Feeds

Oi, bank manager. Only you've got my email address - where're these TROJANS coming from?

Santander scratches head over mystery malware barrage

Top 5 reasons to deploy VMware with Tegile

How – and more importantly, why – could this have happened?

So what might be happening? One possible explanation is that the bank supplied its email address database to a third-party marketing affiliate and the information leaked from there. Other possibilities include that spammers are emailing address lists generated from combinations of banking-related words, so (for example) joe-banking@joebloggs.me.uk happens to be hit.

Martijn Grooten, Virus Bulletin's anti-spam test director, said that leaks from third-party affiliate marketing firms are the "most likely" scenario even though other possibilities can't be ruled out. "Sending (a lot of) email isn’t trivial, what with all those spam filters out there, so almost everyone outsources it," Grooten explained.

Yet spammers hitting on the correct mailing list using some type of brute-force attack is "pretty unlikely to occur in practise", according to Grooten.

"I know non-existent addresses do receive spam, but that seems more a case of those selling lists of email addresses adding some fake ones to increase the volume, than spammers just trying everything@the_domain," Grooten told El Reg. "That’d be a huge waste of resources – and I’ve never seen it happen."

Grooten suggested other alternative possibilities that hadn't immediately occurred to us, such as recipients of spam making a mistake themselves that exposes their unique email address to unwanted attention. These mistakes can take multiple forms.

"Perhaps they misread the email address the email is sent to," Grooten explained. "Perhaps they did give it out to someone else, but have forgotten since. Perhaps the email isn’t malicious, but incorrectly flagged as such by a spam filter. Perhaps they fell for a phishing scam and filled in the email address."

"And while it’s bad if a list of addresses of a bank’s customers leaks, the fact that a Barclays customer gets spam targeting Barclays customers on an address only known to Barclays, doesn’t mean that the fact that they are a Barclays customer gets leaked: it could well be that only the address leaked and that they happen to get Barclays-related spam," he added.

Paul Wood, manager of cyber security intelligence at Symantec, agreed that it's more likely to be a third party contracted to do mailing that’s been compromised than the bank itself.

"The other possibility [that someone simply made a mistake and had actually shared the address more widely than they thought] is also a good thing to remember," Wood told El Reg. "However, that becomes less likely as more and more people report the same behaviour. This is often how many security problems become public."

Wood, like Grooten, doesn't think the torrent of malicious spam against Santander customers is based on a brute-force attack but on a list somehow obtained by crooks. How malware flingers got hold of this list remains wide open to speculation.

"If these emails are just being spammed from some botnet, then the addresses are likely to have been harvested somehow, as it's unlikely they were programmatically generated," Wood told El Reg. "But if they are sent from the genuine IP range of the supplier, then it may suggest their client's login/account has been hacked. If the attackers know enough about how the system works, all it takes is one weak password." ®

Security for virtualized datacentres

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.