Maze Ransomware Operators Leaked 2GB of Financial Data from Bank of Costa Rica (BCR) – Disposable mail news

The Bank of Costa Rica (BCR) has been receiving threats from the threat actors behind the Maze ransomware, who have stolen credit card details from the bank. The ransomware gang started publishing the encrypted financial details this week.

The Banco de Costa Rica is one of the strongest state-owned commercial banks operating in Costa Rica. Starting from humble origins as mainly a private commercial bank, it expanded to become a currency issuer and one of the most renowned banking firms in Central America, contributing largely to the financial development of the nation.

The hacker group behind the data leak has demanded a ransom from Banco de Costa Rica on various occasions. However, to their dismay, they observed a lack of seriousness in the way the bank dealt with the previous leaks, and this served as a primary reason for the latest data leak, according to an interview with the Maze ransomware operators.

According to the attackers’ claims, Banco de Costa Rica’s network remained insecure until February 2020. They first compromised the bank’s network in August 2019, and made a second attempt in February 2020 to see whether the security had been improved, if at all.

The 2GB of data published by the Maze ransomware attackers on their leak site contains the details of at least 50 Mastercard and Visa credit or debit cards, a few being listed more than once.

Brett Callow, a threat analyst with Emsisoft, told ISMG: “Like other groups, Maze now weaponizes the data it steals.”

“The information is no longer simply published online; it’s used to harm companies’ reputations and attack their business partners and customers.”

“The Maze group is a for-profit criminal enterprise who are out to make a buck,” Callow says. “The credit card information has been posted for one of two reasons: Either to pressure BCR into paying and/or to demonstrate the consequences of non-compliance to their future victims,” Callow added.


Temp Mails (https://tempemail.co/) is a new free temporary email address service. This service provides you with random 10-minute email addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Crooks threaten to leak customer data stolen from e‑commerce sites – 10 minute mail

A hack-and-extort campaign takes aim at poorly secured databases replete with customer information that can be exploited for further attacks

A number of e-commerce websites from multiple continents have had their customer databases stolen as an unknown seller is offering at least 1.62 million rows of personal records for sale on a public website. The online stores – based in Germany, the United States, Brazil, Italy, India, Spain, and Belarus – have also received ransom notes, with the cybercriminals threatening to release the data if the retailers don’t pay up within 10 days.

According to BleepingComputer – which broke the story and listed some of the hacked merchants – the loot may actually be far larger than what has been put up for sale. The siphoned information varies depending on the ransacked retailer and includes email addresses, hashed passwords, postal addresses, gender and dates of birth.

Cybercriminals can use this Personally Identifiable Information (PII) for all manner of nefarious activities, including identity theft or targeted phishing attacks. The least you as a customer can do is to change your password on the site(s) and keep an eye out for suspicious emails.

It remains unclear who the thieves are, but apparently they targeted unsecured or ill-secured servers that can be found on the public web. They copied the stores’ SQL databases and now demand a ransom of 0.06 bitcoin (some US$537 at today’s rate) within 10 days on pain of publishing or using the data as they see fit.

The attackers also offer unspecified proof, which one might assume is a sample of the data. Some of the shops may have taken them up on their word, since the hackers’ BTC wallets have recently recorded transactions amounting to 5.8 bitcoin (approximately US$52,000).

Speaking of which, paying the ransom to a cybercriminal may prove to be a leap of faith, since you have no way of knowing if they won’t sell your data onwards even if they return it. Ransomware victims may face a similar conundrum, as discussed in this article.

BleepingComputer estimates that around 31 stolen databases have been put up for sale. Based on the number of abuse reports filed against the hackers’ bitcoin addresses, the site believes it to be just a fraction of the overall number. The most recent database is from March and each listing contains a sample of the data, so that potential buyers can check the wares.

Given the wealth of personal data that they may store on their customers, e-commerce sites pose a juicy target for bad actors. Hack-and-extort campaigns, meanwhile, are by no means a novel approach and high-profile incidents have affected, for example, well-known names in the entertainment industry, including HBO in 2017. Just days ago, an entertainment law firm also fell victim to a similar attack.



Amer Owaida



Russian experts assessed the level of protection of corporate data from hacker attacks – Disposable mail news

Even a low-skilled hacker can break into the internal networks of global companies, and an experienced attacker will need no more than half an hour to penetrate the local network. These are the conclusions of research by experts from Positive Technologies.

“It took an average of four days to penetrate the local network, and at least 30 minutes. In most cases, the complexity of the attack was estimated as low, that is, a low-skilled hacker who possesses only basic skills could also carry it out,” the experts said.

Positive Technologies experts analyzed 2019 data from penetration tests (pentests) on how well the corporate information systems of 28 companies were protected against external intruders. In the external pentests, specialists managed to penetrate the local networks of 93% of organizations. In some cases, there were several ways to overcome network protection.

According to the experts, every sixth company showed signs of hacker attacks, malicious links on official sites, or valid accounts in public leak databases. Based on this, the researchers concluded that these companies’ IT infrastructure could be controlled by hackers.

To protect themselves, the specialists advise companies first of all to follow the general principles of information security: regularly check which of their information resources are available for external connection, develop strict rules for the corporate password policy, and monitor their implementation. In addition, they recommend regularly updating the security settings of operating systems and installing the latest versions of software products.

Recall that, according to Kaspersky Lab, the number of attacks in April on the infrastructure of Russian organizations whose employees work remotely exceeded 18 million, which is five times more than in February. Positive Technologies found that up to 48% of the passwords of employees of organizations are made up of a combination of a word indicating the time of year or the month and four digits indicating the year.
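A password-policy check for the pattern Positive Technologies describes, as an added example that is not taken from the report: it rejects candidates built from a season or month name plus a four-digit year, including case, separator and character-substitution variants. The English word list, the substitution table and the sample passwords are assumptions made for illustration.

```python
"""Screen candidate passwords for the "season/month + four-digit year" pattern.

Added illustration; the English word list, substitution table and sample
passwords are assumptions, not data from the Positive Technologies report.
Run it when a password is set, while the plaintext is still available.
"""
import re

WORDS = {
    "spring", "summer", "autumn", "fall", "winter",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
}

# Look-alike substitutions undone before comparing with WORDS. "1" is
# ambiguous (i or l), so both readings are tried.
_BASE = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t",
         "@": "a", "$": "s", "!": "i"}
_TABLES = [str.maketrans({**_BASE, "1": "i"}),
           str.maketrans({**_BASE, "1": "l"})]

_SEPARATORS = " -_./"          # stripped from both ends of the word part
_TRAILING = "!?.*#-_ "         # decoration often appended after the year
_PATTERNS = [
    re.compile(r"(?P<word>.+?)(?:19|20)\d{2}"),   # word first: Summer2019
    re.compile(r"(?:19|20)\d{2}(?P<word>.+)"),    # year first: 2019Winter
]


def is_seasonal(password: str) -> bool:
    """True if the password is a season/month name joined to a 19xx/20xx year."""
    core = password.lower().rstrip(_TRAILING)
    for pattern in _PATTERNS:
        match = pattern.fullmatch(core)
        if not match:
            continue
        word = match.group("word").strip(_SEPARATORS)
        if any(word.translate(table) in WORDS for table in _TABLES):
            return True
    return False


def audit(candidates):
    """Return (flagged passwords, share of the list they make up)."""
    flagged = [p for p in candidates if is_seasonal(p)]
    share = len(flagged) / len(candidates) if candidates else 0.0
    return flagged, share


# Constructed sample, not real credentials.
SAMPLE_PASSWORDS = [
    "Summer2019", "s3ptember_2020!", "2019Winter", "Ju1y2018",
    "Maybe2019", "correct-horse-battery", "Tr0ub4dor&3", "May2020",
]

if __name__ == "__main__":
    hits, fraction = audit(SAMPLE_PASSWORDS)
    print(f"{len(hits)} of {len(SAMPLE_PASSWORDS)} rejected ({fraction:.0%}): {hits}")
```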



How encryption can help protect your sensitive data – 10 minute mail

Here’s how encryption can help keep your data safe from prying eyes – even if your device is stolen or your cloud account is hacked

You probably store all kinds of sensitive information on your personal computer – or your smartphone, for that matter. For good measure, you may even store your data in the cloud. And like the responsible netizen that you are, you’ve probably secured access to your devices with a passphrase, a biometric lock or even a combination of both. That’s all well and good, but what if you lose your device or it is stolen? That’s where encryption comes in, adding an extra safeguard.

To be sure, encryption isn’t just limited to storing your data; you can also encrypt your communications and your web traffic, as well as your passwords. All of these can be considered best practices to secure your private data, and we’ll walk you through some of the choices you have.

Disk encryption

Most computers still have removable hard disks that aren’t soldered onto the motherboard; alternatively, as extra storage, people use external disks. That’s why having full-disk encryption is a great extra security layer; if you misplace your disk or it is stolen, then no one can access any of the information on it. The disk is fully encrypted, including all your data, your software and the operating system you’re running. Unless you can enter the key at boot-up, your whole computer essentially becomes quite an expensive paperweight. There are several commercial options with advanced features, open source projects and built-in options in most major operating systems.

When it comes to smartphones and tablets, the equivalent functionality to look for is device encryption, which is built into, and commonly enabled by default, on contemporary devices. There are many easily found online guides that explain checking for and, if necessary, enabling device encryption for Android or iOS devices.

Cloud encryption

Most of us use cloud storage for its ease of access – you can do it from anywhere at any time so long as you have an internet connection. Unfortunately, that accessibility introduces its own set of challenges. Over the years, cloud storage services have experienced security breaches, either due to human error or targeted attack by ne’er-do-wells. Therefore, encrypting your files before uploading them to the cloud should be a no-brainer.

Even if there is a breach or the cloud provider’s system is compromised, the data bad actors may obtain will be useless to them without the decryption key. You can choose from a variety of products based on your needs and the offered encryption features. Look at those that offer AES encryption at the very least. There are a number of free and commercial options, all with various limitations and a range of price options among the paid-for products and services.

Encrypt your web traffic

One of the easiest ways to start is by setting up a Virtual Private Network (VPN), which works as an encrypted tunnel for internet traffic. Let’s say you’re working from a coffee shop and you are going to share some sensitive data with a client: a VPN will allow you to share that data over an encrypted network without anyone intercepting it. Another example is that you can securely access data stored on your home network even if you are physically on the other side of the globe. There are multiple types of VPNs to choose from and, if you’re not sure which one will suit your needs the best, you can check out our article on types of VPNs.


Another way to protect your privacy involves using an anonymity network, such as Tor. The Tor network directs your traffic through a volunteer overlay network of relays and wraps it in multiple layers of encryption. The idea is, of course, to protect your identity and your browsing habits from anyone snooping around.

Another thing you should also always watch out for is that the website you’re accessing uses the HTTPS protocol. The S stands for secure and means that all the communication taking place between the visitor (you) and the webserver is encrypted. Most of the world’s top websites now use HTTPS by default.

Encrypt your messages

When it comes to messaging apps, you have a variety to choose from and while the most popular do offer end-to-end encryption, not all of them have it turned on by default. For example, to turn on end-to-end encryption in Facebook Messenger you have to start a secret conversation by clicking on the profile picture of the user and choosing “Go to secret conversation”; only after that do your messages with that specific recipient become encrypted. WhatsApp, for one, has the option turned on by default; so does Telegram, but it also provides an extra layer of security with its Secret Chat feature, which allows you to set self-destruct on the messages and files you send.

Signal remains one of the options most highly rated by cryptographers, because its open-source code allows extensive examination and easy auditing by specialists in the field. You can also encrypt your email communications: the sender needs your public key to encrypt a message so that only you can decrypt and read it using your private key, and you need their public key to encrypt messages that only they can decrypt. Again, there are several options, with the most common being PGP or GPG, and S/MIME. There are several plug-ins for, or built-in options in, popular email apps. For example, Microsoft provides a handy guide on how to enable S/MIME in its Outlook email client.

Also worth considering is using a secure email platform, such as ProtonMail and others, that provides end-to-end email encryption. Some are “closed shop” in that you can only send encrypted emails to others using the service and “ordinary” emails to those with other providers, while some provide mechanisms to exchange encrypted messages regardless of the mail service of your interlocutors.

Encrypt your passwords

Password managers are a popular choice for people who don’t want to (or can’t) memorize all their passwords while refraining from recycling them. A password manager functions as a vault that stores all of your passwords: it is secured like a bank vault is, but in this case, it uses fiendish mathematics instead of steel-reinforced concrete.

Most of the cloud-based services keep a copy of your vault on their servers protected with heavy-duty encryption, and, for an extra layer of security, allow their users to use multi-factor authentication (MFA). It is a much more secure way to store your passwords than on sticky notes or docs in your computer or even using a one-password-fits-all solution.

Final thoughts

At first glance you may think that the number of things you can do to secure your digital existence is a bit overwhelming, but you should never underestimate the value of good cybersecurity measures. As the old saying goes, an ounce of prevention is worth a pound of cure, and in the digital world that goes double. A responsible approach to securing your data today can save you from a huge migraine in the future.



Amer Owaida



Wishbone Breach: Hacker Leaks Personal Data of 40 Million Users – Disposable mail news

The personal data of 40 million users registered on Wishbone has been published online by hackers. It includes user details such as usernames, contact numbers, email addresses, Facebook and Twitter access tokens, dates of birth, location, gender, and MD5-hashed passwords. Researchers have confirmed the authenticity of the data, which was found to be accurate and to belong to users of the app. Attackers could use it to carry out various malicious activities such as phishing campaigns, identity theft, credential stuffing attacks, and account takeovers.

Wishbone is a mobile survey app that gives users a social platform to compare social content. The app hasn’t disclosed its total user count in recent times. Wishbone has been listed as one of the top 50 most popular social networking apps in the iOS App Store for years now, making it to the top 10 in its prime.

This breach is the second-largest security incident in the last three years for the app. Earlier, in 2017, hackers breached around 2.2 million email addresses and 287,000 phone numbers; that data mainly contained kids’ personal details. The recent breach, however, mainly consists of numbers belonging to young women.

According to reports, the database had been circulating secretly since March and had been put up for sale on dark web forums for thousands of dollars. Later, ‘ShinyHunters’, a dark web trader who allegedly leaked the data, stated that they would publish the data for free after individuals began reselling it.

Commenting on the matter, Mark Bower, senior vice president of data security specialists comforte AG, said: “It looks like security and privacy have been an afterthought, not a matter of culture and software development process. If the passwords are hashed with MD5, then the users affected should be immediately making sure their ID’s and passwords aren’t used elsewhere with the same password. MD5 is a goner as far as security is concerned but used by mistaken developers unfamiliar with its security risks or using older code libraries using MD5. Hashed MD5 passwords aren’t difficult to brute force. The bigger issue here is the personal data though – so now attackers have a bunch more data for social engineering.”

Security experts have recommended that Wishbone users update or change their passwords and stay wary of any suspicious activity in their accounts.
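What moving a user table off unsalted MD5 looks like on the server side, as an added example that is not Wishbone’s code: legacy hashes are recognised by their format and replaced with a salted PBKDF2-HMAC-SHA256 record the first time the user logs in successfully. The record format, function names, iteration count and sample accounts are assumptions made for the example.

```python
"""Upgrade legacy unsalted MD5 password hashes on successful login.

Added illustration; the record format and the sample user table are
constructed, and the iteration count is an assumed work factor.
"""
import hashlib
import hmac
import os
import re

PBKDF2_ITERATIONS = 600_000                 # assumed; tune for your hardware
_LEGACY_MD5 = re.compile(r"[0-9a-f]{32}")   # bare hex digest, no salt


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def is_legacy(stored: str) -> bool:
    """True if the stored value is a bare 32-hex-digit MD5 digest."""
    return _LEGACY_MD5.fullmatch(stored) is not None


def verify(password: str, stored: str) -> bool:
    """Check a password against either record format in constant time."""
    if is_legacy(stored):
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, stored)
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:                       # malformed record
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


def login(users: dict, username: str, password: str,
          iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Verify a login; if the stored hash is legacy MD5, replace it."""
    stored = users.get(username)
    if stored is None or not verify(password, stored):
        return False
    if is_legacy(stored):
        users[username] = hash_password(password, iterations)
    return True


def legacy_accounts(users: dict) -> list:
    """Accounts still holding an MD5 hash (candidates for a forced reset)."""
    return sorted(name for name, stored in users.items() if is_legacy(stored))


if __name__ == "__main__":
    # Constructed sample table: both accounts start with unsalted MD5.
    table = {
        "alice": hashlib.md5(b"correct horse").hexdigest(),
        "bob": hashlib.md5(b"hunter2").hexdigest(),
    }
    print("before:", legacy_accounts(table))
    login(table, "alice", "correct horse")
    print("after :", legacy_accounts(table))
```

Rehashing protects the stored table going forward; passwords whose MD5 hashes have already leaked still need to be reset.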



FBI Serves Apple Warrant to Gain US Senator’s iCloud Data

Apple has been served a warrant by the FBI to obtain information on the iCloud account of U.S. Senator Richard Burr, the chairman of the Senate Intelligence Committee, who is being investigated for controversial stock trades linked to the coronavirus pandemic.

According to the Los Angeles Times, FBI agents served Apple the warrant “in recent days” to gain access to the iCloud data. The information gathered from the warrant’s execution was then used as evidence to serve another warrant to obtain the Republican senator’s iPhone from his home.

Federal agents seized a cellphone belonging to a prominent Republican senator on Wednesday night as part of the Justice Department’s investigation into controversial stock trades he made as the novel coronavirus first struck the U.S., a law enforcement official said. Sen. Richard Burr of North Carolina, the chairman of the Senate Intelligence Committee, turned over his phone to agents after they served a search warrant on the lawmaker at his residence in the Washington area, the official said, speaking on condition of anonymity to discuss a law enforcement action.

According to the report, the Senator is being investigated for selling a significant percentage of his stock portfolio in 33 different transactions on February 13, just as his committee was receiving daily COVID-19 briefings and a week before the stock market sharply declined.

The value of the trades is believed to be between $628,000 and $1.72 million. Much of that was said to have been invested in businesses that in subsequent weeks were hit hard by the plunging market, the implication being that the trades were made on the basis of information Burr received about the pandemic in the daily briefings.

Apple can decrypt an iCloud backup and provide the information to authorities when ordered to do so via a warrant, because the company views privacy and security issues differently between physical devices that can be lost and iCloud. With iCloud, it needs to be accessible by Apple so that it can restore the data for the user.

iCloud backups contain iMessages and texts, content purchase history, photos and videos, device settings, app data, voicemail password, and health data. Backups don’t include information that’s easily downloadable, such as emails from servers or apps, and while iCloud backup does encompass iCloud keychain, Wi-Fi passwords, and passwords for third-party services, that information is encrypted in a way that makes it inaccessible to Apple.

More than two years ago, Apple reportedly informed the FBI that it planned to roll out end-to-end encryption for iCloud backups, but ultimately dropped the plan at some point after the FBI objected, although it remains unclear if the federal agency was a factor in the decision.



Data of 9 million customers of the Russian courier service CDEK leaked – Disposable mail news

Data belonging to nine million customers of the CDEK Express transportation service was put up for sale on the Web for 70 thousand rubles ($950). This is the largest leak of personal data among Russian delivery services.

The Telegram channel In4security noticed that the database contains information about the delivery and location of goods as well as information about buyers, including Tax Identification Numbers. The seller of the database sent the author of the Telegram channel screenshots dated May 8, 2020, which indicates that the databases are fresh.

CDEK claims that there was no data leak from the company. As a representative of the service stressed, personal data is collected by many companies, including state aggregators, and the leak could have occurred on any of these resources.

Andrey Arsentiev, Head of Analytics and Special Projects at InfoWatch Group of Companies, said that this is the largest leak of personal data from Russian delivery services. He notes that this is not the first time CDEK users’ information has leaked: previously, customers of the delivery service complained that other people’s personal data was visible on the company’s website due to vulnerabilities.

Alex Drozd, Head of the Security Department at SearchInform, warned that leaks are always followed by calls from scammers, who introduce themselves to the victim as company employees and try to obtain billing information.

Fraudsters’ interest in courier service data may be linked to the increased demand for these services during the coronavirus pandemic and self-isolation. The company also noted that fraudulent sites acting on behalf of CDEK have recently been detected more often.

It should be noted that recent weeks have seen an increase in phishing sites: online cinemas, online stores, training courses, legal advice, government portals. Earlier, Disposable mail news reported that Russia had overtaken the USA in hosting phishing resources.



Utah Rejects Apple’s Exposure Notification API for Less Private Approach That Collects GPS Data

Utah in April released “Healthy Together,” a contact tracing app aimed at limiting the spread of the coronavirus by letting people know if they’ve come in contact with someone who is later diagnosed with the virus.


Utah’s Healthy Together app does not use Apple and Google’s Exposure Notification API, instead opting for a less private GPS and Bluetooth-based solution that’s currently available in a beta capacity. Healthy Together was created by social media startup Twenty, and it does not take advantage of the decentralized, anonymized approach that Apple and Google are implementing, according to a report from CNBC.

The aim of the Healthy Together app is to help the 1,200 Utah Department of Health workers who are doing in-person contact tracing through phone calls. Utah’s health department has access to the name, telephone number, and location data of people who test positive for COVID-19 and opt to share their data.

The app uses Bluetooth and GPS to determine when smartphone users come into contact with one another, and if someone tests positive, they can share their location history and contact history over the past 14 days with a contact tracer. Twenty believes that this can cut hour-long phone calls used for contact tracing down to 16 minutes. From Twenty chief strategy officer Jared Allgood:

“Jeff and Sarah are two individuals in this example who don’t know each other but they both have the app on their phones. And so the both phones are emitting Bluetooth and GPS signals. Through that data we can identify whether or not two people have spent some time together.”

“If Public Health is calling somebody who has the application on their phone, and they’ve granted permission to see this minimum set of data to do the contact tracing effort, now, instead of spending an hour, you know, interviewing Jeff and trying to fill in the gaps in his memory, they together can step through his list of location history.”

Apple and Google’s privacy-focused solution does not allow personal information to be provided to public health departments, and it does not involve location-based data collection, unlike Utah’s Healthy Together app. Twenty’s founders claim that the Healthy Together app is opt-in and users can choose to limit permissions like GPS or Bluetooth if they don’t want their location tracked, but it’s not clear how this impacts the effectiveness of the contact tracing design as implemented in Utah.


According to the Utah state website, Utah opted out of Google and Apple’s solution because Bluetooth alone “gives a less accurate picture” than Bluetooth and GPS location data.

The goal of Healthy Together is to allow public health officials to understand how the disease spreads through the vector of people and places, and both location and bluetooth data are needed to accomplish that.

Bluetooth helps us understand person-to-person transmission, while location/GPS data helps us understand transmission zones — having both of these important data points provides a more effective picture of how COVID-19 spreads. This data helps policy makers make the best possible decisions about how and where we begin to relax and modify restrictions as our community and economy begin to reactivate.

One of the benefits of the Apple/Google API is background Bluetooth tracking that does not require an app to implement battery draining features or require users to keep it open for smartphone to smartphone communication to be effective. Utah will not have the benefit of the API by opting for an outside solution, which could also impact the effectiveness of the app.

45,000 people have signed up for Utah’s contact tracing app, which is about two percent of the state’s population. Some estimates have indicated that to be effective, contact tracing apps need to be downloaded by 60 percent of a population.

Apple and Google have said that they’re aiming to release the Exposure Notification API in mid-May, so we could see it as early as this week after the release of iOS 13.5. Following the release of the update, the first apps that use the API will be able to be released.


Apple Store’s Temperature Checks May Violate EU Privacy Rules, Says German Data Protection Office

Apple has started reopening its retail stores worldwide, and is taking multiple measures to make sure customers and staff continue to stay safe during the global health crisis. One of these measures includes temperature checks for customers before they’re allowed to enter one of Apple’s stores using a non-contact forehead thermometer.


A data protection agency in the German state of Hesse is concerned that Apple’s temperature checks on customers violate European Union privacy rules and has launched a probe, according to Bloomberg Law.

The Hessian data protection agency is working with other German data protection authorities, according to a spokesperson for the Hessian Data Protection Commissioner. There are no results yet from the probe, which is aiming to determine if temperature checks infringe on data protection rules.

Apple began reopening its retail stores in Germany on May 11 with a focus on Genius Bar service and support. Apple is requiring temperature checks, and limiting the number of customers who can be in the store at once to ensure appropriate social distancing.

The 15 stores in Germany are also operating on reduced hours for the time being, with Apple implementing additional measures like ensuring employee/customer interactions take place across tables and adding a relay system to deliver products to prevent employees from moving about the store.


Professional data leakage: How did that security vendor get my personal data? – 10 minute mail

…and why are they selling it to other security vendors and product testers?

If you were hoping to find a sensational story outing one of our competitors, I am going to disappoint you right away. This is not that, but it is something, something that can happen to all of us!

Spam is something that everyone encounters.

Spammers are constantly looking for new ways to get their garbage to you, bypassing your spam filters.

So far, this is no different from any other cat-and-mouse game in cybersecurity. Although there are some extremely good antispam solutions available, even the best are bypassed from time to time, and will need to adapt their rule sets to guard against the latest spam techniques.

As with antimalware products, antispam products are included in comparative tests conducted by several independent and objective testers. Testing is a lucrative business for the testing organizations, and expensive for the security vendors being tested, so it should come as no surprise that these vendors want to achieve the best results.

That by itself creates a new marketing model: commercial vendors trying to sell feeds of spam samples to both testers and security vendors. One could argue that antispam vendors willing to buy the feeds (or freely consuming a feed if the supplier wants, for commercial or other reasons, to have its feed look important) will have an unfair advantage with those testing their products, but that is not the scope of this blogpost.

Recently ESET was confronted with a tester that started to consume a new commercial spam feed to complement its existing antispam test bed.

When I and other ESET researchers started to analyze that feed, we were astonished. Not only because the samples in the commercial spam feed were not classified (who decides what is ham or spam? Can you read all languages to determine that?), but also by the high noise ratio – there were many legitimate messages – that is, they were “ham”, not spam! On top of that, when analyzing those ham messages, we found many with personal (and personally identifiable) as well as confidential information: (personal) pictures, copies of driver licenses, credit card information, and so forth. How did these legitimate emails end up in a “spam” feed?

The key here is Parked Domains and Sinkholed Domains. At a basic level, the latter are domains typically under the control of anti-DDoS services, law enforcement or researchers so their operators can alleviate or monitor nefarious or malicious activity, usually by directing (some) network traffic for these domains into the bit bucket or to systems under their control. Parked Domains are domains that people register, usually for far-from-legitimate purposes, with domain names that give the user the idea that they are going to a supposedly legitimate site, e.g. my-bank-new-card[.]com. Alternatively, the domains look a lot like legitimate domains but are a typo away from them, e.g. oulook[.]com instead of outlook[.]com; these are often referred to as Typosquatted Domains. Sometimes, as in fraud cases, this is done so that, for example, phishing spam with apparently legitimate URLs can be sent; in other situations, it is done to collect emails/data from people who make a typo in an email address. Such scams are usually very short-lived, so the criminals behind them register these domains for just 12 months (the usual minimum) and do not renew their registration. Shortly after the registration lapses, anyone can (re)register such a domain name, install an email server for it, and start collecting all email sent to the domain, both spam and legitimate email messages intended for the correct, original domain.

The vendor of the aforementioned spam feed collects all emails sent to Parked and Sinkholed Domains and supplies the emails to security vendors and testers.

Of course, no one can prevent people from sending emails with private, confidential information to the wrong email address, such as one on a typosquatted domain, other than the senders themselves. To be honest, you cannot even really blame anyone for doing this, as they intended to send that information to the right address… and they probably thought it was sent correctly since they did not receive a bounce message!

However, the ethics of selling a spam feed that includes such messages “as spam” is dubious as those messages clearly are not all spam.

What is spam? A common definition is bulk, unsolicited email that is usually commercial in nature. Bulk – say no more, these messages are not sent in bulk. Almost all are certainly only ever sent once and to only one address (well, maybe two addresses – the original and the correct ones once/if the sender realizes the mistake). Yes, it’s unsolicited in a sense, but that alone does not make it spam, and arguably anyone setting up mail servers on such domains to collect all possible received email is only doing so because they are soliciting for exactly such email – that is, they want to receive these messages, so they are not really unwanted or unsolicited.

Besides the technical issue of these messages simply not being spam, this creates an ethical and moral issue. The owners of these parked domains have surely not obtained the consent of the original senders to use or sell their email messages – certainly not those with the private, confidential information – for this purpose. Insofar as these feeds include any such messages sent by EU residents, providing such a feed in the absence of key elements of data processing, “lawfulness, fairness and transparency”, seems likely to be a violation of GDPR. We are also curious about compliance with other principles relating to the processing of personal data, such as purpose and storage limitation, as well as whether the confidentiality of data is covered in the privacy and data retention policies of this feed vendor.

When a tester uses such a feed as a part of its test bed, the problem is exacerbated.

For validation purposes, bona fide testers supply “misses” to the producers of the software they test, in order to confirm the misses. At that moment, antispam developers will receive (and thus store) the missed “spam” samples. Without proper legal grounds, any activity other than deletion and notification to the tester and feed vendor might lead to a GDPR violation, regardless of the location of the storage or offices of the product developer.

Further, these “missed” samples may cause issues for a vendor’s antispam product. Machine learning (ML) algorithms are widely used in antispam products, and adding such legitimate messages to your “spam” set is likely to make any ML-based classifications of previously unseen email messages less accurate, thus putting customers of antispam products at greater risk. Storing this kind of data is actually not something we want. Upon making this discovery, ESET deleted from our spam database all samples sourced from this feed.

ESET, of course, contacted the tester, who quickly and correctly removed the feed from the then-current test, while investigating our findings. Later the tester informed us that the feed had been investigated, our findings confirmed, and that it had discarded this test-feed completely.

The provider of the commercial feed also has been contacted; at the time of publication no reply had been received.

All security advice aside, there is no remedy to prevent these kinds of data leakage other than common sense: verify the email address twice and then twice more before you send any sensitive data to it. Not just to be certain that you did not make a typo in it, but also to ensure that the email address is still in use by the organization to which you are sending the data. Tools such as 2FA, a password vault, and so on are all useless in this scenario because for all their ability to protect your identity, they cannot protect you from sending email to the wrong address.
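The "verify the address" step can be partly automated on the sending side. The sketch below is an added example, not code from the original article: it flags recipient domains that are a small edit distance from a domain the sender actually intends to use, such as oulook[.]com for outlook[.]com. The domain list, function names and distance threshold are assumptions chosen for illustration.

```python
# Constructed list of domains the sender really intends to mail (assumption).
KNOWN_DOMAINS = frozenset({"outlook.com", "gmail.com", "example-bank.com"})


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap
    (optimal string alignment), i.e. the usual single-typo operations."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "gmial" -> "gmail".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def check_recipient(address: str, known=KNOWN_DOMAINS, max_dist: int = 2):
    """Return (verdict, nearest_known_domain).

    'ok'        domain is exactly one of the known domains
    'lookalike' domain is within max_dist edits of a known domain
    'unknown'   domain is not close to anything on the list
    'invalid'   address has no usable local part or domain
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return ("invalid", None)
    domain = domain.lower().rstrip(".")
    if domain in known:
        return ("ok", domain)
    # Sort key includes the name so ties resolve deterministically.
    nearest = min(known, key=lambda k: (osa_distance(domain, k), k))
    if osa_distance(domain, nearest) <= max_dist:
        return ("lookalike", nearest)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample addresses.
    for addr in ("alice@outlook.com", "alice@oulook.com", "bob@gmial.com"):
        print(addr, check_recipient(addr))
```

A check like this only catches misspellings of domains already on the list; it cannot tell that a correctly spelled domain is no longer used by the intended organization.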



Righard Zwienenberg

