Sophos Cloud Optix
The UK branch of the ticketing firm Ticketmaster has warned its online customers that they might have received a series of unauthorised emails after its TicketWeb subsidiary’s mailing list system was compromised.
It appears that the first Ticketmaster knew of the security breach was when a customer informed them via Twitter on Saturday.
@jojowiththeflow Hey Jo, this isn't anything we've heard of at this time. To investigate, can you please follow us so we can DM you? Thanks!
— Ticketmaster (@Ticketmaster) February 11, 2012
Blogger David Cannings, shared more information about the unauthorised TicketWeb emails, which he discovered pointed to a bogus Adobe Reader download page.
The emails reportedly claimed that the recipient’s version of Adobe Reader was out of date and offered a link where a new version could be downloaded. Hardly the kind of email you would normally expect from Ticketmaster..
As regular readers of Naked Security should know well by now, the only place you should ever download an update to Adobe Reader (or indeed Adobe Flash) from is Adobe’s own website.
A spokesperson for the ticketing firm was keen to reassure customers that “no sensitive personal information or credit card information was vulnerable directly from the TicketWeb UK direct email marketing system during this incident.”
Of course, there are two problems here. As well as customers needing to be warned about the unauthorised emails sent via TicketWeb’s mailing list, Ticketmaster also needs to ensure that its various mailing lists can not be hacked again.
After all, customers will unsubscribe pretty quickly and take their business elsewhere if they find the email address that they have given Ticketweb, or or its parent firm Ticketmaster, is being used by spammers.
If a mailing list is compromised it can be a very effective way for fraudsters and cybercriminals to communicate maliciously with a firm’s customers, with the advantage of bearing all the hallmarks and headers of a legitimate email from a company they trust.
This is the sort of thing that causes me to use a vendor-specific email address with each vendor. (I've had surprisingly few instances in which an address leaked–one that did leaked around 1998, was at one point sent 400 spams a week, has been shut down for a long time (with no such address responses in SMTP) and still receives mailing attempts.That vendor no longer exists.)
–John
I told them at 2pm on Saturday – went to the bother of sending an email with all the headers. But they didn't tell users until Sunday. They hardly acted with "urgency."
I've been doing something similar for about 15 years and have had a handful leaked.
How do you configure the "no such address responses in SMTP"?