Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Spammers Stymie UK Email

British ISP forced to shut down Web mail service due to 'unpatchable' vulnerability

More than 200,000 users of a popular British Internet service are without the ability to access email over the Web, thanks to a spam attack that the ISP is still struggling to resolve.

PlusNet, a popular low-cost service owned by BT, was forced to take its Web-based email servers offline last night following a hack that may have enabled a hacker to steal account information from its customers. The stolen data was used to launch a spam campaign on the victims, and a smaller number of users contracted Trojans as well, PlusNet says.

The problem was first discovered May 9, when PlusNet began to receive complaints of an unusually high degree of spam from some of its customers. Upon further investigation, PlusNet discovered that one of its six Webmail servers had been hacked, and the attackers had gotten away with one of its account lists.

"This list was obtained from our Webmail platform and includes accounts that customers have used to login to Webmail, as well as some email addresses contained in customers' online address books, and addresses customers have sent using our Webmail service," PlusNet says. This means the attack extends beyond PlusNet users to members of other email services, the ISP observes.

The ISP says the attack exploited a vulnerability that "cannot be patched," and therefore it is building new servers for its @Mail system. The company expects to restore email service to its customers tomorrow with a temporary fix, then add a more permanent server configuration next week.

PlusNet has not given details on the vulnerability, the exploit, the number of users affected, or even the makes of the servers or applications involved in the hack. Its notices to customers make multiple references to "the Webmail database," but it does not specifically state whether the data was stolen from a customer database or from an email account server.

"At present, we are working with our vendors and legal authorities, so cannot expand further on this," it said in a message yesterday. Presumably, the ISP is protecting this information until the involved vendors have been notified and given a chance to correct the problem, which is the usual procedure when a vulnerability is identified.

The ISP also did not speculate on the source of the attack, but it appears to suspect someone outside its organization and outside its user base. PlusNet has temporarily restricted its Web portal access to users who registered in the U.K. The company had originally planned to publish an incident report on Friday, but that report has now been postponed until Tuesday.

While it develops a more permanent fix, PlusNet says it will not deliver some types of email, including messages that originate from known spammer addresses and messages tagged as spam by its filtering system. "We are confident that these methods will only block email which is spam," the ISP says.

— Tim Wilson, Site Editor, Dark Reading

  • PlusNet plc Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 11/19/2020
    New Proposed DNS Security Features Released
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
    How to Identify Cobalt Strike on Your Network
    Zohar Buber, Security Analyst,  11/18/2020
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Write a Caption, Win an Amazon Gift Card! Click Here
    Latest Comment: A GONG is as good as a cyber attack.
    Current Issue
    2021 Top Enterprise IT Trends
    We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
    Flash Poll
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-11-23
    A flaw was found in the Cephx authentication protocol in versions before 15.2.6 and before 14.2.14, where it does not verify Ceph clients correctly and is then vulnerable to replay attacks in Nautilus. This flaw allows an attacker with access to the Ceph cluster network to authenticate with the Ceph...
    PUBLISHED: 2020-11-23
    A flaw was found in rhacm versions before 2.0.5 and before 2.1.0. Two internal service APIs were incorrectly provisioned using a test certificate from the source repository. This would result in all installations using the same certificates. If an attacker could observe network traffic internal to a...
    PUBLISHED: 2020-11-23
    A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating sy...
    PUBLISHED: 2020-11-23
    TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability...
    PUBLISHED: 2020-11-23
    prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters.