Virgin Media spoof email mystery: Customers take to Facebook

ISP: There has been no breach, no idea what you mean

Customers of Virgin Media who are increasingly convinced their service provider has been the victim of a security breach have formed a Facebook group to share their experiences and push for answers.

Virgin Media is firmly denying any breach of its systems but users are equally adamant that a widespread and ongoing email spoofing problem must be down to a problem with the ISP.

The aggrieved customers say the issues at Virgin Media began in September last year, around the time the service provider migrated from the Google platform to its own. This was accompanied by some spamming, as we reported at the time, but this was only one aspect of a bigger and ongoing mail security problem – at least, according to disgruntled customers.

According to this group, Virgin Media somehow managed to leak email addresses and address books held on its servers to hackers. Within days of the migration, ntlworld and blueyonder accounts were spoofed to distribute spam messages in junk mail runs limited to email addresses those users had previously been in contact with.

“Around 70 of us have had our email web accounts compromised and [believe] that the spammer is sending out spoofed email to everyone in our sent/received items,” Simon, a victim of the apparent breach – who says he has worked in IT for 20 years – told El Reg. “Each email to five of these contacts contains a link to a compromised website with the aim of infecting a new PC. A spoofing event happens about every 3-4 weeks causing a large number of bounce-backs to the victim.”

Virgin Media customers started to receive batches of undelivered email reports at the time the service provider changed its email platform last September and the problem remains unresolved, with spoofed emails still circulating.

Virgin Media: It ain't us, guv

In a statement, Virgin Media acknowledged its customers were experiencing a spoofed messages problem while firmly denying that a breach on its systems had precipitated the unwelcome behaviour.

Ensuring customer data is secure is of utmost importance to Virgin Media. There has been no breach of our systems and our email platform is not the cause of reported email spoofing. We have advised customers how best to protect their email accounts from spoofing.

The change of email platform meant that some emails (e.g. bouncebacks) that Gmail would have delivered to a customer’s junk box became visible in customers' inboxes, a Virgin Media PR representative added.

The statement issued to El Reg dovetails with what the ISP has been telling its customers for months, a line that’s hard to disprove but has nonetheless failed to placate disgruntled users.

Simon said the issue has caused him all sorts of inconvenience. He described Virgin’s statement and the position it reflects as “utterly implausible”.

“Virgin have a good description of what spoofing is on their website and are making the claim that the increase post migration is due to the fact that their spam filters are not as good,” he said. “This is just not true as when a spoofing event happens I get several calls / email texts from irate friends, colleagues and customers telling me I’ve been hacked and it’s only happened since the migration.”

“It caused me personally a great amount of embarrassment and there is nothing that can be done to solve the problem now the addressees are out there. In trying to fix the symptoms of the problem, Virgin are now blocking swathes of legitimate email. The whole thing is a disaster and I am about to move to a new email provider, which is a significant pain as this has been my email address for 20+ years,” he concluded.

'Targeted' recipients

Other Virgin Media users caught up in the spamming and spoofing storm remain equally frustrated.

“When we looked at the emails, it was clear we had not sent them – they were spoofs,” explained Kate B, a Virgin Media customer who has also been in touch with El Reg about the issue. “What was more concerning was that the recipients were targeted.

“They were all people who had email contact with the VM account. This includes people who were cc'd in emails sent and received years ago. They were not in any address books,” she added.

Aggrieved punters have been complaining about the issue to Virgin Media but it has consistently denied any wrongdoing. Instead the ISP is blaming message storm problems on individual customers. Call centre staff are telling aggrieved punters to run various security checks on their computers and to change passwords, actions that don’t really tackle the problem, according to activist customers.

“This is not the issue,” another aggrieved user, AnnHelen P, told El Reg. “These email addresses [are] held in the address books or in emails on the Virgin Media web servers, not from customers’ computers. As a result, spoofed emails are being sent between the email addresses that were captured.

“Also since many of the email addresses leaked have been for email addresses that no longer exist, many of these emails bounce back to the spoofed sender address,” she added.

Complaints to the Information Commissioner

Several customers have complained about Virgin Media to data privacy watchdogs at the Information Commissioner's Office (ICO). Asked to comment on the issue, an ICO spokeswoman told El Reg: “We are aware of this issue and are making enquiries.”

She declined to answer follow-up questions from El Reg on whether or not Virgin Media was co-operating with its inquiries, explaining that the ICO has a policy of not commenting on ongoing inquiries.

Virgin Media’s community forums are full of threads on the spoofing/malicious spam issue (examples: "Recieved about 20 of these, has my e-mail or system been hacked, virus, what's going on?" here; "email hacked?" here; "How does spoofer access my contact list?" here; "Outward spam emails being sent from my .ntlworld address" here; and "Email Spam Spoofing" here).

Nonetheless, Virgin Media is sticking to its official line (see under email spoofing here) and maintaining that its customers are to blame for any problems they may be experiencing. VM has steadfastly stated there was no data breach but has not provided any information on how it managed to clear itself of any involvement in the ongoing malfeasance, aggrieved customers tell El Reg.

In response, frustrated customers recently started a Facebook group on the issue, dubbed Virgin Media Email Problems - Spoofing, Hacked, Data Breach?. The group is designed to allow people whose emails have been compromised to exchange and pool their experiences.

“We are not getting anywhere with Virgin,” AnnHelen P said. “We do realise that the emails are now out there and nothing can be done about that. We do, however, wish to know exactly what information these hackers were able to access, how it happened in the first place and how widespread this breach is.”

Kate B added: “We are worried there has been a data breach. If VM does not know how it happened, how can they prevent it happening again? We are also very concerned that information was harvested from inside of our old emails... What else was taken?”

She concluded: “We have found it hard to raise the profile of this issue. Many of the people in the group are IT professionals and very savvy; we estimate there are very many others who have been targeted but remain unaware.” ®
