Category: Announcements

Last week we reported on a potential spam issue. Several customers sent us additional information in response to this post, and we have come to the conclusion that there was not any form of security breach with our account control center based on the following:

• None of the accounts we maintain received a copy of the spam. If the email addresses had come directly from us then these accounts would have been included, but they were not.
• One customer received a copy of the spam to an old email address that hasn’t been in our database for over two years; it could not have been obtained from us since we don’t keep a history of email changes.
• All of the addresses that received a copy of the spam were sent to our merchant account. We immediately notified them and altered our system to send a generic email address under our domain instead of the customer’s email.
• There is no indication in the logs or netflow records of access from outside of our network to the systems that have access to this data. Furthermore, the master database server is not internet accessible, and the admin interface to look up an account first requires an individual account name or a domain.

For those that may be concerned about their financial information, we have no reason to believe this was anything more than some kind of email scrape at the processor side. The processor does not store credit card numbers.

Again, we apologize for this issue. Security and privacy with our services are extremely important to us. We do, in fact, use our own services (take a look at the MX records for our domain) right along with our customers, including managing our domains with the same account control center.

This morning we received a disturbing report of a potential issue: a customer with an email address unique to our service received a spam message at that address. Throughout the day we subsequently received two more identical reports leading us to believe there is a potential issue. We are extremely disappointed that information associated with Roller Network may have been leaked in any manner, whether it’s our fault or not, tarnishing our otherwise flawless record up to this point.

The only common thread that these reports have is that they have submitted a payment via our merchant account, which is the only time an email address in our database was associated to something outside of our account control center. As a precaution we are no longer submitting email addresses with transactions of any type; we have changed our side to send a generic email address under our domain. It is unique (just created today) in case we should see any activity at it. While we have notified our card processor of a potential problem, we have not been able to confirm it with them at this time.

If you have used a unique email address with our services, please report spam to us immediately. Specifically, we are interested in accounts that used different billing and contact addresses. If the billing email address received this spam while the contact address did not, then we can narrow our investigation. Please send them to our support address.

Spam Details

The type of spam that is being propagated to the unique addresses is specific and virtually identical, but uses some phrasing variations to evade content filters. A sample of one of the reported spams is as follows:

Hey.
I am contacting you regarding your adult profile.
I find your message on adult site nice.
I am nice looking female. I am moving to your place in few weeks.
and searching for a male to show me the place.
We could see if we have the chemistry between us.
I am sending you my snap.
I am coming from Russia.
I'm outty

Another variation might be:

Wassup?
I am contacting you regarding your adult profile.
I find your message on adult site interesting.
I am pretty looking lady. I am coming to your place in few weeks.
and looking for a guy to show me around.
This way we could discover each other.
I am sending you my photo.
I am coming from Russia.
See ya

In all cases the spam has been sourced from throwaway Hotmail addresses and includes an image attachment. We have verified that the test accounts we maintain – at the time of this writing – have not logged any attempts with hotmail addresses or spam of this nature.

Our Policy

Roller Network as does not (and will never) sell or distribute email addresses from our records; we do not employ any marketing or sales staff. The database that holds account information is not directly accessible over the internet, and operates within a extremely limited scope of access from systems that do. Most notably it is only accessible via the account control center, and never as a whole. All database queries consist of the account’s unique ID and use prepare/execute with bind values. Also, the forums and this newspipe are explicitly independent for reasons such as this. However, we are checking the account control center as a precaution.

Our database also contains test accounts. Thus far we have not seen any matching activity on the email addresses associated with those accounts. (These accounts have never been used with live payments.)