The Real Story

We’ve heard this story before.

Someone gives an email address to a company. That company sends them email via an ESP for several years.
Hackers break in to the ESP and steal a bunch of email addresses.
The original address owner starts getting targeted and random spam to that email address.

The reality is rarely quite that simple. Here’s my version of this story. The names have been left in, but some of them are quite innocent.
In July 2009, I gave a unique email address to Dell as part of a purchase of some servers. Over the following two years, Dell sent me quite a lot of email, sometimes from their own systems, sometimes through their main ESP (Epsilon / Bigfoot Interactive), occasionally through a subcontractor who handles customer surveys for them.
In mid-May 2011, I started receiving spam from Intervision – a local company that does Enterprise IT integration – to that unique email address. Then, on June 3rd, I started getting a stream of spam from Russia for replica watches and viagra.
Epsilon were compromised back in October, and had a bunch of email lists stolen, and “we” started noticing spam going to some of those addresses at the end of May. It really looks like Intervision were one of the early purchasers of the stolen email addresses, and so might be able to point the finger at someone closely connected to the Epsilon breach.
Intervision were very responsive, and open about how they work. They do buy lists from list vendors – jigsaw was the name that was mentioned – and acquire them from partners, but they keep a reasonable trail of when and where. They were much more professional than many companies who are caught with their hand in the cookie jar.
They’d acquired my (unique to Dell) email address over a year ago, in March 2010, as part of a list labeled “Dell Sales Leads”. But they hadn’t had anyone in-house handling email marketing, so they hadn’t started to send “email blasts” until they hired someone to do that, this May.
So the real story doesn’t involve a data breach at Epsilon at all. A more accurate version of the story would be something like this.

Dell’s sales team or one of their sales associates is trading or selling lists of Dell customer addresses.
Intervision acquired those lists via a route that may be a bit dubious, but certainly doesn’t have the drama of hacking.
When they started sending mail to the old lists they’d acquired, either Intervision or their ESP (Jangomail) had a data leak of some sort, which lead to those old lists ending up in the hands of the usual criminal spammers with .ru domains.

It’s still an interesting story, but entirely different from what I was expecting. Some of the people I thought were probably responsible for the spam, aren’t. Some of those I thought were innocent of any bad practice are probably up to their necks in it. You just can’t tell until you find the real story.

Related Posts

Targeted attacks via email – phishing for WoW gold

You’re going to be seeing a lot of discussion about email addresses stolen from ESPs in the next few days, if you haven’t already. There are a lot of interesting things to discuss about that from an email perspective – from “Why two factor authentication isn’t a magic bullet.” to “And this is why corporate spam folders can be a major security risk.”
We could have fodder for blog content for weeks!
Right now I’m just going to look at one of the reasons why it’s worth stealing a list of email addresses from an ESP or a list owner, rather than just gathering them from other sources. That is, why the ESPs and list owners are high value targets beyond just “that’s where the email addresses are“.
If you steal a list of addresses from a list owner, or a bunch of lists from an ESP, you have one very useful extra piece of information about the recipients beyond the usual name-and-email-address. You know a company that the recipient is already expecting to receive email from.
That means that you know someone you can pretend to be in order to get a recipient to open and respond to a malicious email you send them – which will make an attempt to phish someones credentials or compromise their computer via email much more likely to be effective.
A good example of targeted phishing for credentials is the online game World of Warcraft. There’s a huge criminal underground that makes real world money by selling game money to players. The main thing the gold sellers need to have to be able to acquire game money, advertise their services to players and to give game money to players in return for dollars is an endless series of World of Warcraft accounts. Blizzard, the World of Warcraft owner, work reasonably hard to squash those accounts and make it slightly tricky for the gold sellers to sign up for them, so stealing account credentials from existing users is a great way to get them. And you can also strip those accounts bare of in-game possessions and gold in the process.
Some of the phishing is done in the game itself, where you know that everyone has an account you can steal if you can just get them to visit your website and compromise their machine…

Read More

Another kind of email breach

In all the recent discussions of email address thievery I’ve not seen anyone mention stealing addresses by abusing the legal system. And, yet, there’s at least one ambulance chasing lawyer that’s using email addresses that were never given to him by the recipients. Even worse, when asked about it he said that the courts told him he could use the email address and that we recipients had no recourse.
I’m not sure the spammer is necessarily wrong, but it’s a frustrating situation for both the recipient and the company that had their address list stolen.
A few years ago, law firm of Bursor and Fisher filed a host of class action lawsuits against various wireless carriers, including AT&T. At one point during the AT&T lawsuit the judge ruled that AT&T turn over their customer list, including email addresses, to Bursor and Fisher. Bursor and Fisher were then to send notices to all the AT&T subscribers notifying them of the suit.
This is not unreasonable. Contacting consumers by email to notify them of legal action makes a certain amount of sense.
But then Bursor and Fisher took it a step further. They looked at all these valid email addresses and decided they could use this for their own purposes. They started mailing advertisements to the AT&T wireless list.

Read More

New security focused services

Steve’s been busy this week working on some new products.
You can see the first at Did Company Leak? This is a neat little hack that looks at social media reports to see if a there are reports of leaks, breaches or hacks and gives you a list of tweets that reference them. And, yes, I did really receive spam to two addresses stolen from iContact customers today.

Read More