Large companies (un?)knowingly hire spammers

This morning, CSO and MacKeeper published joint articles on a massive data leak from a marketing company. (Update: 2019: both articles are gone, a cached version of the CSOnline link is at https://hackerfall.com/story/the-fall-of-an-empire-spammers-expose-their-entire)  This company, River City Media (RCM), failed to put a password on their online backups sometime. This leaked all of the company’s data out to the Internet at large. MacKeeper Security Researcher, Chris Vickery discovered the breach back in December and shared the information with Spamhaus and CSO online.
The group has spent months going through the data from this spammer. As of this morning, the existence of the breach and an overview of the extent of their operation were revealed by CSO and MacKeeper. Additionally, Spamhaus listed the network on the Register of Known Spamming Operations (ROKSO).

There are a couple interesting pieces of this story relevant to legitimate marketers.
The biggest issue is the number of brands who are paying spammers to send mail from them. The CSO article lists just some of the brands that were buying mail services from RCM:

[…] Nike, LifeLock, Liberty Mutual, Fidelity, MetLife, Victoria’s Secret, Kitchen Aide, Yankee Candle, Bath & Body Works, Gillette, Match.com, Dollar Shave Club, Dewalt, DirecTV, Covergirl, Clinique, Maybelline, Terminix, and AT&T.

This shouldn’t be a surprise to anyone who has been paying attention to the industry. We described this many years ago in a series of articles about mainstream spam. (Note: the organization in the article has cleaned up their act and no longer uses affiliates).
Addresses were collected through many ways, including the use of co-reg. Chris Vickery explains:

Well-informed individuals did not choose to sign up for bulk advertisements over a billion times. The most likely scenario is a combination of techniques. One is called co-registration. That’s when you click on the “Submit” or “I agree” box next to all the small text on a website. Without knowing it, you have potentially agreed your personal details can be shared with affiliates of the site.
You are never told who the affiliates are and groups like River City Media capitalize on that aspect. One line of the leaked chat logs explains it all very succinctly:
“The key is sincerity.  Once you can fake that…”

Legitimate companies do buy co-reg data, still. The problem is that there’s no real permission associated with the address. In the absolute best case scenario, permission is taken by the co-reg provider rather than given by the recipient. All too many co-reg vendors go out of their way to hide the fact that they will sell the addresses in their privacy policies. This isn’t transparent. This isn’t real permission.
One argument I’ve heard over and over about laws, particularly CASL, is that it’s targeting the wrong companies. As the argument goes, the real problem with spam is spammers, not legitimate companies. But CASL and other laws target legitimate companies. I never really bought into that argument as it’s clear to me a lot of the money supporting spammers comes from the legitimate companies spending real marketing funds.
Legitimate companies are paying third parties to send spam on their behalf and are profiting. For a long time brands have pretended they’re not responsible for the mail. This recent breach shows that they are paying spammers to send mail on their behalf.
Looks like maybe the laws are targeting the right companies.

After this was posted, River City Media sued Chris Vickery and others. https://www.courtlistener.com/docket/4685667/1/river-city-media-llc-v-kromtech-alliance-corporation/. The case was settled in September 2018. 

Related Posts

Another kind of email breach

In all the recent discussions of email address thievery I’ve not seen anyone mention stealing addresses by abusing the legal system. And, yet, there’s at least one ambulance chasing lawyer that’s using email addresses that were never given to him by the recipients. Even worse, when asked about it he said that the courts told him he could use the email address and that we recipients had no recourse.
I’m not sure the spammer is necessarily wrong, but it’s a frustrating situation for both the recipient and the company that had their address list stolen.
A few years ago, law firm of Bursor and Fisher filed a host of class action lawsuits against various wireless carriers, including AT&T. At one point during the AT&T lawsuit the judge ruled that AT&T turn over their customer list, including email addresses, to Bursor and Fisher. Bursor and Fisher were then to send notices to all the AT&T subscribers notifying them of the suit.
This is not unreasonable. Contacting consumers by email to notify them of legal action makes a certain amount of sense.
But then Bursor and Fisher took it a step further. They looked at all these valid email addresses and decided they could use this for their own purposes. They started mailing advertisements to the AT&T wireless list.

Read More

ROKSO lawsuit settled

Earlier this year Ken Magill reported that a judge in the UK was allowing a libel case against Spamhaus to go forward. I thought for sure I’d blogged about the case at the time, but apparently I didn’t.
The short version is that today Spamhaus announced the lawsuit was settled and the complainants paid for Spamhaus’ legal fees.
As with most legal cases the details are complex and convoluted.  Let me try to sum up.

Read More

Spammer prosecuted in New Zealand

Today (well, actually tomorrow, but only because New Zealand is on the other side of the date line) the NZ Department of Internal Affairs added a 3rd statement of claim against Brendan Battles and IMG Marketing. This third claim brings the total possible fines to $2.1 million.
Brendan is a long term spammer, who used to be in the US and moved to New Zealand in 2006. His presence in Auckland was noticed by Computerworld when a number of editors and staffers were spammed. When contacted by the paper, Brendan denied being involved in the spam and denied being the same Brendan Battles.
New Zealand anti-spam law went into effect in September 2007. The Unsolicited Electronic Messages Act 2007 prohibits any unsolicited commercial email messages with a New Zealand connection, defined as messages sent to, from or within New Zealand. It also prohibits address harvesting.
The Internal Affairs department also appears to be investigating companies that purchased services from Brendan Battles.

Read More