
Why PlusNet?

waldron
Grafter
Posts: 348
Registered: 28-07-2007

Why PlusNet?

Having read through the Webmail Incident Report a couple of times, there is one point which worries me. I note the phrases "malicious attack", "considerable amount of planning and expertise" and the fact that Russian involvement is suspected.

I can't help wondering why, out of all the ISPs in the world, a Russian source selected PlusNet for this attack. Have other ISPs which use Atmail also been attacked? If not, what is so 'special' about PlusNet that they should spend so much time and effort?

If (heaven forbid) there is some sort of vendetta against Plusnet, can we expect other attacks elsewhere in the future?
17 REPLIES
J_i_m
Grafter
Posts: 54
Registered: 01-08-2007

Why PlusNet?

It's more likely that drive by probing discovered the potential security holes and an attack was organised and carried out purely to make some cash.

As long as PN get everything locked down, we should be safe.
N/A

Why PlusNet?

Anybody who thinks that this attack was aimed at Plusnet and not Atmail needs their head examined! When Russia invaded Estonia recently, the assets they used were very widely distributed. These assets are mainly use-once-and-throw-away. They need to be replaced. A very large exploit must be taking place -- PN is just more open about it than most.

What is worrying me slightly is that the original hackers are still sending the spam - they haven't sold us on - so they must be getting somewhere with it. Since I guess only a small fraction of the sites they're tempting us with are infected - a matter of disguise - then they can only be still growing their bot if lots of people are clicking on them.

Are PN doing anything to monitor suspicious traffic, or to advise their client base about cleaning and staying clean, or to liaise with anti-malware agencies about these suspicious sites?
dhumble
Grafter
Posts: 94
Registered: 19-08-2007

Why PlusNet?

avalon1 has hit the nail on the head. Working in I.T. myself, I can confirm that both my home and work web logs show regular probing for commonly used web applications and known security glitches. I noticed an upsurge before PN's problems, and even spent a week recoding my work's WordPress blog, which didn't get any more form injection after that.

Peeps are constantly trying to inject SPAM into my mail server or phpBB2 forum. The joys of hosting a service. A constant cat 'n' mouse game it can be, too.
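The routine probing dhumble describes is easy to pick out of a web-server access log mechanically. What follows is an added example, not code from the thread, from PlusNet or from any poster: a small Python script that parses lines in the common Apache/nginx "combined" log format and flags client IPs that repeatedly request well-known application paths, draw 404s on PHP paths, or POST to a form with no referer (the pattern of blind form injection). The log lines, the list of probe paths and the threshold are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Aug/2007:10:12:01 +0100] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Aug/2007:10:12:02 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Aug/2007:10:12:03 +0100] "GET /xmlrpc.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Aug/2007:10:15:44 +0100] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Aug/2007:10:15:45 +0100] "GET /style.css HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0"
192.0.2.9 - - [19/Aug/2007:10:20:00 +0100] "POST /phpBB2/posting.php HTTP/1.1" 403 210 "-" "-"
192.0.2.9 - - [19/Aug/2007:10:20:01 +0100] "GET /admin/ HTTP/1.1" 404 512 "-" "-"
"""

# One combined-format line: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths that scanners try on almost any host. Hypothetical list for illustration;
# a real deployment would tune this to the applications actually hosted.
PROBE_PATHS = [re.compile(p, re.IGNORECASE) for p in (
    r"/wp-login\.php$",
    r"/xmlrpc\.php$",
    r"/wp-admin(/|$)",
    r"/phpmyadmin(/|$)",
    r"/admin(/|$)",
    r"/setup\.php$",
    r"\.\./",            # directory traversal attempt
)]


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Drop any query string and normalise case before matching paths.
    entry["path"] = entry["path"].split("?", 1)[0].lower()
    return entry


def probe_reasons(entry):
    """List the reasons one request looks like automated probing (empty list if none)."""
    reasons = []
    if any(p.search(entry["path"]) for p in PROBE_PATHS):
        reasons.append("well-known application path")
    if entry["status"] == 404 and entry["path"].endswith(".php"):
        reasons.append("404 on a PHP path")
    if entry["method"] == "POST" and entry["referer"] == "-":
        reasons.append("POST with no referer (form-injection pattern)")
    return reasons


def flag_probers(log_text, threshold=2):
    """Map each client IP with at least `threshold` suspicious requests to its (path, reasons) list."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue            # skip malformed lines rather than crash on them
        reasons = probe_reasons(entry)
        if reasons:
            hits[entry["ip"]].append((entry["path"], reasons))
    return {ip: h for ip, h in hits.items() if len(h) >= threshold}


if __name__ == "__main__":
    for ip, requests in flag_probers(SAMPLE_LOG).items():
        print(f"{ip}: {len(requests)} suspicious requests")
        for path, reasons in requests:
            print(f"    {path}  <- {', '.join(reasons)}")
```

Run against the constructed sample, 203.0.113.7 (three hits on scanner paths) and 192.0.2.9 (a referer-less POST plus an /admin/ 404) are flagged, while 198.51.100.4, which fetched a real page and its stylesheet, is not. The threshold is there to avoid blocking a genuine visitor who mistypes one URL; feed the output to a firewall or fail2ban-style tool only after checking the false-positive rate on your own logs.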
N/A

Why PlusNet?

Quote
What is worrying me slightly is that the original hackers are still sending the spam - they haven't sold us on - so they must be getting somewhere with it.


Do you know this for certain?
It has been my assumption that the hackers already had their business plan well documented before they hacked PN and passed on the mailbox addresses within a few days. In fact, it might have been a 'hack-to-order' attack.
N/A

Why PlusNet?

I agree with @gramway!

All the spam I have received so far is the same, and it comes in too small amounts to be coming from dedicated spammers. It is definitely not the assorted type that I see in my Yahoo address that is displayed on a website.

I'm quite sure this is more a probe than ordinary spam. People who have clicked any of those links or received any of that spam mail in full html should have a good thorough scan of their system, especially those without the latest Windows security updates.
N/A

Why PlusNet?

Quote
I agree with @gramway!

All the spam I have received so far is the same, and it comes in too small amounts to be coming from dedicated spammers. It is definitely not the assorted type that I see in my Yahoo address that is displayed on a website.

I'm quite sure this is more a probe than ordinary spam. People who have clicked any of those links or received any of that spam mail in full html should have a good thorough scan of their system, especially those without the latest Windows security updates.


I've received about 12-14 spams during today alone... that's more than any other day so far. But I don't think that anything we know so far makes it more or less likely that the spammers and hackers are one and the same people. Truth is that nobody knows.
N/A

Why PlusNet?

Quote
Truth is that nobody knows.


Well presumably the spammers and/or hackers do :lol:

Sorry, couldn't resist.
N/A

Why PlusNet?

True, we don't know. But, @toucano, none of my spam is "commercial" - they can't seriously be trying to sell ED pills or Photoshop software or a good night out. They are all trying to get me to click on a link, and I think I know what that means.... Unfortunately, if it is the FSB trying to grow the bot, they're unlikely ever to be caught and, even if they were, we'd never see a prosecution.
N/A

Why PlusNet?

And notice they aren't even trying to elude spam filters by disguising or misspelling key words.
N/A

Why PlusNet?

Quote
True, we don't know. But, @toucano, none of my spam is "commercial" - they can't seriously be trying to sell ED pills or Photoshop software or a good night out. They are all trying to get me to click on a link, and I think I know what that means....
[snip]

Possibly, I simply do not know.
So far I have assumed that some of the links for cheap copies of Adobe bloatware and pills are genuine offers from commercial spammers, but as you say they could be URLs to a whole new infection. The evidence is thin either way without taking the risk and clicking, which I would not advise anyone to do.
N/A

Why PlusNet?

Quote
And notice they aren't even trying to elude spam filters by disguising or misspelling key words.


Yes, I've noticed that... Do you think that points to the spam coming from infected innocent PCs, and not a professional spamming outfit?
N/A

Why PlusNet?

I think 'real' spam also uses infected PCs. But as @granway says, this lot aren't trying to sell us anything. They're after something else: bots.
N/A

Why PlusNet?

Quote
I think 'real' spam also uses infected PCs. But as @granway says, this lot aren't trying to sell us anything. They're after something else: bots.


If you're right, the perps look like very IT-savvy crims and their aim is not to sell us anything but to spread their evil bot payload far and wide.
So we need to keep an eye out for real spams trying to sell us stuff... at that point it would suggest the crims have sold our mailbox addresses to real spammers. If that doesn't happen, this current spam flood might fade away when the crims get bored and move on to something else or get shut down.
N/A

Why PlusNet?

If the spammers are after bots, could PlusNet set up a couple of honeypot PCs (using virtual machines) and get to blocking the bot traffic before it can spread?

Owners of infected machines could then be notified.

The only problem with this approach is that some malware is VM aware these days.