
Spammers Stymie UK Email

British ISP forced to shut down Web mail service due to 'unpatchable' vulnerability

More than 200,000 users of a popular British Internet service cannot access their email over the Web, thanks to a spam attack that the ISP is still struggling to resolve.

PlusNet, a popular low-cost service owned by BT, was forced to take its Web-based email servers offline last night following a breach that may have let an attacker steal account information from its customers. The stolen data was used to launch a spam campaign against the victims, and a smaller number of users were infected with Trojans as well, PlusNet says.

The problem was first discovered May 9, when PlusNet began to receive complaints from some of its customers about an unusually high volume of spam. Upon further investigation, PlusNet discovered that one of its six Webmail servers had been hacked, and the attackers had gotten away with one of its account lists.

"This list was obtained from our Webmail platform and includes accounts that customers have used to login to Webmail, as well as some email addresses contained in customers' online address books, and addresses customers have sent using our Webmail service," PlusNet says. This means the attack extends beyond PlusNet users to members of other email services, the ISP observes.

The ISP says the attack exploited a vulnerability that "cannot be patched," and therefore it is building new servers for its @Mail system. The company expects to restore email service to its customers tomorrow with a temporary fix, then add a more permanent server configuration next week.

PlusNet has not given details on the vulnerability, the exploit, the number of users affected, or even the makes of the servers or applications involved in the hack. Its notices to customers make multiple references to "the Webmail database," but it does not specifically state whether the data was stolen from a customer database or from an email account server.

"At present, we are working with our vendors and legal authorities, so cannot expand further on this," it said in a message yesterday. Presumably, the ISP is withholding this information until the vendors involved have been notified and given a chance to correct the problem, which is the usual procedure when a vulnerability is identified.

The ISP also did not speculate on the source of the attack, but it appears to suspect someone outside its organization and outside its user base. PlusNet has temporarily restricted its Web portal access to users who registered in the U.K. The company had originally planned to publish an incident report on Friday, but that report has now been postponed until Tuesday.

While it develops a more permanent fix, PlusNet says it will not deliver some types of email, including messages that originate from known spammer addresses and messages tagged as spam by its filtering system. "We are confident that these methods will only block email which is spam," the ISP says.

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.