Beware attacks from possible no-spam list leak

Evidence has surfaced that an old copy of the “do not contact” (DNC) list administered by the Direct Marketing Association of South Africa (DMASA) has leaked and is in the hands of cyber-criminals.

The DNC list is a mechanism that was intended to let people opt-out of receiving any direct marketing material from DMASA members.

Prior to the first reports of the list leaking, the DMASA hosted a sign-up form on its website that requested information such as a user’s name, South African ID number, telephone numbers, and e-mail address.

Based on reports from within the industry, the list generated from these sign-ups had around 39,000 registrations and was passed around in a password protected file for marketers to check against their own databases.

When reports of the leak first surfaced (March-April 2011), the DMASA confirmed that the DNC list was around 39,000 strong, but held firm that there was no evidence that the list had leaked.

Asked about the leak, COO of the DMASA, Alastair Tempest explained that they took action immediately even though they found no “conclusive proof” that the list had leaked.

“We did, however, brief our lawyers to take immediate action to protect our IP had the leak been proved,” Tempest said.

Tempest added that marketers now submit their databases to a secure online system that removes anyone that has indicated they do not want to be contacted.

Members no longer receive the DNC database with which to manually “clean” their own lists.

Alastair Tempest

Phishing attack after DNC registration

The experience of one tech-savvy (and spam-averse) South African suggests that the DMASA’s previous list has not only leaked, but is in the possession of fraudsters trying to illegally gain access to South African bank accounts.

Jan Gutter used a specially created address on his domain to register on the DMASA’s previous DNC system in 2011, and at the start of October 2012 received an e-mail on that address containing a phishing attack.

The e-mail purported to be from a bank and contained the following text:

Dear Customer,

A debit order for life insurance from Liberty Life was placed on your account this morning and we have been instructed to deduct R1870 from your account today

If you don’t want to authorized this debit order, please click here to Login [link removed] and follow subsequent steps.

Regards,
Security Department

Gutter reported the issue to the DMASA, but said that one of their counter-arguments was that the address he used had a three letter username.

According to Gutter, he doesn’t receive spam on any other three letter e-mail addresses.

Further requests for comment on the issue yielded only silence from the DMASA.

Assume the worst

It is recommended that users that registered with the DMASA’s DNC list before they switched to the new system be on the lookout for malware and phishing attacks.

It’s worth noting that since reports of the leak, the DMASA has switched to a system where marketers submit their lists for cleaning rather than giving marketers the DNC database.

A competing opt-out service run by TrustFabric has used a similar method of pruning direct marketing lists since its inception.

Earlier this year (April 2012), a TrustFabric spokesperson said that the Consumer Protection Act gives South Africans the right to block direct marketing by adding their contact details to an opt-out list.

“An official National Opt-out list is yet to be appointed,” TrustFabric said.

It is understood that nothing much has changed in the last six months, with one industry insider commenting that the interim leadership at the National Consumer Commission is unlikely to make any decisions on the matter.

Related articles

Direct Marketing Association hits back

Spam opt-out lists: TrustFabric versus DMASA

DMASA website hosting malware?