Be on the lookout

I’m hearing more rumors of ESPs seeing customer accounts being compromised, similar to what happened with The Children’s Place.

Experian CheetahMail identified an isolated incident in which someone used a valid client user ID and password to gain access to the client’s email account and transmit an unauthorized and unlawful email. To recipients, the email appeared as a solicitation from an unrelated sender (disguised as Adobe) and directed viewers to an illicit website requesting credit card information. The impact was limited to a single, targeted outbound email.

I have a few suggestions to help companies identify these types of attacks before mail goes out.
1) Set up monitoring to look for a large number of uploads into a particular account. Tens of millions of new addresses, even spread over multiple uploads, should raise red flags and trigger manual review of the account.
2) Scan outgoing messages for links mentioning or advertising Adobe (all the spam seen so far links to Adobe-themed phishing sites).
3) Monitor for unusual send activity. A customer that sends small amounts of mail regularly, but all of a sudden spikes to 10 or 100 times more mail may be compromised.
4) Monitor FBLs for spikes in activity.
5) Monitor bounces for spikes in activity.
Much of this monitoring should slot easily into the monitoring you’re already doing as an ESP. You may want to add alerts that go out to the relevant people inside your company.
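As an added example (not code from the original post), here is how those five checks could be combined into a single pre-send review gate. The account send history, the 5x factor for FBL and bounce rates, and the customer domain list are constructed assumptions.

```python
import re
from statistics import median
from urllib.parse import urlparse

# Constructed sample: seven days of per-account send counts (a real ESP
# would pull these from its own sending logs).
DAILY_SENDS = {
    "acct-42": [1200, 1150, 1300, 1100, 1250, 1180, 1220],
    "acct-77": [50, 40, 60, 45, 55, 50, 48],
}
SPIKE_FACTOR = 10          # post's rule of thumb: 10x to 100x the usual volume
UPLOAD_ALERT = 10_000_000  # "tens of millions" of new addresses in one window
RATE_FACTOR = 5            # assumption: FBL/bounce rate at 5x the account's norm

def send_spike(account, pending_count):
    """True when a pending campaign is SPIKE_FACTOR times the account's median day."""
    baseline = median(DAILY_SENDS.get(account, [0])) or 1
    return pending_count / baseline >= SPIKE_FACTOR

def suspicious_links(html, customer_domains):
    """hrefs that mention Adobe but point outside the domains the customer owns."""
    hits = []
    for url in re.findall(r'href="([^"]+)"', html, flags=re.IGNORECASE):
        host = (urlparse(url).hostname or "").lower()
        if "adobe" in url.lower() and host not in customer_domains:
            hits.append(url)
    return hits

def rate_spike(events, delivered, usual_rate):
    """True when complaints or bounces per delivered message jump RATE_FACTOR times."""
    return delivered > 0 and events / delivered >= RATE_FACTOR * usual_rate

def review_campaign(account, pending_count, uploaded, html, customer_domains,
                    fbl=0, bounces=0, delivered=0, usual_fbl=0.001, usual_bounce=0.02):
    """Reasons to hold a campaign for manual review; an empty list means release it."""
    reasons = []
    if send_spike(account, pending_count):
        reasons.append("send volume spike")
    if uploaded >= UPLOAD_ALERT:
        reasons.append("bulk address upload")
    if suspicious_links(html, customer_domains):
        reasons.append("Adobe-themed link off customer domain")
    if rate_spike(fbl, delivered, usual_fbl):
        reasons.append("FBL complaint spike")
    if rate_spike(bounces, delivered, usual_bounce):
        reasons.append("bounce spike")
    return reasons
```

Any non-empty result holds the campaign and pages the account's reviewer; the thresholds are starting points to tune against each account's own history.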

Related Posts

I hate spam

But sometimes it makes me laugh. Yesterday I got a 419 that said, “[…]have been diagonalized with HIV/AIDS which has defiled all forms of medical treatment[…]” Diagonalized? Defiled all forms of treatment?
At least it was entertaining, right?


Spammers, eh?

From my inbox, missed by the spamfilter:

Do you know people who have worked a lot or could not find a job for a long time and suddenly began to earn well, gain valuable items and look better?
We can reveal to you their secret.
Anyone who bought a diploma from us raised their standard of living in half!
Our diplomas are verified and credible. We offer expert help in selection of the right option and a short waiting time.
Don’t look at other – DO YOUR OWN SUCCESS!
—–
+ 1 – 646 – 555 – 1212
—–
We need your infarmation:
1) Your Name
2) Your Country
3) Telephone No. with a code of country if you are outside USA
Do Not Reply to this Email.
We do not reply to text inquiries, and our server will reject all response traffic.
We apologize for any inconvenience this may have caused you.
This is not a spam
If you don’t want to receive this message to your e-mail, call this number and refuse it – spell your e-mail


ESPs leaking email addresses

Two of my tagged email addresses started getting identical pharma spam over the weekend. It is annoying me because I am now getting spam in a mailbox that was previously spam free. The spam is overwhelming the real traffic and I am having to make some decisions about what to do with the email addresses and their associated accounts with the companies I gave them to.
One thing I did notice, though, is that both companies use iContact as their ESP. A cursory check of my other mailboxes shows that none of my other tagged addresses are mailed through iContact. I don’t think it’s very likely that these two individual, unrelated companies made deals with the same spammers to sell address lists at the same time. It’s much more likely that there was a compromise somewhere and address lists were stolen.
Edit: Checked my other account and, likewise, I’m getting the same spam to a 3rd address serviced by iContact. I’ve sent mail to all 3 companies involved and we’ll see how they react.
And, as I was thinking about this, iContact just laid off a bunch of staff about the same time they announced their partnership with Goodmail. Based on past history with companies in this situation, it seems possible this is a disgruntled former employee. I’ve also seen reports from other people noticing spam to addresses given to iContact customers.
