The Patient Spammer and the Cloud

Whenever I sign up to an online service, I use a unique email address. That way when spam starts coming in I can see whose fault it is. I’m suddenly getting rather a lot of spam, sent from disposable email accounts (e.g. Yahoo) and directing me to various scam websites registered in Russia. All at once, from multiple vectors. That’s the part that worries me; here’s why.

First: here is the list of organisations that have leaked my email address to spammers (most probably because they have been compromised):

  • Ning (probably through the Association of Virtual Worlds, which has published its entire membership list as a PDF including everyone’s email addresses)
  • Amnesty International (probably by publishing my email address on a petition)
  • Palmgear (yes, I was a huge Palm fan, long ago)
  • Reqall (an iPhone app with an online service – I prefer Evernote, who have also never leaked my email address to spammers)
  • socialthing (now AOL LifeStream, and utterly uninteresting to me)
  • Skitch (dammit, I like Skitch!)
  • ServiceCentral – a service to book tradespeople to come and break your plumbing.
  • Whrrl (some kind of location-based iPhone game thing).
  • 3Dexplorer.
  • Spotlight – I’m a “VIP member” of this store, which apparently means that I want Russian spammers to sell me a counterfeit watch.
  • Webjam – I presented at Webjam once, so this may not be a leak from their website – I gave out this address to the entire audience so anyone there could be the source of the leak.
  • Saasu – online (cloud) accounting. If I can’t trust them with my email address, I’m not going to trust them with my financial data.
  • Xero – as above. This is a pretty severe problem in both cases; I’ve signed up for free trials of two cloud accounting services and both have leaked my email address to Russian spammers.

I’m getting about 40 spams a day at the moment, all through the above vectors. I’m redirecting those email addresses into the void now.

(I’m getting about another 40 spams each day to my ACM and SIGGRAPH addresses, but those are all obvious enough that Apple Mail’s spam filters are catching them for me. And oddly, none of those are in English.)

I’ve been signing up for online services this way for a long time, and it’s only recently that they have become a serious vector for spam. And the spam is pretty consistently for the same group of Russian-registered sites.

I wonder how long my personal information has been accumulating, being leaked, then sold, then finally used. I wonder whether other cloud services that I’m actually using have been compromised (as opposed to ones I’ve only signed up for and not entered data into). I wonder how long the attackers will wait, accumulating more personal information on us, and how damaging the resulting identity-theft storm might be.

One Response to “The Patient Spammer and the Cloud”

  1. viveka says:

    Followup: in almost all cases the torrent of Russian spam started at the end of June 2010, preceded by a trickle of spam for fake PDF Reader trojan horses that started in September 2009.

    It looks like this breach may be a common source of the leak. A shame that Whrrl didn’t feel free to name and shame the leaker.
