personal contacts. To date, no one has followed up with me.

Related Posts

Targeted attacks via email – phishing for WoW gold

You’re going to be seeing a lot of discussion about email addresses stolen from ESPs in the next few days, if you haven’t already. There are a lot of interesting things to discuss about that from an email perspective – from “Why two-factor authentication isn’t a magic bullet” to “And this is why corporate spam folders can be a major security risk.”
We could have fodder for blog content for weeks!
Right now I’m just going to look at one of the reasons why it’s worth stealing a list of email addresses from an ESP or a list owner, rather than just gathering them from other sources. That is, why ESPs and list owners are high-value targets beyond just “that’s where the email addresses are.”
If you steal a list of addresses from a list owner, or a bunch of lists from an ESP, you have one very useful extra piece of information about the recipients beyond the usual name and email address: you know a company that the recipient is already expecting to receive email from.
That means you know someone you can pretend to be in order to get a recipient to open and respond to a malicious email you send them – which makes an attempt to phish someone’s credentials or compromise their computer via email much more likely to be effective.
A good example of targeted phishing for credentials is the online game World of Warcraft. There’s a huge criminal underground that makes real-world money by selling game money to players. To acquire game money, advertise their services to players, and hand game money to players in return for dollars, the gold sellers need one thing above all: an endless series of World of Warcraft accounts. Blizzard, the owner of World of Warcraft, works reasonably hard to squash those accounts and makes it slightly tricky for the gold sellers to sign up for them, so stealing account credentials from existing users is a great way to get them. And you can also strip those accounts bare of in-game possessions and gold in the process.
Some of the phishing is done in the game itself, where you know that everyone has an account you can steal if you can just get them to visit your website and compromise their machine…


Spam works

I got a spam today advertising spamming services that ended with a tagline that can be paraphrased: We managed to spam you, let us spam others on your behalf!
OK, so what they actually said was:


Security framework document published

The Online Trust Alliance has published a security framework for ESPs.
Overall, I think it’s a useful starting point. I don’t agree with all of their suggestions. Some of them are expensive and provide little increase in security, while others actually decrease security, like the suggestion to force regular password changes.
I think the most important part of the document is the question section. The key to effective security measures is understanding threats. Answering the self-assessment questions and thinking about internal processes will help identify potential threats and their vectors.
The document is not a panacea, and even companies that implement all of its recommendations will still be open to attacks from other avenues. But it certainly is a very good way to open the security discussion.
