Feeds

Oi, bank manager. Only you've got my email address - where're these TROJANS coming from?

Santander scratches head over mystery malware barrage

Using blade systems to cut costs and sharpen efficiencies

How – and more importantly, why – could this have happened?

So what might be happening? One possible explanation is that the bank supplied its email address database to a third-party marketing affiliate and the information leaked from there. Other possibilities include that spammers are emailing address lists generated from combinations of banking-related words, so (for example) joe-banking@joebloggs.me.uk happens to be hit.

Martijn Grooten, Virus Bulletin's anti-spam test director, said that leaks from third-party affiliate marketing firms are the "most likely" scenario even though other possibilities can't be ruled out. "Sending (a lot of) email isn’t trivial, what with all those spam filters out there, so almost everyone outsources it," Grooten explained.

Yet spammers hitting on the correct mailing list using some type of brute-force attack is "pretty unlikely to occur in practise", according to Grooten.

"I know non-existent addresses do receive spam, but that seems more a case of those selling lists of email addresses adding some fake ones to increase the volume, than spammers just trying everything@the_domain," Grooten told El Reg. "That’d be a huge waste of resources – and I’ve never seen it happen."

Grooten suggested other alternative possibilities that hadn't immediately occurred to us, such as recipients of spam making a mistake themselves that exposes their unique email address to unwanted attention. These mistakes can take multiple forms.

"Perhaps they misread the email address the email is sent to," Grooten explained. "Perhaps they did give it out to someone else, but have forgotten since. Perhaps the email isn’t malicious, but incorrectly flagged as such by a spam filter. Perhaps they fell for a phishing scam and filled in the email address."

"And while it’s bad if a list of addresses of a bank’s customers leaks, the fact that a Barclays customer gets spam targeting Barclays customers on an address only known to Barclays, doesn’t mean that the fact that they are a Barclays customer gets leaked: it could well be that only the address leaked and that they happen to get Barclays-related spam," he added.

Paul Wood, manager of cyber security intelligence at Symantec, agreed that it's more likely to be a third party contracted to do mailing that’s been compromised than the bank itself.

"The other possibility [that someone simply made a mistake and had actually shared the address more widely than they thought] is also a good thing to remember," Wood told El Reg. "However, that becomes less likely as more and more people report the same behaviour. This is often how many security problems become public."

Wood, like Grooten, doesn't think the torrent of malicious spam against Santander customers is based on a brute-force attack but on a list somehow obtained by crooks. How malware flingers got hold of this list remains wide open to speculation.

"If these emails are just being spammed from some botnet, then the addresses are likely to have been harvested somehow, as it's unlikely they were programmatically generated," Wood told El Reg. "But if they are sent from the genuine IP range of the supplier, then it may suggest their client's login/account has been hacked. If the attackers know enough about how the system works, all it takes is one weak password." ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.