Sophisticated spam mails after data leak in company database

11/16/2011
G DATA Blog

A German company, selling printer ink cartridges online, fell victim to cyber attackers who stole parts of their customer data.

Tintencenter.com acknowledged the data leak and explained that the attackers gained access through a formerly unknown vulnerability in the shop’s system and collected email addresses and the provided shipping and billing addresses.
Reports in German consumer advice center forums suggest that a first wave of very sophisticated spam using the customers’ data appeared as early as August. Some forum posts even suggest that some people received fake tintencenter.com emails although they have never been customers of this company. One can only speculate whether the attackers may also have got hold of other companies’ databases and are now using all of them for their spam campaigns.

In the recent case, the attackers used the data stolen at tintencenter.com to send order confirmation emails looking deceptively genuine – the number of spelling mistakes and odd phrases is remarkably low.
The attached PDF is currently rated as not malicious, but nonetheless you shouldn’t open it – later spam campaigns might include malicious attachments.

They want to lure the potential victims to a website they prepared themselves. The website’s domain is, again, very similar to the original, and the small alteration is very easy to miss.

Original: www.tintencenter.com
Fake:     tihtencenter.com (recent campaign)
          tintehcehter.com (campaign in August)
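A defender-side check for this kind of lookalike domain, as an added example that is not part of the original post: it scores the domain of a sender against a list of trusted shop domains with an edit distance in which visually confusable substitutions (n/h and similar) count as cheaper than arbitrary ones, so both fake domains from the table above are flagged as lookalikes while an unrelated sender is not. The trusted-domain list, the confusable table, the threshold and the sample headers are assumptions constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Known-good domains a mail gateway or user would recognise. The shop
# domain comes from the article; registrable form only (no "www.").
TRUSTED_DOMAINS = ["tintencenter.com"]

# Letter pairs that are easy to mistake for each other on screen.
# Illustrative assumption, not an exhaustive confusables table.
CONFUSABLE_PAIRS = {("n", "h"), ("m", "n"), ("l", "i"), ("l", "1"),
                    ("o", "0"), ("e", "c"), ("u", "v"), ("b", "d")}


def _substitution_cost(a: str, b: str) -> float:
    """Cost of replacing character a by b; confusable swaps are cheaper,
    so a domain built from them ends up closer to the genuine one."""
    if a == b:
        return 0.0
    if (a, b) in CONFUSABLE_PAIRS or (b, a) in CONFUSABLE_PAIRS:
        return 0.5
    return 1.0


def weighted_distance(s: str, t: str) -> float:
    """Optimal-string-alignment (Damerau-Levenshtein) distance with the
    weighted substitution cost above; insertions, deletions and
    transpositions of adjacent characters cost 1."""
    n, m = len(s), len(t)
    d = [[0.0] * (m + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][0] = float(i)
    for j in range(m + 1):
        d[0][j] = float(j)
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            d[i][j] = min(
                d[i - 1][j] + 1.0,                                   # deletion
                d[i][j - 1] + 1.0,                                   # insertion
                d[i - 1][j - 1] + _substitution_cost(s[i - 1], t[j - 1]),
            )
            if i > 1 and j > 1 and s[i - 1] == t[j - 2] and s[i - 2] == t[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1.0)       # transposition
    return d[n][m]


def registrable_domain(host: str) -> str:
    """Lowercase and drop a leading "www."; a production gateway would
    use the Public Suffix List instead of this simplification."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: header such as 'Shop <order@example.com>'."""
    match = re.search(r"@([a-z0-9.-]+)", from_header, re.IGNORECASE)
    if not match:
        raise ValueError("no e-mail address found in: %r" % from_header)
    return registrable_domain(match.group(1))


def classify_domain(host: str, trusted=TRUSTED_DOMAINS,
                    threshold: float = 2.0) -> Tuple[str, Optional[str], float]:
    """Return (verdict, closest trusted domain, distance). Verdict is
    'trusted', 'lookalike' (within threshold of a trusted domain) or
    'unrelated'. The threshold of 2.0 is an assumed tuning value."""
    host = registrable_domain(host)
    if host in trusted:
        return ("trusted", host, 0.0)
    closest = min(trusted, key=lambda t: weighted_distance(host, t))
    dist = weighted_distance(host, closest)
    if dist <= threshold:
        return ("lookalike", closest, dist)
    return ("unrelated", None, dist)


if __name__ == "__main__":
    # Constructed sample From: headers: the two fake domains from the
    # article, the genuine shop and an unrelated sender.
    samples = [
        "Tintencenter <bestellung@tihtencenter.com>",
        "Tintencenter <bestellung@tintehcehter.com>",
        "Tintencenter <shop@www.tintencenter.com>",
        "Newsletter <news@example.com>",
    ]
    for header in samples:
        verdict, closest, dist = classify_domain(sender_domain(header))
        print("%-45s %-10s %s (distance %.1f)" % (header, verdict, closest, dist))
```

Because the n/h swap costs only 0.5, the recent fake scores 0.5 and the August fake (two swaps) scores 1.0 against the genuine domain; an unrelated domain of a different length is at least as far away as the length difference and falls outside the threshold. In a mail gateway the same scoring would be run over the From: domain and over every link target in the message body, with a hit on a lookalike of a trusted domain treated as a phishing indicator rather than a spelling accident.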


We can speculate what the attackers had in mind and can imagine two possible scenarios:

  1. The attackers prepared a convincing replica of the tintencenter.com website to phish further data. Prime targets would be the login credentials to the site and the customers’ bank account details or credit card data. If the attackers can get hold of this information, they can assemble a complete identity and use it for further fraud.
  2. The attackers prepared their own website and try to infect the visitors’ computers with any kind of malware by exploiting vulnerabilities on the machines.


What you, as a customer of tintencenter.com, can do now:
You might have received or maybe will receive order confirmations or invoices, allegedly sent by tintencenter.com, for goods you haven’t actually ordered – as described above. The attackers might also use your personal data to send you spam messages labeled with any other company’s name. Insurance spam messages and similar ones are a quite common consequence of this kind of data leak.

  • If you receive an email from a shop/service you have never used, ignore the email, delete it, but under no circumstances open attachments or click on URLs.
  • Never disclose any personal information and/or bank data, either via e-mail or on dubious websites.
  • Never transfer money to an unknown person.
  • As a preventive measure, change your login credentials on the original tintencenter.com website.
  • Enter website addresses with user logins manually or use your browser's Favourites function.


If you want to read more about the scamsters’ tricks regarding emails, feel free to read our G DATA Whitepaper about “dangerous emails”, currently available in German, French, Dutch and Italian - more translations coming soon.