Spam sparks Umart investigation

update Spammers appear to have compromised online computer parts retailer Umart, sending emails to its customer base and prompting the company to start an investigation.

Umart's store in Milton, Qld.
(Umart Milton image by j3thr0, CC BY-SA 2.0)

A number of users on web forum Whirlpool have reported receiving spam on email addresses that they created solely to register with the retailer. To limit spam to their main email account and track down which companies have shared their information, users who have their own domain can create emails in the form of anyusername@yourdomain.com, and have their mail forwarded, similar to having a PO Box to protect a home address.

The spam says that they're receiving the email because they subscribed to a mailing list on "one of the job portals". It offers a job that requires "no specific education or work experience".

Umart told ZDNet Australia that it was aware of the issue and had received several instances of the email from its customer base. It is currently conducting an investigation, although it considers its data to be protected.

"Our data is quite secure, but we'll see where these email [go]," Umart group manager Peter Zhong said.

However, Zhong didn't rule out the possibility of the information being stolen from within the company, stating that staff could have stolen email addresses a long time ago, and only now released them.

Zhong said that he had passed the spam emails to others that were more experienced than he was to determine how the spammers had found Umart's customers' email addresses, but he has not engaged a professional firm.

He confirmed that the company did have a mailing list with customer addresses on it, but said that it hadn't been used for a very long time, and that the company has since "deleted the mailing list program".

Subsequent to this article being published, a ZDNet Australia reader, who wished only to be identified by his first name, has discovered that he could access Umart's own network over an unsecured wireless network. Danny connected to the open network via his iPhone, and was able to see several machines on Umart's network, including what appeared to be one of the stock ordering computers for the company.

(Screenshot by Danny)

Zhong confirmed that the network was indeed Umart's, and that the devices in Danny's screenshot were computers and printers used to key in customer's orders, print orders and process orders in its warehouse. He said that from time to time, Umart's warranty department tests customers' wireless devices on their own network without using a password. He has since asked the department to set passwords for all wireless devices before they can be connected to the company's network.

Updated at 5.11pm, 2 November 2011: added information about Umart's wireless network.