Feeds

back to article Oi, bank manager. Only you've got my email address - where're these TROJANS coming from?

Santander customers are continuing to complain about receiving trojans and other junk to email addresses exclusively used with the bank. The reports began last month, prompting promises of an investigation by Santander. It's still unclear whether email addresses leaked from the bank or one of its affiliates. Independent experts …

COMMENTS

This topic is closed for new posts.

Page:

Anonymous Coward

Oh really?

"...spammers just trying everything@the_domain... That’d be a huge waste of resources – and I’ve never seen it happen."

Happens to me all the time. Couple of dozen a day, all to addresses such as 2a60d7b58@ and bf88cf663@mydomain.

Fortunately, Google's spam filter gets them all, otherwise I'd probably have to dump the domain.

9
0

Re: Oh really?

Happened to our main domain at work once years ago, vast amounts of email came in to different variants of firstname.lastname@ourdomain.co.uk

But I think the article is right that this isn't a cost effective method of spamming individuals. I assume that whoever it was had (wrongly) identified us as a large company where they could hope to get hundreds or thousands of hits with that sort of sending. Even if you're using a botnet, sending that amount of email is at very least an oppertunity cost, and in reality they are probably being rented for actual money.

2
0
Silver badge

Re: Oh really?

Happens to me all the time. Couple of dozen a day, all to addresses such as 2a60d7b58@ and bf88cf663@mydomain.

Same here but they fail because all the addresses hosted on my server have at least two parts to the name. I also get someone trying to log in to my web UI with random user names as well. That I really can't understand. Hitting on a valid email address is possible..but the chances of generating a valid username/password combo is surely miniscule.

2
0

Re: Oh really?

Are those 2a60d7b58@ addresses actually message-ids?

That is what i see. Someone has greped using a regexp that picks up messag-ids as well as email addresses.

2
0
Gav
Bronze badge

Re: Oh really?

"the chances of generating a valid username/password combo is surely miniscule."

They aren't generated. They are username/password combos that have been stolen from other systems. Because people frequently use the same username/password over multiple systems, it's worth the criminals' time trying them elsewhere.

4
0
Silver badge

Re: Oh really?

They are username/password combos that have been stolen from other systems.

Ah yes, you're right. Having checked my logs again those are all 'sensible' user names. It's only the spam attacks that are random.

2
0
Flame

Re: Oh really?

Yes, in my case it was a tagged email alias I'd used to sign up to Interflora, to which I suddenly started receiving "offers" from, amongst others, "The Book Club of Britain".

When challenged, Interflora's typically inept tier one'ers just dismissed it as a problem at my end ... until I got the ICO involved, then suddenly I had their undivided attention, and the problem was ultimately escalated to some regional manager.

It turned out they were using a professional spammer marketeer called CheetahMail (subsequently assimilated by Experian), which had "accidentally shared" my Interflora address, along with those of about another ten million people, with various parties they ought not to have. Being an American company, CheetahMail didn't seem to understand what all the fuss was about, given that America had (and clearly still has) absolutely no concept of data protection whatsoever (the safe harbor provisions didn't come into effect until years later, and even so are highly dubious at best, for various reasons).

In fact I made that point to the aforementioned regional manager, and suggested that maybe they shouldn't be handing British citizen's private data over to furriners not subject to our data protection laws. He appologised and made some vague assurance that Interflora would be "reviewing its relationship" with the spammer marketeer in question. It didn't matter. I ditched the alias and with it my "relationship" with Interflora.

Fool me once...

9
0
Bronze badge

Another possibility

A compromised router outside of Santander's control.

It's all very well saying that you just use a particular e-mail address for one purpose, but sending or receiving e-mail is generally like sending or receiving a postcard. Any number of prying eyes have the opportunity to snoop on the address.

3
0
Bronze badge

Re: Another possibility

Also, who's to say that the e-mail address hasn't been compromised from the owners' system (i.e. they have picked up a virus that has mined their own contacts list from their PC or 'phone) ?

3
9
Silver badge

Re: Another possibility

While that's true, the much simpler answer is that some dickhead at the bank either has a compromised system or (not so) carefully found a way to export a list of email addresses that subsequently got added to spam sender's systems.

However it's telling that it's more targetted than the usual penis enlargement or penny stock spam.

2
0
Black Helicopters

Re: Another possibility

Could be the NSA... ;-)

4
3
Anonymous Coward

Re: Another possibility

I feel concerned that I *haven't* had the 'penis enlargement' spam for sometime now. It just doesn't feel right.

3
0
Bronze badge

Re: Another possibility

Take it as a compliment.

11
0
Bronze badge
Holmes

Re: Another possibility

Exactly. I'm staggered that this article seems complicit with the assumption that an email goes directly from a user's computer to the bank's. Who's to say that the ISPs are not to blame?

I had a clean email address until I contacted a programmer in Russia. I'm willing to bet a good proportion of the servers that handled that one have been compromised to harvest addresses.

0
3
Silver badge

Re: Another possibility

Exactly. I'm staggered that this article seems complicit with the assumption that an email goes directly from a user's computer to the bank's. Who's to say that the ISPs are not to blame?

I can say that for my mail. I run my own mail server and it connects direct. The only things my mail passes through are generic network routers.

4
2
Bronze badge

Re: Another possibility

"I feel concerned that I *haven't* had the 'penis enlargement' spam for sometime now. It just doesn't feel right."

It doesn't feel right, you say? Does it feel too small, perhaps? If so what you need is to respond to one of those emails for peni... oh, wait.

0
0
Silver badge

Re: Another possibility

For a single instance, that's usually the way to investigate. This is multiple instances and the primary or only commonality is the bank. Also, if it was the user's PC, the virus would have ALL the email addresses being used, not just the one from the bank. At the very least I'd expect the intrepid spammer to go for credit card info as well.

0
0

Re: Another possibility

Or an insider with access to the list of e-mail addresses is actively stealing them and selling them on the black market for some extra pocket money. That's my guess.

0
0
Bronze badge

A number of years ago....

A number of years ago, I booked a holiday to Lanzarote with Thomson. The email address I registered with was Thomson-Lanzarote@MyDomain.com (Obviously not the correct domain.)

6 months later the address started receiving email from a huge range of spammers.

I'd only ever used the address once then forgotten about is.

Needless to say Thomson wouldn't comment.

8
0
Silver badge
Thumb Up

Re: A number of years ago....

Over 50% of the spam I get is received at oddbins@MyDomain.com despite me having used that address precisely once, many years ago, to order wine online for a family party. It doesn't exist in any of my contacts lists or history.

6
0
Silver badge
Go

Re: A number of years ago....

"It doesn't exist in any of my contacts lists or history."

How do you know it gets lots of spam then? You have to login and check it periodically, or you have it forwarded to your account. Either way, news of that account is on your computer, so if you end up comprised, it would be as well...

0
7
Silver badge

Re: A number of years ago....

How do you know it gets lots of spam then? You have to login and check it periodically, or you have it forwarded to your account.

No, there is no such account. The spam gets picked up by the catchall filter for "all unassigned addresses to mydomain". Nothing on my computer has any record of that email address.

0
0

send in inspector cludeo

ye a few of the possibilities outlined above, its worth trying to work out what the end users systems are, what browsers they are using. How many devices are used to interact with santander.

This at least may help identify if its specific to end users i.e. windows users using firefox/chrome/IE - then it be worth drilling into plugins used etc to see if some specific add on is causing this.......

0
8
Anonymous Coward

Re: send in inspector cludeo

If you are using a specific email address for your bank then you are probably using specific email addresses for ebay, amazon, friends and family, elreg, etc. If it is your system that has been compromised then these other email addresses would also start receiving spam. Since they aren't it pretty much discounts the theory that it is a problem on the users side.

21
0
Anonymous Coward

The answer is obvious

It's Santander. The bank that is consistently at the bottom of UK customer satisfaction tables. The bank that sends out letters on outdated stationery so you have to go on a wild goose chase trying to clarify what the letter meant.

There are lots of theoretical possibilities, but it's Santander. They're incompetent. It's what they do best.

22
0

Re: The answer is obvious

Sometimes you can discuss all the possible options when in reality it's the bleeding obvious that is the case.

9
0
Anonymous Coward

Re: The answer is obvious

Like most here - I also use individual addresses pointed at a catch all address so I can filter out spam / monitor which companies are ignoring my "tick if you do not wish to be contacted by selected 3rd party companies".

Quite a few years back when I first started doing this - I'd contact the company to tell them that their email list had been compromised (in one situation, I signed up to a bands website, to be sent an email about a gig down in that London for a different band), however the response was an aggressive, ignorant, buck pass saying they'd never use their mailing lists for 3rd parties, rather than figuring out who's been selling their mailing list to their mates... No good deed goes unpunished!

8
0
Bronze badge

Re: The answer is obvious

"Like most here - I also use individual addresses pointed at a catch all address so I can filter out spam / monitor which companies are ignoring my "tick if you do not wish to be contacted by selected 3rd party companies"."

Ditto.

I have two domains specifically for this purpose. It is the only thing they are used for, and usually only receive email, so no individual usernames are set up on my system, other than the domain itself. In the event I want to send an email to a company using these domains, I have to manually type in the email address I am sending from.

"Quite a few years back when I first started doing this - I'd contact the company to tell them that their email list had been compromised [...] however the response was an aggressive, ignorant, buck pass saying they'd never use their mailing lists for 3rd parties, rather than figuring out who's been selling their mailing list to their mates... No good deed goes unpunished!"

Yup. Been there, done that, didn't buy the t-shirt from the spammer.

More than one such address has been compromised. In some cases, while a unique address at one of the domains is used, I know that the "company" is really just a small-fry sole trader, so the chances are their computer has been compromised.

The very first time it happened, though, it was either Experian or Equifax (I can't remember which), the address being one I'd used when I checked my own credit rating* - and when I contacted them about it, the response I got was, as yours: "not us guv, not possible, we're squeaky clean and more secure than a nun's nethers, honest to goodness."

* Always worth doing. Then you get to discover things like you have an alias that you never knew about - which I discovered on my most recent check.

3
0

Re: The answer is obvious

Abso-fragging-lutely. The simplest answer is the most likely one - Santander has been compromised, or one of firms that they outsource to (which I count as the same thing).

Like a lot of El Reg readers, I come across this sort of thing a lot because I also use a unique address for everything. And most of the time the people who have leaked out the information flatly deny it despite the evidence, and are often rude and hostile. And stupid, which probably explains why they got leaked in the first place.

This should probably be dealt with by whatever the current toothless watchdog that oversees the banking industry is.

7
0

Re: The answer is obvious

Every time I've done this I've had the same response.

When I started getting spam to planetAMD64@mydomain.com and I, along with several others, complained, planetAMD64.com's response was that they were a huge and popular site and I was probably suffering a dictionary attack on my domain. As I have a catchall address, it must have been a dictionary attack of 1 word, a word that isn't even in the dictionary! Their response was to ban my account from their forum "for slander"! I get some satisfaction from the fact their "huge and popular" site is no more.

More worryingly when I started getting spam to pcg@mydomain.com which I'd only ever used for the Professional Contractor's Group at pcg.org.uk my report of spam was also met with instant disbelief and denials.

The reality is, that whilst it's evidence of some betrayal of confidentiality or security breach, it's very difficult to prove it or find the cause of the leak. The best you can do is black hole that email address and give them another unique one.

5
0

"Carefully selected 3rd parties" eh? Obviously not selected carefully enough.

3
0
Bronze badge

"Carefully selected 3rd parties" eh? Obviously not selected carefully enough.

I don't know, the viagra pill sellers only have my girlfriends sexual experience at heart when sending me those emails....

7
0
Anonymous Coward

> "Carefully selected 3rd parties" eh? Obviously not selected carefully enough.

I am they were extremely careful to select the third party that paid them the most for their email database.

6
0
Anonymous Coward

Not surprising really

They can't even get your home address right when you move house and tell them more than once but they persist on sending correspondance to your old address, so I wouldn't have any hopes of them being able to deal with email addresses properly either!

3
0
Bronze badge

Re: Not surprising really

They can't even get your home address right when you move house

I wonder if they've improved their data capture screen for mortgage details. I lived on a street called Frognal, but all my mortgage related correspondence went to a Frognal Lane which was several streets away. On going into the branch I discovered that their data capture screen insisted on a street address having a suffix that had to be selected from a ridiculously long drop down box. So it would accept Frognal Lane, Frognal Road and so on, but any address without a suffix - or with a suffix not on the list - couldn't be entered. Quality bit of UI design that.

9
0

Re: Not surprising really

From past experience, I've found that complaining to the who ever is responsible for data protection tends to solve the home address problem reasonably quickly.

2
0
Silver badge

Re: Not surprising really

I know for a fact that work on Santander UK systems is carried out by Spanish consultancies as it works out cheaper for them, at least by the indicators they are using, bad customer service reputation not being one of them.

Putting two and two together to make five, it sounds like that particular system was adapted from or at least heavily inspired by similar software for Spain which does have a fixed set of road types.

Complaints to the data registrar probably mean another road type being made just for you, you lucky thing.

0
0

It's not just Santander....

I opened an account with Natwest a few months ago, using a specific email address only for them

Started getting spam to that address after a few weeks, with zipped attachments!

When I complained, they said my system was probably infected and I should call in an expert!

I think they must 'sell' their email lists to the highest bidder

3
0
Anonymous Coward

Wasn't it NatWest

that ended up in the papers (not just the IT ones) when they flogged off a server without sanitising it first? I;m sure others do it too, but this one had scanned images of credit card applications on it.

Oh yes it was: http://www.theregister.co.uk/2008/08/26/more_details_lost/

They've had five years to sort it, I'm sure their IT is much better now.

3
0
Bronze badge

Re: Wasn't it NatWest

@AC

I am sure they have sorted it. Or at least that impeccable holding company of theirs, the one with the perfect IT record, RBS, has sorted it for them.

4
0

I even get spam sent to the unique address I use for my very well-known ISP. They denied any wrong doing. And it happens with at least two other unique addresses. The latter two I blackholed so it's a pointless exercise for them.

2
0
Anonymous Coward

Well, after I used the RAC's recovery service

I have been plagued by Cowboy Personal Injury firms trying to foist their services upon me.

2
0
Silver badge
Trollface

Re: Well, after I used the RAC's recovery service

Glad you didn't respond. Their services must seriously hurt.

3
0
Anonymous Coward

Re: RAC

That's interesting. Now you mention it, I also had the same experience.

I was a little perturbed to receive a phone call from a stranger that began "did you ever claim for injury following your accident on <date>?".

Needless to say I told them very firmly not to contact me again.

0
0
Silver badge
Thumb Down

These kind of problems crop up regularly and are far from limited to Santander. It's a familiar story

Very true. I stopped using Avast AV because I began to get spam to the address used to register. I tried to bring it to their attention but got attacked on by the forum denizens who refused to believe there was anything odd when address similar to:

mrwidget.avast@fake-domain.null

Started to receive spam. Most claimed the address was picked up by a packet sniffer (odd how only that address got picked up and this was ovr six months IIRC since I last registered it) or else that I had a virus infection that had got the address from my address book (why would I have that address in my address book and as per the first suggestion why did only that address get spam?) Oh and some fools suggested it was a dictionary attack against my domain (that's one hell of a precise attack).

I gave up the discussion when it looked like becoming a flame war.

7
0

Yes, most companies just lie about their practices or aren't aware of just how casual marketing are with the databases.

1
0

Similar issues...

I have had exactly the same issues with a number of sites. I register using a unique e-mail address that is only ever used for registration. I run my own mail server which uses certain rules to forward the unique mail address to a real e-mail address. If the rules don't match then the mail is simply discarded. I can then add specific e-mail addresses that are blocked.

I registered with the no2id people and have started receiving spam e-mails to that specific e-mail address. I tried to contact them and got zero response which is fairly ironic given how much they claim to value our privacy.

I've just looked through my blacklist and can see magazine subscriptions, easyjet4ski, worldpay, Adobe, easydns hammersnipe, appdev, groupon and other real outlets who appear to have lost, sold or given out a unique e-mail address. I have tried to contact every one and complain and with the exception of Adobe, none have ever admitted a problem. Its always been my issue never theirs.

My solution is easy, I simply block the address (15 secs) and then never do business with them.

What experiences to other people have when they try to complain about this?

Thanks

8
0

Re: Similar issues...

Most times they don't give a s**t. Just trying to get them to understand you might have more than one email address/your own domain is a job in it's self.

I don't block them anymore, I just forward the email address that has been compromised to one of theirs. Job done (and rather satisfying too).

10
0

Re: Similar issues...

That, Sir, is truly a brilliant idea. Can't believe that isn't standard practise. I'm going to add "Forward to: CEO at email-sellers-domain.com" to the front of all my kill filters.

My wife (who is in IT, as I used to be) complains at my use of many different email addresses like this, but I find it very useful for the reasons given by others.

1
0

I am one of the people affected/complaining

I started receiving the virus spam emails in November and immediately started a complaint. Allow me to share some of my insight/experience.

The article discusses a number of sources of the leak and the user could possibility. I did consider this as I can be a numpty but:

1) I started getting virus spams to two unique email addresses on the same day.

2) This was shortly after the Adobe breach in November 2013.

3) I have a whole raft of unique addresses and I was only getting spam virus emails to two of them

4) The email address was not "Santander" or anything that could be guessed (really).

My guess it was the same crew that took the addresses from both Santander and Sportsbikeshop.co.uk. If I was to get a free bet I would suspect (as I used to work in Direct Marketing for a bank now "eaten" by Santander) that an external agency using Adobe products and the same password everywhere is to blame.

It took me some time to get my complaint listened to. Their Data Protection Officer wasn't having anything to do with me (FFS, What is their purpose!) and I had to raise three complaints before Santander "engaged".

However since "engaging" the poor Scottish chap dealing with the complaint has been great. You couldn't fault him. If you're reading this mate then I owe you a pint.

4
0

Page:

This topic is closed for new posts.