Sponsored by..

Monday, 12 November 2012

Cableforum.co.uk hacked?

Cableforum.co.uk is a popular and useful UK site about digital TV and broadband. Unfortunately, the email address list has leaked out and is being used for spamming, for example:

NatWest : Helpful Banking
Dear Valued Member ;

To prevent unauthorized access to your accounts, your online service has been temporarily locked. No further log in attempts will be accepted.
This is a procedure that automatically occur when an invalid information is submitted during the log in process.
Please follow the provided steps below to confirm your identity
and restore your online access:




https://www.nwolb.com/Brands/NWB/images/backgrounds/widepod_header_bottom_purple_login.gif
    

© Legal Info – Security
© 2005-2012 National Westminster Bank Plc 


This is a standard NatWest phish. It doesn't originate from Cableforum.co.uk or its servers, but it is sent to an address ONLY used for Cableforum, so it must have leaked out somehow.

So.. dutifully I pop across to Cableforum.co.uk and (changing my password en route) find the appropriate forum. It seems that the problem has already been spotted:

Here's one example:

So I received this email today:


Quote:
Date: Fri, 2 Nov 2012 10:15:08 -0400
From: NatWest Online [helpdesk@nwolb.com]
To: [removed]
Subject: Please Review Your Contact Details!!!


Dear Valued Member ;
To prevent unauthorized access to your accounts, your online service has been
+temporarily locked. No further log in attempts will be accepted.

..etc...
The email was sent to an address I've only used to register on Cable Forum and is a series of random characters that spammers wouldn't just 'guess'. Just wondering if anyone else has had this email? 

That's odd. That's exactly the same as me. And then there's another one:

I had two emails sent to both the addresses registered here on Cable Forum. Not sure why the earlier thread was so hastily closed?
Slightly off topic, why can I not edit my email address here?
When I attempt to change it I get this: The email address you entered is already in use. If you have forgotten your password, please click here.
I have not forgotten my password, I was trying to change it as well as my email. 

These are very precise reports from people using unique sign-on addresses. You'd think that would be pretty good evidence. So, armed with that you'd expect a concerned "we'll look into it" response. But instead the replies are:

Spammers don't "pick" anything. Their software generates emails at random and, yes, that includes strings_of_gibberish @yourdomain.

This site has not sold your email address.
This site has not been hacked, cracked or compromised.

The end.

Thread closed.
and

Threads of the same topic that have been closed should not be re-opened/re-created no matter what the circumstances are.

This issue cropped up several months ago and I will repeat what was said then...

We do not believe our systems have been compromised. There was no evidence to suggest an intrusion or breach took place. If anyone has any *Strong* Evidence to suggest other wise then contact us using the contact link below.

Thank you. 
which prompted a response from the original reporter:

The only spam I had was today, didn't have any earlier. I did get an explanation from the mod that closed it about how he didn't feel the thread was useful and that it would attract unwanted replies. But I think preventing people from discussing the issue stinks of a cover up (whether it is or not).

It would be much better to at least post a link to that thread, or some sort of explanation of what they think is happening rather than a dismissive knee-jerk response that it didn't happen when three people have claimed to receive the same email (and Osem says it happened before). All I want is an explanation about what happened and a promise that security of MY data is important but I don't feel like I'm getting that.  
What's worse is that this isn't the first time that this has been reported. Here's another one:

Today I received a not-so-subtle phishing email pretending to come from Santander, sent to my one-off email address associated with my cableforum account. I registered my account in 2009 and it's the first time I get spam/phish on this address. I don't really care if CF was hacked since I used a unique pw/email, but maybe a warning to other users would be the polite thing to do... 

But going back even further shows this thread with a lot of evidence that an email address leak has occured. One person who seems to know their stuff points:

Your database has been dumped and the damage is done as far as spam is concerned
now the question is are you

1) going to stick your head in the sand and thow around accusations
or
2) man up and fix the problem 

One of the Cableforum team shows just how far they can bury their head in the sand

But seriously, all in all, getting back to the main issue, there is about 5 people receiving it to their CF registered e-mail address and reporting it here so far. Co-incidence, yes but a very weak one. 
How many people do you think use unique emails for each site? Not many. That sort of evidence is very, very strong.. especially with multiple reports. That comment got this withering rebuke:

It's not a co-incidence at all. The emails are clearly of the same content and arrived within a small interval of each other and to CF-specific registered email addresses. If you're saying this is purely by chance and that all these email addresses were just "guessed" up by some automated program, then you're in denial.
 But another member of the CF team shows that they just don't understand it at all:

Given the extremely weak evidence provided and this appearing to only affect a very small number of members i.e less than 10, we do not believe that our systems have been breached and as a result we believe this to be the actions of brute force spamming.
Really? All these people with unique email addresses report the same spam. And it just gets dismissed?

But if you have the same problem.. forget it. All threads have been closed, creating new threads on the matter has been banned. In denial much?

Clearly there has been a problem for several months, although it isn't clear when such an address leak occurred or what data was taken with it. You should always assume that the passwords have been compromised and change it, plus change it anywhere that you re-use the same password.

Sadly, crap like this happens to good websites. And the best way to deal with it is to be honest and 'fess up so that members can act accordingly. Nobody likes to think that there site has been compromised, but in this case it clearly has been to some unknown extent.

I emailed Cableforum.co.uk to advise them (since new forum threads are banned). Let's see if I get a response..

Update: and other incidents are here and here.. so this isn't really an isolated problem.

Update 2:  predictably, raising the issue just gets the thread closed with the phrase "There is nothing to discuss and I am not interested in wild theories and stupid accusations that some how there is a cover up." Which just shows that there is a cover up..

Update 3:  and what is really ridiculous is that Cableforum mods are denying it, despite the fact that their site was recently hacked. And it isn't the first time, either.

4 comments:

Joy kumar saha SEO expert said...
This comment has been removed by a blog administrator.
Unknown said...

I use a unique mailing address for each site in the forum of site.com_@domain.com.

Example: blogger.com_20131009@

And I get spam to the address used by cableforum. Chances of a spammer using that mail address at my domain by chance?

Conrad Longmore said...

@Steve: the chances of getting random spam to an address like that are so close to zero as to be negligible. I got another one today "from" the Halifax, but I don't know if it is from the old data breach or a new one..

--x8- Cut here --------

Net Banking Re-Validation Process.

Dear Customer,

Your online details needs to be re-validated
. This is a routine update Halifax usually conduct to endeavor all our customer information is up to date and safe in our database.

To avoid loss of information and account, You are required to complete the following re-validating process through our secured gateway below.

Please Follow the link below to re-validate

Re-validate Here Through Our Secured Gateway

Note
Failure to update your account details within seventy two (72) hours of receiving this notice could lead to account being suspended and online access restricted.

Thank you for your cooperation.

Sincerely,
Halifax Online
Online Banking Security Unit

Unknown said...

Yes! I got the exact same mail to the cableforum address today. I've just added it to the filter now, but it is irritating that the admin/mods of that cesspit continue to ignore the complaints of its users.

What is more frustrating is the forum postings complaining of inserted javascript to the forum pages triggering anti-virus warnings are responded with "Should be ok now - some offending files removed. Thanks for reporting the problem.".

Well, how do you think those offending files got there?! Because a malicious attacker has complete access to your forum, and its user database, thats why. Clue less people.