Feeds

Oi, bank manager. Only you've got my email address - where're these TROJANS coming from?

Santander scratches head over mystery malware barrage

5 things you didn’t know about cloud backup

How – and more importantly, why – could this have happened?

So what might be happening? One possible explanation is that the bank supplied its email address database to a third-party marketing affiliate and the information leaked from there. Other possibilities include that spammers are emailing address lists generated from combinations of banking-related words, so (for example) joe-banking@joebloggs.me.uk happens to be hit.

Martijn Grooten, Virus Bulletin's anti-spam test director, said that leaks from third-party affiliate marketing firms are the "most likely" scenario even though other possibilities can't be ruled out. "Sending (a lot of) email isn’t trivial, what with all those spam filters out there, so almost everyone outsources it," Grooten explained.

Yet spammers hitting on the correct mailing list using some type of brute-force attack is "pretty unlikely to occur in practise", according to Grooten.

"I know non-existent addresses do receive spam, but that seems more a case of those selling lists of email addresses adding some fake ones to increase the volume, than spammers just trying everything@the_domain," Grooten told El Reg. "That’d be a huge waste of resources – and I’ve never seen it happen."

Grooten suggested other alternative possibilities that hadn't immediately occurred to us, such as recipients of spam making a mistake themselves that exposes their unique email address to unwanted attention. These mistakes can take multiple forms.

"Perhaps they misread the email address the email is sent to," Grooten explained. "Perhaps they did give it out to someone else, but have forgotten since. Perhaps the email isn’t malicious, but incorrectly flagged as such by a spam filter. Perhaps they fell for a phishing scam and filled in the email address."

"And while it’s bad if a list of addresses of a bank’s customers leaks, the fact that a Barclays customer gets spam targeting Barclays customers on an address only known to Barclays, doesn’t mean that the fact that they are a Barclays customer gets leaked: it could well be that only the address leaked and that they happen to get Barclays-related spam," he added.

Paul Wood, manager of cyber security intelligence at Symantec, agreed that it's more likely to be a third party contracted to do mailing that’s been compromised than the bank itself.

"The other possibility [that someone simply made a mistake and had actually shared the address more widely than they thought] is also a good thing to remember," Wood told El Reg. "However, that becomes less likely as more and more people report the same behaviour. This is often how many security problems become public."

Wood, like Grooten, doesn't think the torrent of malicious spam against Santander customers is based on a brute-force attack but on a list somehow obtained by crooks. How malware flingers got hold of this list remains wide open to speculation.

"If these emails are just being spammed from some botnet, then the addresses are likely to have been harvested somehow, as it's unlikely they were programmatically generated," Wood told El Reg. "But if they are sent from the genuine IP range of the supplier, then it may suggest their client's login/account has been hacked. If the attackers know enough about how the system works, all it takes is one weak password." ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
JLaw, Kate Upton exposed in celeb nude pics hack
100 women victimised as Apple iCloud accounts reportedly popped
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.