PDA

View Full Version : Is CRPA selling its email list to spammers?


ke6guj
05-10-2009, 11:38 PM
I received an SPAM email from buydraciaproducts.com today sent to an email address I created specifically for CRPA. Actually the email address got the beginning of it cut off, and it ended up in my catch-all address, but the CRPA portion was still there.

It had all my contact info included for an order I supposedly placed. Funny that it listed a munged version of my CRPA address that I haven't typed since I joined a couple months ago.

NotSoFast
05-11-2009, 7:22 AM
Call CRPA and report it. Let them know what happened and that you are dissatisfied.

Mezcalfud
05-12-2009, 6:24 PM
could also be your email host. yahoo somehow knows what I buy on amazon? adelphia and now time warner spam(ed) too.
oh and somehow my misspelled name that my cc company can never fix, is on spam also and they do not haave my email address? how?

ke6guj
05-12-2009, 10:02 PM
oh, it gets better. I got a call from my CC's fraud dept today and it appears someone went on a shopping spree with my CC, including trying to get airline tickets to Swizerland. One CC charge was to the website I mentioned above.

It appears that either CRPA or their CC merchant got compromised and my CC info, email address, and contact info was snagged, or my computer was compromised on my end. I doubt it was my computer. I routinely scan for spyware, and just did scans with HiJack this, ad-aware, and malwarebytes. No issues on my end.

Californio
05-13-2009, 10:27 AM
I got a new credit card out of the blue a month ago, issuer claimed one of the transaction companies got hacked and they were canceling all cards and issuing new ones. There was a big hack of the transaction system.

rweller
05-17-2009, 6:18 AM
I received an SPAM email from buydraciaproducts.com today sent to an email address I created specifically for CRPA. Actually the email address got the beginning of it cut off, and it ended up in my catch-all address, but the CRPA portion was still there.

It had all my contact info included for an order I supposedly placed. Funny that it listed a munged version of my CRPA address that I haven't typed since I joined a couple months ago.

CRPA does not sell information to spammers. Our membership info is highly classified, not unlike NRA and is never made public, sold, sent to anyone, including NRA for any reason.

Secondly, our site is beyond secure. I've been around a lot of company level systems, but CRPA's network security is frankly so complex and secure, it's ridiculous. It is very tightly controlled. The website provider is very secure as well.

I suspect the problem might be your email provider, or a harvester that picked up your email automatically. It happens all the time. There is no such thing as a hidden email, unless you use a third party service to make your email anonymous, which is popular in Europe and becoming more popular in the U.S.

Ralph
CRPA Board Member

rweller
05-17-2009, 6:56 AM
oh, it gets better. I got a call from my CC's fraud dept today and it appears someone went on a shopping spree with my CC, including trying to get airline tickets to Swizerland. One CC charge was to the website I mentioned above.

It appears that either CRPA or their CC merchant got compromised and my CC info, email address, and contact info was snagged, or my computer was compromised on my end. I doubt it was my computer. I routinely scan for spyware, and just did scans with HiJack this, ad-aware, and malwarebytes. No issues on my end.

A little more on this. I've operated a commercial site for a number of years now and have some experience in CC processing online.

Credit card companies are very concerned about CC fraud for obvious reasons, but they acknowledge through various studies over the past few years that CC fraud is far more likely to occur as a result of an over-the-counter transaction in a restaurant than online. What ends up happening, once they have the number, they use it online, hence the idea that it must have been stolen online, which is almost always not the case. It got lifted when you handed it to a waiter or waitress, or handed it to store clerk and it was very quickly electronically hi-jacked. It's an industry and it's not uncommon for more than one person in a brick and mortar business being involved in the scam. Within 24 hours the card number is out and distributed to another location in the country, or even overseas. It's a big business. Credit card companies acknowledge that online transactions are very secure. Online sites are required to maintain certain security measures or lose their ability to process CC transactions online.

I can't speak for all commercial sites, but I do know the CRPA's URL and shopping cart service well enough to know that their site is very very secure.

As for the other comment made by someone else, yes a card processor back east had its system compromised, which is a prime target for hackers. But, that affects everyone, including brick and mortar stores that use their service to process cards. As I understand it, they weren't intercepting transactions, but hacked into their main system and pulled data out, which can be a result of everything from lousy security, which is unlikely, or an inside job, which I believe as being more likely. These things don't generally happen with one person wearing pajamas in his bedroom hacking into a secure system. There's always more to the story.

I really wish restaurants would employ secure 'at-the-table' transactions instead of handing my card to someone. I really don't like the idea of my CC walking away for several minutes. It can easily be scanned and I'm screwed. This is the number one reason for card number thefts and it's a growing problem.

If CRPA's system was compromised, we would have heard by now of a problem, either through the credit card system or other members. We've heard nothing, so I have to assume your card was compromised somewhere else. I know that doesn't help your situation. I've been there and it is a pain in the you know what to fix. But, if you persist, you might get the answer you need from your CC card company as to how it was compromised, if they know. Sometimes they won't talk about it and they know what the problem is. They don't like the bad press so they make consumers believe it was a random hi-jacking when in fact they had a major compromise in their system or the system of a major CC processor.

I've had my checking account compromised as well, which is even a bigger pain to deal with. Trying to close down a checking account with checks outstanding creates bounced checks all over the place, and you can well imagine how that goes over with various companies you paid with a check.

Ralph

ke6guj
05-17-2009, 12:23 PM
Credit card companies are very concerned about CC fraud for obvious reasons, but they acknowledge through various studies over the past few years that CC fraud is far more likely to occur as a result of an over-the-counter transaction in a restaurant than online. What ends up happening, once they have the number, they use it online, hence the idea that it must have been stolen online, which is almost always not the case. It got lifted when you handed it to a waiter or waitress, or handed it to store clerk and it was very quickly electronically hi-jacked. It's an industry and it's not uncommon for more than one person in a brick and mortar business being involved in the scam. Within 24 hours the card number is out and distributed to another location in the country, or even overseas. It's a big business. Credit card companies acknowledge that online transactions are very secure. Online sites are required to maintain certain security measures or lose their ability to process CC transactions online.

I can't speak for all commercial sites, but I do know the CRPA's URL and shopping cart service well enough to know that their site is very very secure.

Ralph

I would agree with you on the bolded part except that one of the on-line orders was placed with a munged up version of my CRPA address, and there is no way that someone could randomly match up my email address, name and billing address, and CC number from an over-the-counter swipe and place an on-line order. All that info had to be captured at the same time. So, it either had to be comprimised on my computer (possible, but no trace of any spyware, spamware, or viruses can be found), or somewhere on CRPA's end. If nobody else reports any problems with their email/credit cards after a CPRA transaction, then I'd assume that somehow it happened on my end.

rweller
05-17-2009, 3:12 PM
I would agree with you on the bolded part except that one of the on-line orders was placed with a munged up version of my CRPA address, and there is no way that someone could randomly match up my email address, name and billing address, and CC number from an over-the-counter swipe and place an on-line order. All that info had to be captured at the same time. So, it either had to be comprimised on my computer (possible, but no trace of any spyware, spamware, or viruses can be found), or somewhere on CRPA's end. If nobody else reports any problems with their email/credit cards after a CPRA transaction, then I'd assume that somehow it happened on my end.

Jack,

I can't say about your email address hi-jack, but as I recall from your original posts, those were two separate events, though they could be linked.

As for your billing address, who needs it? You don't need a billing address to place an order online. If the system is set up to reject a non-match addresses then the order will not go through, but if the online vendor allows non-matched addresses, it will go through online. They also don't need your name either. Any name will do. There is no name match done when credit cards are processed online.

In essence, some online vendors only require a CC number and expiration date. If they have those two pieces, a lot of places will accept an order.

RW

ke6guj
05-17-2009, 3:34 PM
ok, I'll try to completely lay out the time line.

On Sunday 5/10, I received an email from buydracaiproducts showing I placed an order with them. It had my name and billing/shipping address correct. The email addess used for that order was 6guj.crpa@xxxxxxxxxxxxx.com, while the email address I used for my CRPA membership was ke6guj.crpa@xxxxxxxxxxxxx.com. Notice the similarities in the email addresses that I doubt someone could make up

I then posted this thread in an attempt to see if anyone else had issues with spam from a crpa-used email address. I did not know about any CC fraud at that point.

Then on Monday, I got a call from the CC inquiring about possible fraud on my CC. They read me off the charges, which included $1 charges to itunes and paypal (to test the card), airline tickets, and a charge to buydracaiproducts. That is when I figured out that the "spam" from buydracai that had my crpa address and the CC fraud was related.

It has to be related to my purchase of a CRPA membership. There is no way someone could randomly use that email address along with my address and CC info. Somewhere along the line of that transaction, someone had to be snooping, possibly in my computer, or somewhere on your end, to be able to put all that info together.

If you don't think the problem was on your end, no problem, my CC comany is taking care of the fraud, so it won't directly harm me anymore than the hassle.

rweller
05-18-2009, 7:30 PM
ok, I'll try to completely lay out the time line.

On Sunday 5/10, I received an email from buydracaiproducts showing I placed an order with them. It had my name and billing/shipping address correct. The email addess used for that order was 6guj.crpa@xxxxxxxxxxxxx.com, while the email address I used for my CRPA membership was ke6guj.crpa@xxxxxxxxxxxxx.com. Notice the similarities in the email addresses that I doubt someone could make up

I then posted this thread in an attempt to see if anyone else had issues with spam from a crpa-used email address. I did not know about any CC fraud at that point.

Then on Monday, I got a call from the CC inquiring about possible fraud on my CC. They read me off the charges, which included $1 charges to itunes and paypal (to test the card), airline tickets, and a charge to buydracaiproducts. That is when I figured out that the "spam" from buydracai that had my crpa address and the CC fraud was related.

It has to be related to my purchase of a CRPA membership. There is no way someone could randomly use that email address along with my address and CC info. Somewhere along the line of that transaction, someone had to be snooping, possibly in my computer, or somewhere on your end, to be able to put all that info together.

If you don't think the problem was on your end, no problem, my CC comany is taking care of the fraud, so it won't directly harm me anymore than the hassle.

Jack,

I understand your concern. I will check, but I just don't know how it could have happened at CRPA's end. The system they use for online orders is housed, URL and all, at a commercial site that I have looked into for their security. It really looks like someone intercepted the information somewhere.

I'll look into it on our end and see if I can see anything that might be a problem.

Ralph

Ground Loop
05-18-2009, 10:20 PM
Like KE6GUJ, I use a different email address for *every* contact. Easy when you run your own domains. :)

I have busted so many web stores and agencies, it's not funny.

For a while, Ameritrade (a stock broker!) was 'leaking' my email address. They denied it vehemently, of course. And again, and again.. after the fourth time, finally using a random jumble of letters for my private email address and getting spam on it, I refused to accept that it was a coincidence. Months later, they admitted they had a rogue employee selling lists..

I run my own mail server, so unless there's a man-in-the-middle or their end is compromised, I don't see a lot of reasonable explanations.

obeygiant
05-22-2009, 9:22 PM
Jack,

I understand your concern. I will check, but I just don't know how it could have happened at CRPA's end. The system they use for online orders is housed, URL and all, at a commercial site that I have looked into for their security. It really looks like someone intercepted the information somewhere.

I'll look into it on our end and see if I can see anything that might be a problem.

Ralph

If your credit card processor happens to go through Heartland Payment Systems, then that is most likely the culprit.
Information Week Article (http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=212901505&subSection=News)
Original Press Release (http://www.2008breach.com/Information20090120.asp)
Heartland's response (http://www.2008breach.com/)

chrisdesoup
08-05-2009, 9:26 AM
This is odd!

I sign up with my C/C and the same day the $22 charge for the CRPA posts, 6 other visa charges post (not my charges) 5 for xboxlive and 1 from a gas station in North Dakota... CRPA is only the 3rd charge I have made with this visa after 1 charge with paypal (last week) and a 6 pack and tortilla chips at safeway (last month).

The fraudulent charges all posted 8/4 along with the CRPA

My bank was great about cxl'ing the cards and giving me my money back (it is a visa debit) but somebody somewhere has a leak... might be time to go back to writing checks and sending things snail mail or just paying with cash.

sorensen440
08-05-2009, 9:30 AM
I have not yet gotten any unsolicited emails from the account I used to sign up for the crpa

n2k
08-05-2009, 9:30 AM
You weren't the only one......

Beelzy
08-05-2009, 10:59 AM
CRPA does not sell information to spammers.
Ralph
CRPA Board Member


No, but I'll bet a pile of cash that they sell the info to CONSTITUENTS. ;)

b.faust
08-05-2009, 9:52 PM
My bank called a few weeks ago and said my card was having some screwy activity and locked it down.

It was right after the CRPA donation as well. I wasn't sure if it was CRPA's end, but sounds like it was.

I had two purchases for $4 and $5 before the bank called BS on it and shut it down.

The weird part, I have two (unopened) packages here, one is something called "Acaiburn" and the other package is from china, but also sounds like pills or the like when I shake it.

So...sounds like CRPA is compromised eh?

Edit:
It was on the 25th of last month my bank called, and I sent hoffmang a quick message about it:

Hi Gene,

I don't want this to come off as alarmist or accusatory, I just wanted to let you know what happened.

I got a call this morning from my bank (bofa) and they had flagged my credit card for some fraudulent charges. Not to much got through, roughly around $11. They were probably testing to see if it worked.

Anyway, I bring this to your attention, because the last charge on the card from earlier this month was a 3 year membership in CRPA.
I just wanted to let you know in case you have a problem on your end. For all I know it could be a far older card, or other information stolen elsewhere, but just in case there is an issue on your end I just wanted to give a heads up (in private so as not to start rumors on the board.)

Again, this may not have anything to do with the CRPA website, but I just wanted to bring it to your attention just in case.

bomb_on_bus
08-06-2009, 12:08 PM
My bank called a few weeks ago and said my card was having some screwy activity and locked it down.

It was right after the CRPA donation as well. I wasn't sure if it was CRPA's end, but sounds like it was.

I had two purchases for $4 and $5 before the bank called BS on it and shut it down.

The weird part, I have two (unopened) packages here, one is something called "Acaiburn" and the other package is from china, but also sounds like pills or the like when I shake it.

So...sounds like CRPA is compromised eh?

Edit:
It was on the 25th of last month my bank called, and I sent hoffmang a quick message about it:

the acaiburn is a weight loss substitute! looks like a thief is trying to loose weight on your behalf.

DiscoBayJoe
08-06-2009, 12:20 PM
Wow, sheer laziness was the only thing that prevented me from joining the CRPA a few weeks ago (I printed out the petitions but didn't have my credit card handy when filling out the online app and didn't want to go downstairs for my wallet!).

This happened to me a couple of years ago with an online purchase. It turns out the database the retailer was using had been compromised and someone was reading the full information from every purchase (Name/email/address/card/3-digit code/everything). Luckily they only got $75. There was a $50 'deductible' and I had to send my claim in notarized ($10) so at that point I figured my time was worth more than the $15 I’d get back net.

Good Catch on the email. with the scenario you listed above, specifically with the .cpra@ there is absolutely no doubt this transaction was where your compromise occurred. It could have come from your machine with a keylogger or from the website. Based on the feedback from multiple occurrences, it would be statistically accurate to conclude the website is the compromised asset.

You are going to have to cancel that card. It's a little bit of a PITA if you have any recurring items on it (you'll have to update each of those vendors), but its well worth getting that number inactive.
Good Luck!

stormy_clothing
08-06-2009, 2:20 PM
I think you guys all missed the references to the card processors being the source, heartland systems had a breach earlier this year that compromised over 100 million transactions and could have left the door open for more attacks easily.

For those of you who missed it the Black Hat conference was last week and discussed this and numerous other encryption and data loss issues.

To the OP I think it would have been in the public interest to ask a question rather than state what you thought was fact.

The reality is there is a world full of people who operate on a gain and loss society where someone has to lose for someone to win in the case of online security this is no different so be aware.

Mstrty
08-06-2009, 10:21 PM
They better not be selling my info. I was told that would never happen.