Oi, bank manager. Only you've got my email address - where're these TROJANS coming from?

Santander customers are continuing to complain about receiving trojans and other junk to email addresses exclusively used with the bank. The reports began last month, prompting promises of an investigation by Santander. It's still unclear whether email addresses leaked from the bank or one of its affiliates. Independent …

COMMENTS

This topic is closed for new posts.

  1. Anonymous Coward

    Oh really?

    "...spammers just trying everything@the_domain... That’d be a huge waste of resources – and I’ve never seen it happen."

    Happens to me all the time. Couple of dozen a day, all to addresses such as 2a60d7b58@ and bf88cf663@mydomain.

    Fortunately, Google's spam filter gets them all, otherwise I'd probably have to dump the domain.

    1. mike2R

      Re: Oh really?

      Happened to our main domain at work once years ago, vast amounts of email came in to different variants of firstname.lastname@ourdomain.co.uk

      But I think the article is right that this isn't a cost effective method of spamming individuals. I assume that whoever it was had (wrongly) identified us as a large company where they could hope to get hundreds or thousands of hits with that sort of sending. Even if you're using a botnet, sending that amount of email is at the very least an opportunity cost, and in reality they are probably being rented for actual money.

    2. AndrueC Silver badge

      Re: Oh really?

      Happens to me all the time. Couple of dozen a day, all to addresses such as 2a60d7b58@ and bf88cf663@mydomain.

      Same here, but they fail because all the addresses hosted on my server have at least two parts to the name. I also get someone trying to log in to my web UI with random user names as well. That I really can't understand. Hitting on a valid email address is possible, but the chances of generating a valid username/password combo are surely minuscule.

      1. Gav

        Re: Oh really?

        "the chances of generating a valid username/password combo are surely minuscule."

        They aren't generated. They are username/password combos that have been stolen from other systems. Because people frequently use the same username/password over multiple systems, it's worth the criminals' time trying them elsewhere.

        1. AndrueC Silver badge

          Re: Oh really?

          They are username/password combos that have been stolen from other systems.

          Ah yes, you're right. Having checked my logs again those are all 'sensible' user names. It's only the spam attacks that are random.

    3. Phil Endecott

      Re: Oh really?

      Are those 2a60d7b58@ addresses actually message-ids?

      That is what I see. Someone has grepped using a regexp that picks up message-ids as well as email addresses.

    4. Oh Homer

      Re: Oh really?

      Yes, in my case it was a tagged email alias I'd used to sign up to Interflora, at which I suddenly started receiving "offers" from, amongst others, "The Book Club of Britain".

      When challenged, Interflora's typically inept tier one'ers just dismissed it as a problem at my end ... until I got the ICO involved, then suddenly I had their undivided attention, and the problem was ultimately escalated to some regional manager.

      It turned out they were using a professional spammer marketeer called CheetahMail (subsequently assimilated by Experian), which had "accidentally shared" my Interflora address, along with those of about another ten million people, with various parties they ought not to have. Being an American company, CheetahMail didn't seem to understand what all the fuss was about, given that America had (and clearly still has) absolutely no concept of data protection whatsoever (the safe harbor provisions didn't come into effect until years later, and even so are highly dubious at best, for various reasons).

      In fact I made that point to the aforementioned regional manager, and suggested that maybe they shouldn't be handing British citizens' private data over to furriners not subject to our data protection laws. He apologised and made some vague assurance that Interflora would be "reviewing its relationship" with the spammer marketeer in question. It didn't matter. I ditched the alias and with it my "relationship" with Interflora.

      Fool me once...

  2. Mike Bell

    Another possibility

    A compromised router outside of Santander's control.

    It's all very well saying that you just use a particular e-mail address for one purpose, but sending or receiving e-mail is generally like sending or receiving a postcard. Any number of prying eyes have the opportunity to snoop on the address.

    1. Great Bu

      Re: Another possibility

      Also, who's to say that the e-mail address hasn't been compromised from the owner's system (i.e. they have picked up a virus that has mined their own contacts list from their PC or 'phone)?

      1. Tom 13

        Re: Another possibility

        For a single instance, that's usually the way to investigate. This is multiple instances and the primary or only commonality is the bank. Also, if it was the user's PC, the virus would have ALL the email addresses being used, not just the one from the bank. At the very least I'd expect the intrepid spammer to go for credit card info as well.

    2. Nick Ryan Silver badge

      Re: Another possibility

      While that's true, the much simpler answer is that some dickhead at the bank either has a compromised system or (not so) carefully found a way to export a list of email addresses that subsequently got added to spam senders' systems.

      However, it's telling that it's more targeted than the usual penis enlargement or penny stock spam.

      1. Anonymous Coward

        Re: Another possibility

        I feel concerned that I *haven't* had the 'penis enlargement' spam for some time now. It just doesn't feel right.

        1. Anonymous C0ward

          Re: Another possibility

          Take it as a compliment.

        2. VinceH

          Re: Another possibility

          "I feel concerned that I *haven't* had the 'penis enlargement' spam for some time now. It just doesn't feel right."

          It doesn't feel right, you say? Does it feel too small, perhaps? If so what you need is to respond to one of those emails for peni... oh, wait.

      2. Jaybus

        Re: Another possibility

        Or an insider with access to the list of e-mail addresses is actively stealing them and selling them on the black market for some extra pocket money. That's my guess.

    3. Tom Wood

      Re: Another possibility

      Could be the NSA... ;-)

    4. Anonymous Coward

      Re: Another possibility

      Exactly. I'm staggered that this article seems complicit with the assumption that an email goes directly from a user's computer to the bank's. Who's to say that the ISPs are not to blame?

      I had a clean email address until I contacted a programmer in Russia. I'm willing to bet a good proportion of the servers that handled that one have been compromised to harvest addresses.

      1. AndrueC Silver badge

        Re: Another possibility

        Exactly. I'm staggered that this article seems complicit with the assumption that an email goes directly from a user's computer to the bank's. Who's to say that the ISPs are not to blame?

        I can say that for my mail. I run my own mail server and it connects direct. The only things my mail passes through are generic network routers.

  3. This post has been deleted by its author

    1. Phil O'Sophical Silver badge

      Re: A number of years ago....

      Over 50% of the spam I get is received at oddbins@MyDomain.com despite me having used that address precisely once, many years ago, to order wine online for a family party. It doesn't exist in any of my contacts lists or history.

      1. lglethal Silver badge

        Re: A number of years ago....

        "It doesn't exist in any of my contacts lists or history."

        How do you know it gets lots of spam then? You have to log in and check it periodically, or you have it forwarded to your account. Either way, news of that account is on your computer, so if you end up compromised, it would be as well...

        1. Phil O'Sophical Silver badge

          Re: A number of years ago....

          How do you know it gets lots of spam then? You have to log in and check it periodically, or you have it forwarded to your account.

          No, there is no such account. The spam gets picked up by the catchall filter for "all unassigned addresses to mydomain". Nothing on my computer has any record of that email address.

  4. vahid

    send in inspector cludeo

    Yeah, a few of the possibilities are outlined above; it's worth trying to work out what the end users' systems are, what browsers they are using, and how many devices are used to interact with Santander.

    This at least may help identify if it's specific to end users, i.e. Windows users using Firefox/Chrome/IE - then it would be worth drilling into plugins used etc. to see if some specific add-on is causing this.......

    1. Anonymous Coward

      Re: send in inspector cludeo

      If you are using a specific email address for your bank then you are probably using specific email addresses for eBay, Amazon, friends and family, El Reg, etc. If it is your system that has been compromised then these other email addresses would also start receiving spam. Since they aren't, it pretty much discounts the theory that it is a problem on the user's side.

  5. Anonymous Coward

    The answer is obvious

    It's Santander. The bank that is consistently at the bottom of UK customer satisfaction tables. The bank that sends out letters on outdated stationery so you have to go on a wild goose chase trying to clarify what the letter meant.

    There are lots of theoretical possibilities, but it's Santander. They're incompetent. It's what they do best.

    1. No Quarter

      Re: The answer is obvious

      Sometimes you can discuss all the possible options when in reality it's the bleeding obvious that is the case.

    2. Anonymous Coward

      Re: The answer is obvious

      Like most here - I also use individual addresses pointed at a catch all address so I can filter out spam / monitor which companies are ignoring my "tick if you do not wish to be contacted by selected 3rd party companies".

      Quite a few years back when I first started doing this, I'd contact the company to tell them that their email list had been compromised (in one situation, I signed up to a band's website, to be sent an email about a gig down in that London for a different band); however, the response was an aggressive, ignorant buck pass saying they'd never use their mailing lists for 3rd parties, rather than figuring out who'd been selling their mailing list to their mates... No good deed goes unpunished!

      1. VinceH

        Re: The answer is obvious

        "Like most here - I also use individual addresses pointed at a catch all address so I can filter out spam / monitor which companies are ignoring my "tick if you do not wish to be contacted by selected 3rd party companies"."

        Ditto.

        I have two domains specifically for this purpose. It is the only thing they are used for, and usually only receive email, so no individual usernames are set up on my system, other than the domain itself. In the event I want to send an email to a company using these domains, I have to manually type in the email address I am sending from.

        "Quite a few years back when I first started doing this - I'd contact the company to tell them that their email list had been compromised [...] however the response was an aggressive, ignorant, buck pass saying they'd never use their mailing lists for 3rd parties, rather than figuring out who's been selling their mailing list to their mates... No good deed goes unpunished!"

        Yup. Been there, done that, didn't buy the t-shirt from the spammer.

        More than one such address has been compromised. In some cases, while a unique address at one of the domains is used, I know that the "company" is really just a small-fry sole trader, so the chances are their computer has been compromised.

        The very first time it happened, though, it was either Experian or Equifax (I can't remember which), the address being one I'd used when I checked my own credit rating* - and when I contacted them about it, the response I got was, as yours: "not us guv, not possible, we're squeaky clean and more secure than a nun's nethers, honest to goodness."

        * Always worth doing. Then you get to discover things like you have an alias that you never knew about - which I discovered on my most recent check.

      2. pop_corn

        Re: The answer is obvious

        Every time I've done this I've had the same response.

        When I started getting spam to planetAMD64@mydomain.com and I, along with several others, complained, planetAMD64.com's response was that they were a huge and popular site and I was probably suffering a dictionary attack on my domain. As I have a catchall address, it must have been a dictionary attack of 1 word, a word that isn't even in the dictionary! Their response was to ban my account from their forum "for slander"! I get some satisfaction from the fact their "huge and popular" site is no more.

        More worryingly when I started getting spam to pcg@mydomain.com which I'd only ever used for the Professional Contractor's Group at pcg.org.uk my report of spam was also met with instant disbelief and denials.

        The reality is that whilst it's evidence of some betrayal of confidentiality or security breach, it's very difficult to prove it or find the cause of the leak. The best you can do is black hole that email address and give them another unique one.

    3. Conrad Longmore

      Re: The answer is obvious

      Abso-fragging-lutely. The simplest answer is the most likely one - Santander has been compromised, or one of the firms that they outsource to (which I count as the same thing).

      Like a lot of El Reg readers, I come across this sort of thing a lot because I also use a unique address for everything. And most of the time the people who have leaked out the information flatly deny it despite the evidence, and are often rude and hostile. And stupid, which probably explains why they got leaked in the first place.

      This should probably be dealt with by whatever the current toothless watchdog that oversees the banking industry is.

  6. Flywheel

    "Carefully selected 3rd parties" eh? Obviously not selected carefully enough.

    1. wolfetone Silver badge

      "Carefully selected 3rd parties" eh? Obviously not selected carefully enough.

      I don't know, the viagra pill sellers only have my girlfriends sexual experience at heart when sending me those emails....

    2. Anonymous Coward

      > "Carefully selected 3rd parties" eh? Obviously not selected carefully enough.

      I am sure they were extremely careful to select the third party that paid them the most for their email database.

  7. Anonymous Coward

    Not surprising really

    They can't even get your home address right when you move house and tell them more than once, but they persist in sending correspondence to your old address, so I wouldn't have any hopes of them being able to deal with email addresses properly either!

    1. Anonymous Coward

      Re: Not surprising really

      They can't even get your home address right when you move house

      I wonder if they've improved their data capture screen for mortgage details. I lived on a street called Frognal, but all my mortgage related correspondence went to a Frognal Lane which was several streets away. On going into the branch I discovered that their data capture screen insisted on a street address having a suffix that had to be selected from a ridiculously long drop down box. So it would accept Frognal Lane, Frognal Road and so on, but any address without a suffix - or with a suffix not on the list - couldn't be entered. Quality bit of UI design that.

      1. Dan 55 Silver badge

        Re: Not surprising really

        I know for a fact that work on Santander UK systems is carried out by Spanish consultancies as it works out cheaper for them, at least by the indicators they are using, bad customer service reputation not being one of them.

        Putting two and two together to make five, it sounds like that particular system was adapted from or at least heavily inspired by similar software for Spain which does have a fixed set of road types.

        Complaints to the data registrar probably mean another road type being made just for you, you lucky thing.

    2. mathew42

      Re: Not surprising really

      From past experience, I've found that complaining to whoever is responsible for data protection tends to solve the home address problem reasonably quickly.

  8. Mr_Pitiful

    It's not just Santander....

    I opened an account with Natwest a few months ago, using a specific email address only for them

    Started getting spam to that address after a few weeks, with zipped attachments!

    When I complained, they said my system was probably infected and I should call in an expert!

    I think they must 'sell' their email lists to the highest bidder

    1. Anonymous Coward

      Wasn't it NatWest

      that ended up in the papers (not just the IT ones) when they flogged off a server without sanitising it first? I'm sure others do it too, but this one had scanned images of credit card applications on it.

      Oh yes it was: http://www.theregister.co.uk/2008/08/26/more_details_lost/

      They've had five years to sort it, I'm sure their IT is much better now.

      1. Yet Another Commentard

        Re: Wasn't it NatWest

        @AC

        I am sure they have sorted it. Or at least that impeccable holding company of theirs, the one with the perfect IT record, RBS, has sorted it for them.

  9. Martin H Watson

    I even get spam sent to the unique address I use for my very well-known ISP. They denied any wrongdoing. And it happens with at least two other unique addresses. The latter two I blackholed so it's a pointless exercise for them.

  10. Anonymous Coward

    Well, after I used the RAC's recovery service

    I have been plagued by Cowboy Personal Injury firms trying to foist their services upon me.

    1. Destroy All Monsters Silver badge

      Re: Well, after I used the RAC's recovery service

      Glad you didn't respond. Their services must seriously hurt.

      1. Anonymous Coward

        Re: RAC

        That's interesting. Now you mention it, I also had the same experience.

        I was a little perturbed to receive a phone call from a stranger that began "did you ever claim for injury following your accident on <date>?".

        Needless to say I told them very firmly not to contact me again.

  11. AndrueC Silver badge

    These kind of problems crop up regularly and are far from limited to Santander. It's a familiar story

    Very true. I stopped using Avast AV because I began to get spam to the address used to register. I tried to bring it to their attention but got attacked by the forum denizens, who refused to believe there was anything odd when an address similar to:

    mrwidget.avast@fake-domain.null

    started to receive spam. Most claimed the address was picked up by a packet sniffer (odd how only that address got picked up, and this was over six months IIRC since I last registered it) or else that I had a virus infection that had got the address from my address book (why would I have that address in my address book, and as per the first suggestion why did only that address get spam?). Oh, and some fools suggested it was a dictionary attack against my domain (that's one hell of a precise attack).

    I gave up the discussion when it looked like becoming a flame war.

    1. jaduncan

      Yes, most companies just lie about their practices or aren't aware of just how casual marketing are with the databases.

  12. Rob Willett

    Similar issues...

    I have had exactly the same issues with a number of sites. I register using a unique e-mail address that is only ever used for registration. I run my own mail server which uses certain rules to forward the unique mail address to a real e-mail address. If the rules don't match then the mail is simply discarded. I can then add specific e-mail addresses that are blocked.

    I registered with the no2id people and have started receiving spam e-mails to that specific e-mail address. I tried to contact them and got zero response which is fairly ironic given how much they claim to value our privacy.

    I've just looked through my blacklist and can see magazine subscriptions, easyjet4ski, worldpay, Adobe, easydns hammersnipe, appdev, groupon and other real outlets who appear to have lost, sold or given out a unique e-mail address. I have tried to contact every one and complain and, with the exception of Adobe, none have ever admitted a problem. It's always been my issue, never theirs.

    My solution is easy, I simply block the address (15 secs) and then never do business with them.

    What experiences do other people have when they try to complain about this?

    Thanks

    1. We're with Steve

      Re: Similar issues...

      Most times they don't give a s**t. Just trying to get them to understand you might have more than one email address/your own domain is a job in itself.

      I don't block them anymore, I just forward the email address that has been compromised to one of theirs. Job done (and rather satisfying too).

      1. YetAnotherLocksmith Silver badge

        Re: Similar issues...

        That, Sir, is truly a brilliant idea. Can't believe that isn't standard practice. I'm going to add "Forward to: CEO at email-sellers-domain.com" to the front of all my kill filters.

        My wife (who is in IT, as I used to be) complains at my use of many different email addresses like this, but I find it very useful for the reasons given by others.

  13. We're with Steve

    I am one of the people affected/complaining

    I started receiving the virus spam emails in November and immediately started a complaint. Allow me to share some of my insight/experience.

    The article discusses a number of possible sources of the leak, including the possibility that it is the user. I did consider this as I can be a numpty, but:

    1) I started getting virus spams to two unique email addresses on the same day.

    2) This was shortly after the Adobe breach in November 2013.

    3) I have a whole raft of unique addresses and I was only getting spam virus emails to two of them.

    4) The email address was not "Santander" or anything that could be guessed (really).

    My guess is it was the same crew that took the addresses from both Santander and Sportsbikeshop.co.uk. If I was to get a free bet I would suspect (as I used to work in Direct Marketing for a bank now "eaten" by Santander) that an external agency using Adobe products and the same password everywhere is to blame.

    It took me some time to get my complaint listened to. Their Data Protection Officer wasn't having anything to do with me (FFS, What is their purpose!) and I had to raise three complaints before Santander "engaged".

    However since "engaging" the poor Scottish chap dealing with the complaint has been great. You couldn't fault him. If you're reading this mate then I owe you a pint.
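Several commenters above describe the same defensive setup: a catch-all domain with one alias per vendor, known aliases forwarded to a real mailbox, leaked aliases black-holed, and the "dictionary attack on your domain" excuse tested by counting how many unregistered local-parts actually arrive. The following is an added Python sketch of that classification, not any commenter's actual mail-server rules; the domain, the alias table, the probe threshold and the sample observations are all constructed.

```python
"""Classify recipients hitting a catch-all domain and attribute spam to the
vendor whose alias received it.

Assumed rules (constructed for this example, not anyone's real config):
  * a registered per-vendor alias is forwarded to the real mailbox;
  * an alias already confirmed as leaked is black-holed, with the hit
    attributed to the vendor it was issued to;
  * anything else is an unregistered local-part, i.e. a guess against the
    domain (dictionary attack, or message-ids scraped as if they were
    addresses, like 2a60d7b58@).
"""
import re
from collections import Counter

DOMAIN = "mydomain.example"       # constructed catch-all domain
REAL_MAILBOX = "me@real.example"  # constructed forward target

# alias local-part -> vendor it was issued to (constructed table)
ALIASES = {
    "santander": "Santander",
    "pcg": "PCG",
    "oddbins": "Oddbins",
    "planetamd64": "planetAMD64",
}
BLOCKED = {"planetamd64"}  # aliases already known to have leaked

# local-parts that look like hex blobs: message-ids scraped as addresses
HEX_LIKE = re.compile(r"^[0-9a-f]{8,}$")


def classify(recipient):
    """Return (action, label) for one recipient address."""
    local, _, domain = recipient.lower().rpartition("@")
    if domain != DOMAIN:
        return ("reject", "not our domain")
    if local in BLOCKED:                      # checked before ALIASES
        return ("discard", ALIASES[local])    # attributed to the leaker
    if local in ALIASES:
        return ("forward", REAL_MAILBOX)
    if HEX_LIKE.match(local):
        return ("discard", "hex-like probe")
    return ("discard", "unregistered probe")


def leak_report(observations, probe_threshold=10):
    """observations: (recipient, is_spam) pairs, is_spam from the spam filter.

    Many distinct unregistered local-parts means the whole domain is being
    guessed at, so spam on an alias proves little. Few guesses plus spam on
    a live alias points at the vendor that alias was issued to: a
    "dictionary attack" of one word that is not in the dictionary.
    """
    spam_by_alias = Counter()
    probes = set()
    for recipient, is_spam in observations:
        action, label = classify(recipient)
        local = recipient.lower().rpartition("@")[0]
        if label in ("hex-like probe", "unregistered probe"):
            probes.add(local)
        elif action == "forward" and is_spam:
            spam_by_alias[local] += 1
    dictionary = len(probes) >= probe_threshold
    suspects = {} if dictionary else {
        ALIASES[alias]: n for alias, n in spam_by_alias.items()}
    return {
        "distinct_probes": len(probes),
        "dictionary_attack": dictionary,
        "suspect_vendors": suspects,
    }


# Constructed sample of what the catch-all saw over a day.
SAMPLE = [
    ("santander@mydomain.example", True),
    ("santander@mydomain.example", True),
    ("santander@mydomain.example", False),
    ("pcg@mydomain.example", False),
    ("2a60d7b58@mydomain.example", True),
    ("bf88cf663@mydomain.example", True),
    ("planetAMD64@mydomain.example", True),
    ("someone@other.example", True),
]

if __name__ == "__main__":
    print(leak_report(SAMPLE))
```

With the sample above the report names Santander as the only suspect, since just two hex-like probes hit the domain while the bank's alias alone received spam; the already black-holed planetAMD64 alias is discarded without being re-reported.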
