The Real Story

We’ve heard this story before.

Someone gives an email address to a company. That company sends them email via an ESP for several years.
Hackers break into the ESP and steal a bunch of email addresses.
The original address owner starts getting targeted and random spam to that email address.

The reality is rarely quite that simple. Here’s my version of this story. The names have been left in, but some of them are quite innocent.
In July 2009, I gave a unique email address to Dell as part of a purchase of some servers. Over the following two years, Dell sent me quite a lot of email, sometimes from their own systems, sometimes through their main ESP (Epsilon / Bigfoot Interactive), occasionally through a subcontractor who handles customer surveys for them.
In mid-May 2011, I started receiving spam from Intervision – a local company that does Enterprise IT integration – to that unique email address. Then, on June 3rd, I started getting a stream of spam from Russia for replica watches and viagra.
Epsilon were compromised back in October, and had a bunch of email lists stolen, and “we” started noticing spam going to some of those addresses at the end of May. It really looks like Intervision were one of the early purchasers of the stolen email addresses, and so might be able to point the finger at someone closely connected to the Epsilon breach.
Intervision were very responsive, and open about how they work. They do buy lists from list vendors – Jigsaw was the name that was mentioned – and acquire them from partners, but they keep a reasonable trail of when and where. They were much more professional than many companies who are caught with their hand in the cookie jar.
They’d acquired my (unique to Dell) email address over a year ago, in March 2010, as part of a list labeled “Dell Sales Leads”. But they hadn’t had anyone in-house handling email marketing, so they hadn’t started to send “email blasts” until they hired someone to do that, this May.
So the real story doesn’t involve a data breach at Epsilon at all. A more accurate version of the story would be something like this.

Dell’s sales team or one of their sales associates is trading or selling lists of Dell customer addresses.
Intervision acquired those lists via a route that may be a bit dubious, but certainly doesn’t have the drama of hacking.
When they started sending mail to the old lists they’d acquired, either Intervision or their ESP (Jangomail) had a data leak of some sort, which led to those old lists ending up in the hands of the usual criminal spammers with .ru domains.

It’s still an interesting story, but entirely different from what I was expecting. Some of the people I thought were probably responsible for the spam aren’t. Some of those I thought were innocent of any bad practice are probably up to their necks in it. You just can’t tell until you find the real story.
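The whole investigation hinges on one habit: give each vendor its own tagged address, so any mail that reaches that address from someone other than the vendor or its ESP proves the address has travelled. The script below is an added example, not code from the original post; it parses a handful of constructed messages (all addresses, vendor names and domains are made up, using example.* names), looks up the tag on the recipient address, and reports the earliest unexpected sender for each tag.

```python
"""Attribute leaked addresses using per-vendor tagged addresses.

Added example. Each vendor is handed its own tagged address of the form
user+tag@example.com. Mail arriving at that tag from a domain outside the
vendor's expected set (its own domain plus its ESP) means the address has
escaped the vendor. All addresses, domains and messages below are
constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

MY_DOMAIN = "example.com"

# Tag -> (vendor label, sender domains that vendor is expected to use).
# Constructed values; a real registry would record when each tag was issued.
TAG_REGISTRY = {
    "srv2009": ("ServerCo", {"serverco.example", "esp-one.example"}),
    "shop2010": ("ShopCo", {"shopco.example"}),
}


def split_tag(address):
    """Return (base, tag, domain) for 'base+tag@MY_DOMAIN', else None."""
    local, _, domain = address.rpartition("@")
    if not local or domain.lower() != MY_DOMAIN:
        return None
    base, plus, tag = local.partition("+")
    if not plus or not tag:
        return None
    return base, tag.lower(), domain.lower()


def sender_domain(msg):
    """Domain of the From: header, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def classify(raw_message):
    """Classify one RFC 5322 message.

    verdict is one of:
      'expected'  - sender belongs to the vendor the tag was given to
      'leaked'    - sender does not; the tagged address has escaped
      'untracked' - recipient carries no registered tag
    """
    msg = message_from_string(raw_message)
    _, to_addr = parseaddr(msg.get("To", ""))
    parts = split_tag(to_addr)
    dom = sender_domain(msg)
    date = parsedate_to_datetime(msg["Date"]) if msg.get("Date") else None
    result = {"tag": None, "vendor": None, "sender": dom, "date": date}
    if parts is None or parts[1] not in TAG_REGISTRY:
        result["verdict"] = "untracked"
        return result
    vendor, allowed = TAG_REGISTRY[parts[1]]
    result.update(tag=parts[1], vendor=vendor,
                  verdict="expected" if dom in allowed else "leaked")
    return result


def leak_report(raw_messages):
    """Per leaked tag: vendor, earliest leak date, set of unexpected senders."""
    report = {}
    for raw in raw_messages:
        r = classify(raw)
        if r["verdict"] != "leaked":
            continue
        entry = report.setdefault(
            r["tag"], {"vendor": r["vendor"], "first_seen": r["date"], "senders": set()})
        entry["senders"].add(r["sender"])
        if r["date"] and (entry["first_seen"] is None or r["date"] < entry["first_seen"]):
            entry["first_seen"] = r["date"]
    return report


def _mail(sender, to, date):
    # Build a minimal constructed message with just the headers we inspect.
    return f"From: {sender}\nTo: {to}\nDate: {date}\n\n(body omitted)\n"


# Constructed sample traffic: two legitimate senders for the srv2009 tag,
# then two third parties using it, one untagged message, one other vendor.
SAMPLE_MESSAGES = [
    _mail("ServerCo Sales <news@serverco.example>", "me+srv2009@example.com",
          "Tue, 14 Jul 2009 10:00:00 +0000"),
    _mail("promo@esp-one.example", "me+srv2009@example.com",
          "Mon, 01 Mar 2010 09:30:00 +0000"),
    _mail("marketing@integrator.example", "me+srv2009@example.com",
          "Mon, 16 May 2011 08:15:00 +0000"),
    _mail("deals@spam-test.example", "me+srv2009@example.com",
          "Fri, 03 Jun 2011 02:00:00 +0000"),
    _mail("shop@shopco.example", "me+shop2010@example.com",
          "Wed, 10 Nov 2010 12:00:00 +0000"),
    _mail("friend@somewhere.example", "me@example.com",
          "Sat, 04 Jun 2011 18:00:00 +0000"),
]

if __name__ == "__main__":
    for tag, entry in leak_report(SAMPLE_MESSAGES).items():
        print(tag, entry["vendor"], entry["first_seen"].date(), sorted(entry["senders"]))
```

The report only tells you where the address was first given and who is now using it; as the post shows, working out the route in between still takes a conversation with the unexpected sender. Recording the issue date of each tag alongside the registry lets you bound when the copy must have been taken.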

Related Posts

Targeted attacks via email – phishing for WoW gold

You’re going to be seeing a lot of discussion about email addresses stolen from ESPs in the next few days, if you haven’t already. There are a lot of interesting things to discuss about that from an email perspective – from “Why two factor authentication isn’t a magic bullet.” to “And this is why corporate spam folders can be a major security risk.”
We could have fodder for blog content for weeks!
Right now I’m just going to look at one of the reasons why it’s worth stealing a list of email addresses from an ESP or a list owner, rather than just gathering them from other sources. That is, why the ESPs and list owners are high value targets beyond just “that’s where the email addresses are”.
If you steal a list of addresses from a list owner, or a bunch of lists from an ESP, you have one very useful extra piece of information about the recipients beyond the usual name-and-email-address. You know a company that the recipient is already expecting to receive email from.
That means that you know someone you can pretend to be in order to get a recipient to open and respond to a malicious email you send them – which will make an attempt to phish someone’s credentials or compromise their computer via email much more likely to be effective.
A good example of targeted phishing for credentials is the online game World of Warcraft. There’s a huge criminal underground that makes real world money by selling game money to players. The main thing the gold sellers need to have to be able to acquire game money, advertise their services to players and to give game money to players in return for dollars is an endless series of World of Warcraft accounts. Blizzard, the World of Warcraft owner, work reasonably hard to squash those accounts and make it slightly tricky for the gold sellers to sign up for them, so stealing account credentials from existing users is a great way to get them. And you can also strip those accounts bare of in-game possessions and gold in the process.
Some of the phishing is done in the game itself, where you know that everyone has an account you can steal if you can just get them to visit your website and compromise their machine…


MAAWG: Just keeps getting better

Last week was the 22nd meeting of the Messaging Anti-Abuse Working Group (MAAWG). While I am prohibited from talking about specifics because of the closed door nature of the group, I can say I came out of the conference exhausted (as usual) and energized (perhaps not as usual).
The folks at MAAWG work hard and play even harder.
I came away from the conference feeling more optimistic about email than I have in quite a while. Not just that email is vital and vibrant but also that the bad guys may not be winning. Multiple sessions focused on botnet and crime mitigation. I was extremely impressed with some of the presenters and with the cooperation they’re getting from various private and public entities.
Overall, this conference helped me to believe that we can at least fight “the bad guys” to a draw.
I’m also impressed with the work the Sender SIG is doing to educate and inform the groups who send bulk commercial messages. With luck, the stack of documents currently being worked on will be published not long after the next MAAWG conference and I can point out all the good parts.
There are a couple specifics I can mention. One is the new list format being published by Spamhaus and SURBL to block phishing domains at the recursive resolver. I blogged about that last Thursday. The other bit is sharing a set of security resources Steve mentioned during his session.
If your organization is fighting with any messaging type abuse (email, social, etc), this is a great place to talk with people who are fighting the same sorts of behaviour. I do encourage everyone to consider joining MAAWG. Not only do you have access to some of the best minds in email, but you have the opportunity to participate in an organization actively making email, and other types of messaging, better for everyone.
(If you can’t sell the idea of a MAAWG membership to your management or you’re not sure if it’s right for you, the MAAWG directors are sometimes open to allowing people whose companies are considering joining MAAWG to attend a conference as a guest. You can contact them through the MAAWG website, or drop me a note and I’ll make sure you talk with the right folks.)
Plus, if you join before October, you can meet up with us in Paris.


Another kind of email breach

In all the recent discussions of email address thievery I’ve not seen anyone mention stealing addresses by abusing the legal system. And, yet, there’s at least one ambulance chasing lawyer that’s using email addresses that were never given to him by the recipients. Even worse, when asked about it he said that the courts told him he could use the email address and that we recipients had no recourse.
I’m not sure the spammer is necessarily wrong, but it’s a frustrating situation for both the recipient and the company that had their address list stolen.
A few years ago, the law firm of Bursor and Fisher filed a host of class action lawsuits against various wireless carriers, including AT&T. At one point during the AT&T lawsuit the judge ruled that AT&T turn over their customer list, including email addresses, to Bursor and Fisher. Bursor and Fisher were then to send notices to all the AT&T subscribers notifying them of the suit.
This is not unreasonable. Contacting consumers by email to notify them of legal action makes a certain amount of sense.
But then Bursor and Fisher took it a step further. They looked at all these valid email addresses and decided they could use this for their own purposes. They started mailing advertisements to the AT&T wireless list.
