Spammers Stymie UK Email

British ISP forced to shut down Web mail service due to 'unpatchable' vulnerability

More than 200,000 users of a popular British Internet service are without the ability to access email over the Web, thanks to a spam attack that the ISP is still struggling to resolve.

PlusNet, a popular low-cost service owned by BT, was forced to take its Web-based email servers offline last night following a hack that may have enabled an attacker to steal account information from its customers. The stolen data was used to launch a spam campaign against the victims, and a smaller number of users contracted Trojans as well, PlusNet says.

The problem was first discovered May 9, when PlusNet began to receive complaints of an unusually high volume of spam from some of its customers. Upon further investigation, PlusNet discovered that one of its six Webmail servers had been hacked, and the attackers had gotten away with one of its account lists.

"This list was obtained from our Webmail platform and includes accounts that customers have used to login to Webmail, as well as some email addresses contained in customers' online address books, and addresses customers have sent using our Webmail service," PlusNet says. This means the attack extends beyond PlusNet users to members of other email services, the ISP observes.

The ISP says the attack exploited a vulnerability that "cannot be patched," and therefore it is building new servers for its @Mail system. The company expects to restore email service to its customers tomorrow with a temporary fix, then add a more permanent server configuration next week.

PlusNet has not given details on the vulnerability, the exploit, the number of users affected, or even the makes of the servers or applications involved in the hack. Its notices to customers make multiple references to "the Webmail database," but it does not specifically state whether the data was stolen from a customer database or from an email account server.

"At present, we are working with our vendors and legal authorities, so cannot expand further on this," it said in a message yesterday. Presumably, the ISP is protecting this information until the involved vendors have been notified and given a chance to correct the problem, which is the usual procedure when a vulnerability is identified.

The ISP also did not speculate on the source of the attack, but it appears to suspect someone outside its organization and outside its user base. PlusNet has temporarily restricted its Web portal access to users who registered in the U.K. The company had originally planned to publish an incident report on Friday, but that report has now been postponed until Tuesday.

While it develops a more permanent fix, PlusNet says it will not deliver some types of email, including messages that originate from known spammer addresses and messages tagged as spam by its filtering system. "We are confident that these methods will only block email which is spam," the ISP says.

— Tim Wilson, Site Editor, Dark Reading
