Size of the Problem at Virgin Media
Number of self-reported cases: About 391
Number of self-reported cases for which email addresses specified: 167
Number of known Virgin Media email addresses with this problem not self-reported: 157
Number of known Virgin Media email addresses with this problem: 334
Total number of identified Virgin Media cases: About 540
Estimated number of Virgin Media cases: 6,500
Type of Email Address
Virgin Media provides email service under four different domains. Each has some cases of this spoofing. Tables 1 and 2 below show the distribution of cases by email domain as a percentage and number. Without knowing the number of email addresses in each domain, it is not possible to know the significance of this distribution. Does anyone have information about the relative number of addresses on each domain?
Table 1. Percentage of Cases by Email Domain.
31% : @blueyonder.co.uk
48% : @ntlworld.com
15% : @virginmedia.net
6% : @virgin.com
Table 2. Number of Cases By Email Domain.
105 : @blueyonder.co.uk
162 : @ntlworld.com
52 : @virginmedia.net
21 : @virgin.com
Age of Email Accounts
One of the consistent findings for these spoofing cases at Virgin Media is that the email accounts are not new. Many of those affected by this spoofing problem have owned their email account for more than 15 years. Table 3 below shows the age of affected Virgin Media email accounts.
Table 3. Age of Email Accounts
1: Four-and-a-half years old
4: Five years old
1: Six years old
7: Seven years old
4: Eight years old
5: Nine years old
10: Ten years old
12: More than ten years old
1: Eleven years old
11: Twelve years old
10: Thirteen years old
6: Fourteen years old
36: Fifteen years old
8: More than fifteen years old
12: Sixteen years old
1: Seventeen years old
10: Eighteen years old
1: Nineteen years old
18: Twenty years old
3: More than twenty years old
2: Twenty-one years old
0: Twenty-two years old
1: Twenty-three years old
1: Twenty-four years old
1: More than twenty-five years old.
Actions Taken to Report Problem
The chronic nature of this problem and the damage done to the victim's personal and professional relationships as the spoofing continues at irregular intervals mean that many of those affected seek information from their email provider about the cause and solution. Tables 4 and 5 below list the actions taken by a subset of affected Virgin Media account holders.
Table 4. Actions Taken by 68 Virgin Media account holders as a percentage.
72% : Called Virgin Media one or more times to report problem
35% : Filled in the Virgin Media Net Report form
26% : Wrote in to the Virgin Media Community forum
7% : Made contact with the Chief Executive's Office at Virgin Media.
Table 5. Actions Taken by 68 Virgin Media account holders by numbers.
49: Called Virgin Media one or more times to report problem
24: Filled in the Virgin Media Net Report form
18: Wrote in to the Virgin Media Community forum
5: Made contact with the Chief Executive's Office at Virgin Media.
How Long since Password Change
Many email account holders with this problem had not changed their email account password for "years" before the spoofing began, as shown in Table 6 below. Virgin Media has no password-expiration policy.
Table 6. Length of Time Since Email Password Changed Before Spoofing Began.
Email Addresses Found in Large Hacks
It is unfortunately a common behaviour to reuse an email password on other websites. During the past few years, there have been a number of large data breaches in which email addresses and web-site passwords were stolen. The web page "have i been pwned" allows one to check an email address to see what information has been stolen. Checking the affected Virgin Media email addresses gives the results in Tables 8 and 9 below.
Table 8. Percentage of 172 Virgin Media Addresses Found in Hacks
41% : Not known to have been stolen
24% : Adobe
30% : Linked-In
5% : MoneyBooker
18% : MySpace
2% : Neopets
3% : Tumblr
Table 9. Number of 172 Virgin Media Addresses Found in Hacks
70 : Not known to have been stolen
41 : Adobe
51 : Linked-In
8 : MoneyBooker
32 : MySpace
3 : Neopets
6 : Tumblr.
Month when Spoofing Began
While the first reports of this epidemic of spoofed emails being sent to addresses stolen from Virgin Media accounts appear to date from August 2015 and correspond to the time when Virgin Media was in the process of moving email accounts from Google hosting to a Dovecot-based system with an Open-Xchange OX App Suite front-end, there have been new cases each month, long after the mailbox moves completed, as shown in Table 10 below.
Table 10. Number of Self-Reported Cases By Month of Onset of Spoofing
1: August 2015
55: September 2015
31: October 2015
3: November 2015
9: December 2015
2: January 2016
6: February 2016
3: March 2016
5: April 2016
9: May 2016
4: June 2016
3: July 2016
1: August 2016.
Web Mail Use
As Tables 11 and 12 below show, a large portion of Virgin Media users with this spoofing problem do not use web mail. As a result, we can rule out a web-mail vulnerability as the method by which accounts have been accessed. The distribution of browser use is in line with current expected popularity of browsers, with Chrome and Firefox being more popular than Internet Explorer and Safari.
Table 11. Use of web mail and browsers as a percentage of 174 responses.
36%: Not using web mail
30%: Use web mail with Chrome
21%: Use web mail with Firefox
10%: Use web mail with Internet Explorer or Microsoft Edge
6%: Use web mail with Safari
0.6%: Use web mail with Pale Moon.
Table 12. Use of web mail and browser by numbers.
62: Not using web mail
52: Use web mail with Chrome
37: Use web mail with Firefox
17: Use web mail with Internet Explorer or Microsoft Edge
10: Use web mail with Safari
1: Use web mail with Pale Moon.