Feeds

Oi, bank manager. Only you've got my email address - where're these TROJANS coming from?

Santander scratches head over mystery malware barrage

Beginner's guide to SSL certificates

How – and more importantly, why – could this have happened?

So what might be happening? One possible explanation is that the bank supplied its email address database to a third-party marketing affiliate and the information leaked from there. Other possibilities include that spammers are emailing address lists generated from combinations of banking-related words, so (for example) joe-banking@joebloggs.me.uk happens to be hit.

Martijn Grooten, Virus Bulletin's anti-spam test director, said that leaks from third-party affiliate marketing firms are the "most likely" scenario even though other possibilities can't be ruled out. "Sending (a lot of) email isn’t trivial, what with all those spam filters out there, so almost everyone outsources it," Grooten explained.

Yet spammers hitting on the correct mailing list using some type of brute-force attack is "pretty unlikely to occur in practise", according to Grooten.

"I know non-existent addresses do receive spam, but that seems more a case of those selling lists of email addresses adding some fake ones to increase the volume, than spammers just trying everything@the_domain," Grooten told El Reg. "That’d be a huge waste of resources – and I’ve never seen it happen."

Grooten suggested other alternative possibilities that hadn't immediately occurred to us, such as recipients of spam making a mistake themselves that exposes their unique email address to unwanted attention. These mistakes can take multiple forms.

"Perhaps they misread the email address the email is sent to," Grooten explained. "Perhaps they did give it out to someone else, but have forgotten since. Perhaps the email isn’t malicious, but incorrectly flagged as such by a spam filter. Perhaps they fell for a phishing scam and filled in the email address."

"And while it’s bad if a list of addresses of a bank’s customers leaks, the fact that a Barclays customer gets spam targeting Barclays customers on an address only known to Barclays, doesn’t mean that the fact that they are a Barclays customer gets leaked: it could well be that only the address leaked and that they happen to get Barclays-related spam," he added.

Paul Wood, manager of cyber security intelligence at Symantec, agreed that it's more likely to be a third party contracted to do mailing that’s been compromised than the bank itself.

"The other possibility [that someone simply made a mistake and had actually shared the address more widely than they thought] is also a good thing to remember," Wood told El Reg. "However, that becomes less likely as more and more people report the same behaviour. This is often how many security problems become public."

Wood, like Grooten, doesn't think the torrent of malicious spam against Santander customers is based on a brute-force attack but on a list somehow obtained by crooks. How malware flingers got hold of this list remains wide open to speculation.

"If these emails are just being spammed from some botnet, then the addresses are likely to have been harvested somehow, as it's unlikely they were programmatically generated," Wood told El Reg. "But if they are sent from the genuine IP range of the supplier, then it may suggest their client's login/account has been hacked. If the attackers know enough about how the system works, all it takes is one weak password." ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.