Spammers Stymie UK Email

British ISP forced to shut down Web mail service due to 'unpatchable' vulnerability

More than 200,000 users of a popular British Internet service are without the ability to access email over the Web, thanks to a spam attack that the ISP is still struggling to resolve.

PlusNet, a popular low-cost service owned by BT, was forced to take its Web-based email servers offline last night following a hack that may have enabled an attacker to steal account information from its customers. The stolen data was used to launch a spam campaign against the victims, and a smaller number of users contracted Trojans as well, PlusNet says.

The problem was first discovered May 9, when PlusNet began to receive complaints from some of its customers about an unusually high volume of spam. Upon further investigation, PlusNet discovered that one of its six Webmail servers had been hacked, and the attackers had gotten away with one of its account lists.

"This list was obtained from our Webmail platform and includes accounts that customers have used to login to Webmail, as well as some email addresses contained in customers' online address books, and addresses customers have sent using our Webmail service," PlusNet says. This means the attack extends beyond PlusNet users to members of other email services, the ISP observes.

The ISP says the attack exploited a vulnerability that "cannot be patched," and therefore it is building new servers for its @Mail system. The company expects to restore email service to its customers tomorrow with a temporary fix, then add a more permanent server configuration next week.

PlusNet has not given details on the vulnerability, the exploit, the number of users affected, or even the makes of the servers or applications involved in the hack. Its notices to customers make multiple references to "the Webmail database," but it does not specifically state whether the data was stolen from a customer database or from an email account server.

"At present, we are working with our vendors and legal authorities, so cannot expand further on this," it said in a message yesterday. Presumably, the ISP is protecting this information until the involved vendors have been notified and given a chance to correct the problem, which is the usual procedure when a vulnerability is identified.

The ISP also did not speculate on the source of the attack, but it appears to suspect someone outside its organization and outside its user base. PlusNet has temporarily restricted its Web portal access to users who registered in the U.K. The company had originally planned to publish an incident report on Friday, but that report has now been postponed until Tuesday.

While it develops a more permanent fix, PlusNet says it will not deliver some types of email, including messages that originate from known spammer addresses and messages tagged as spam by its filtering system. "We are confident that these methods will only block email which is spam," the ISP says.

— Tim Wilson, Site Editor, Dark Reading
