Sunday, August 21, 2016

Analysis of Cases of Spoofed Virgin Media Accounts,
Chronic Spam Sent to Addresses Stolen from Email Accounts

Last updated:  21 October 2016


Size of the Problem at Virgin Media


Number of self-reported cases:  About 418
Number of self-reported cases for which email addresses specified: 206

Number of known Virgin Media email addresses with this problem not self-reported:  185

Overlap between self-reported cases and those from another source: 6

Number of known Virgin Media email addresses with this problem: 391

Total number of identified Virgin Media cases:  About 597

Estimated number of Virgin Media cases: 6,400.


Type of Email Address

Virgin Media provides email service under four domains.   Each has some cases of this spoofing.  Tables 1 and 2 below show the distribution of cases by email domain as a percentage and number.  Without knowing the number of email addresses in each domain, it is not possible to know the significance of this distribution.  Does anyone have information about the relative number of addresses on each domain?

Table 1.  Email Domains by Percentage for 391 Cases

30% : @blueyonder.co.uk
50% : @ntlworld.com
13% : @virginmedia.net
  7% : @virgin.com

Table 2.  Number of Cases By Email Domain for 391 Cases.

120: @blueyonder.co.uk
194 : @ntlworld.com
  50 : @virginmedia.net
  27 : @virgin.com

Symptoms of the Spoofing

People with affected accounts frequently discover the problem when friends tell them that they have received an odd spam message containing a link, apparently sent by them, and when their mailbox becomes clogged with a large number of messages about emails which could not be delivered.  Tables 3 and 4 below show how many people report each symptom.

Table 3.  Symptoms by Percentage of Accounts as Reported in 116 Cases.

66%:  Friends and colleagues tell you that they have received "odd" messages from you.
95%:  Large number of emails returned to you about messages which cannot be delivered, for emails you did not send.

Table 4.  Symptoms by Number of Accounts as Reported in 116 Cases.

  77:  Friends and colleagues tell you that they have received "odd" messages from you.
110:  Large number of emails returned to you about messages which cannot be delivered, for emails you did not send.

Age of Email Accounts

One of the consistent findings for these spoofing cases at Virgin Media is that the email accounts are not new.  Many of those affected by this spoofing problem have owned their email account for more than 15 years.  Table 5 below shows the age of affected Virgin Media email accounts.

Table 5.  Age of Email Accounts

  1:  Four-and-a-half years old
  4:  Five years old
  1:  Six years old
  7:  Seven years old
  4:  Eight years old
  5:  Nine years old
10:  Ten years old
19:  More than ten years old
 1:   Eleven years old
11:  Twelve years old
10:  Thirteen years old
  6:  Fourteen years old
36:  Fifteen years old
  11:  More than fifteen years old
12:  Sixteen years old
  1:  Seventeen years old
10:  Eighteen years old
 1:   Nineteen years old
18:  Twenty years old
 4:   More than twenty years old
 2:   Twenty-one years old
 0:   Twenty-two years old
 1:   Twenty-three years old
 1:   Twenty-four years old
 1:   More than twenty-five years old.

Actions Taken to Report Problem

The chronic nature of this problem, and the damage done to the victim's personal and professional relationships as the spoofing continues at irregular intervals, mean that many of those affected seek information from their email provider about the cause and solution.  Tables 6 and 7 below list the actions taken by a subset of affected Virgin Media account holders.

Table 6.  Actions Taken by 108 Virgin Media account holders as a percentage.

70% :   Called Virgin Media one or more times to report problem
38% :   Filled in the Virgin Media Net Report form
29% :   Wrote in to the Virgin Media Community forum 
  6% :   Made contact with the Chief Executive's Office at Virgin Media.

Table 7.  Actions Taken by 108 Virgin Media account holders by numbers.

75:  Called Virgin Media one or more times to report problem
33:  Filled in the Virgin Media Net Report form
32:  Wrote in to the Virgin Media Community forum 
 8:   Made contact with the Chief Executive's Office at Virgin Media.

How Long since Password Change

Many email account holders with this problem had not changed their email account password for years before the spoofing began, as shown in Tables 8 and 9 below.  Virgin Media has no password-expiration policy and allows a password length between six and ten characters.

Table 8.  Length of Time Since Email Password Changed Before Spoofing Began by Numbers for 223 Responses.

    3: Weeks
  60: Months
153: Years.

Table 9.  Length of Time since Email Password Change Before Spoofing Began as a Percentage for 223 Responses.

    1%: Weeks
  30%: Months
  69%: Years.

Email Addresses Found in Large Hacks

It is unfortunately common behaviour to reuse an email password on other websites.  During the past few years, there have been a number of large data breaches in which email addresses and website passwords were stolen.  The web page "have i been pwned" allows one to check an email address to see what information has been stolen.  Checking the affected Virgin Media email addresses gives the results in Tables 10 and 11 below.

Table 10.   Percentage of 172 Virgin Media Addresses Found in Hacks

41% :  Not known to have been stolen
24% :  Adobe
30% :  LinkedIn
  5% :  MoneyBooker
18% :  MySpace
  2% :  Neopets
  3% :  Tumblr

Table 11.  Number of 172 Virgin Media Addresses Found in Hacks

70 : Not known to have been stolen
41 : Adobe
51 : LinkedIn
 8 :  MoneyBooker
32 : MySpace
 3 :  Neopets
 6 :  Tumblr.

Month when Spoofing Began

The first reports of this epidemic of spoofed emails being sent to addresses stolen from Virgin Media accounts appear to date from August 2015, corresponding to the time when Virgin Media was in the process of moving email accounts from Google hosting to a Dovecot-based system with an Open-Xchange OX App Suite front-end.  However, there have been new cases each month, long after the mailbox moves completed, as shown in Table 12 below.

Table 12.  Number of Self-Reported Cases By Month of Onset of Spoofing

 1: August 2015
56: September 2015
32: October 2015
 3: November 2015
 9: December 2015
 2: January 2016
 6: February 2016
 4: March 2016
 6: April 2016
 9: May 2016
 5: June 2016
 3: July 2016
 2: August 2016
 2: September 2016
 0: October 2016.

Account Locked By Virgin Media

A significant number of Virgin Media account holders with this problem report that Virgin Media has changed their account password, locking them out of the account.  In many cases, this action is associated with a postal letter which arrives some days later or a text at the time.  The results in Tables 13 and 14 below are likely to underestimate the actual number of accounts which have been locked, since the account/s may have been locked later, after the survey had been completed.

Table 13.  Accounts Locked by Virgin Media by Percentage of 186 Cases.
48%:  Locked
48%:  Not Locked Yet
  3%:  Not Sure.

Table 14.  Accounts Locked by Virgin Media by Numbers.
41:  Yes
89:  No
  7:  Not sure
29:  Received one or more letters by post.
  5:  Received one or more texts.
15:  Received both letter/s and text/s.

Web Mail Use

As Tables 15 and 16 below show, a large portion of Virgin Media users with this spoofing problem do not use web mail.  As a result, we can rule out a web-mail vulnerability as the method by which accounts have been accessed.  The distribution of browser use is in line with current expected popularity of browsers, with Chrome and Firefox being more popular than Internet Explorer and Safari.

Table 15.  Use of web mail and browsers as a percentage of 174 responses.

36%:   Not using web mail
30%:   Use web mail with Chrome
21%:   Use web mail with Firefox
10%:   Use web mail with Internet Explorer or Microsoft Edge
  6%:   Use web mail with Safari
0.6%:  Use web mail with Pale Moon.

Table 16.  Use of web mail and browser by numbers.

62:  Not using web mail
56:  Use web mail with Chrome
41:  Use web mail with Firefox
17:  Use web mail with Internet Explorer or Microsoft Edge
11:  Use web mail with Safari
  1:  Use web mail with Pale Moon.

AntiVirus Searches

Many people with this problem have searched using a wide variety of antivirus and malware programs to see if they could find a problem.  Table 17 below lists some of the programs used by survey respondents.  So far, after more than a year, no virus or malware has been found to be the cause of this problem.

Table 17.  Antivirus and malware programs used to search for infection on computers and mobile devices.

2:  None
1:  Not certain of program name/s.
6: Avast
6: AVG AntiVirus
2: F-Secure
3: Kaspersky
13: Malwarebytes
3: Norton
1: Panda Security
4: Spybot S&D
2: Symantec EndPoint Protection
1: 360 Total Security.


Found the Facebook Group

Respondents to the survey found the Facebook group with a variety of methods.

Table 18.  Methods used to find the Facebook group for 19 responses.

10: Google search.
 4:  Link from another web site.
 5:  Someone on the Virgin Media Community forum told me about it.





