Hacked Email Address Spam from Annette Bosworth for U.S. Senate?

I got a spammy email today from a Dr. Annette Bosworth for U.S. Senate. It was interesting, because the email arrived in a private email account that was created specifically for the purpose of tracking the use of that email address. The address was only used to create a user account on Adobe.com.

Since no one but Adobe.com (and the email forwarding/tracking service) had this email address, I haven’t been able to think of a way that Bosworth’s senate campaign could have gotten it except by somehow (indirectly) acquiring email addresses from the recent hacking of Adobe.com when the account information from over 150 million of their customers was stolen.
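The attribution above works because the address was handed to exactly one service. As an added example (not code from the original post), here is one way to issue such per-service tracking addresses and map an inbound recipient back to its service; the catch-all domain `mail.example`, the secret, and the `service.tag@domain` layout are assumptions for illustration.

```python
import hashlib
import hmac

# Assumptions (not from the original post): the catch-all domain, the secret
# and the "service.tag@domain" alias layout are hypothetical.
SECRET = b"constructed-demo-secret"
DOMAIN = "mail.example"
TAG_LEN = 8  # hex characters of the HMAC kept in the alias


def _tag(service: str) -> str:
    mac = hmac.new(SECRET, service.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:TAG_LEN]


def alias_for(service: str) -> str:
    """Return the one address to give to `service` and to nobody else."""
    service = service.lower()
    return f"{service}.{_tag(service)}@{DOMAIN}"


def attribute(recipient: str):
    """Return the service an alias was issued to, or None if it is not ours."""
    local, _, domain = recipient.strip().lower().rpartition("@")
    if domain != DOMAIN or "." not in local:
        return None
    service, _, tag = local.rpartition(".")
    good = hmac.compare_digest(tag.encode(), _tag(service).encode())
    return service if service and good else None


def triage(recipient: str, sender_domain: str, issued_to: dict):
    """Classify a message as 'expected', 'leaked' or 'unknown-alias'.
    issued_to maps a service to the sender domains it legitimately uses."""
    service = attribute(recipient)
    if service is None:
        return ("unknown-alias", None)  # guessed or forged alias
    if sender_domain.lower() in issued_to.get(service, set()):
        return ("expected", service)
    return ("leaked", service)  # address left the service's hands


if __name__ == "__main__":
    issued = {"adobe.com": {"adobe.com"}}  # constructed sample data
    addr = alias_for("adobe.com")
    print(addr, triage(addr, "adobe.com", issued))
    print(triage(addr, "bulk-sender.example", issued))
```

The HMAC tag means a spammer who guesses the naming pattern cannot produce a valid alias for some other service, so a "leaked" verdict points at the service the address was issued to.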

I checked whether that email address had been affected in the Adobe incident and the answer was yes, according to LastPass:

Adobe Hacked Email Address Checker

Here’s the email that I received — low-substance, political nonsense that seems kind of funny considering her enthusiasm for Che Guevara:

Honestly, who acts like this?

This is my first run for political office. I am a doctor, not a career politician, but I just couldn’t sit on the sidelines and watch what is happening to our great nation any longer.

I have always stood up for what I believe in. The first time I stood up to a bully I was 7 years old.

Today, the biggest bully I see is the federal government. I grew up on a working farm in Plankinton, South Dakota. I am a doctor who works with the elderly and the poor. The clinic I own is a small business. In every area of work and life, there is just too much government interference.

Being a doctor, I understand how unfair and harmful Obamacare really is — and I have vowed to repeal every single word of it. I also pledge to cut taxes, defend the second amendment, and to protect the unborn.

Washington, D.C. insiders don’t want to see people like you and me change their way of doing business.

Change is possible, but it takes effort from all of us.

I am fighting for that change against an establishment insider with millions of dollars, much of it PAC money from special interest groups.

My opponent has so much PAC money, he can afford to be wasteful – and he is. Just this week, he produced a slick advertisement for TV that didn’t even feature voters from the state of South Dakota. And when he was caught, he didn’t even apologize — he just threw the advertisement away.

That’s not how I do things.

I am a fiscal conservative. I promise that if you donate now, your hard earned donation will be used in a responsible way to fight big government and wasteful spending. I need your help to get there. Will you join me?

Absentee ballots in South Dakota are mailed out this month and that’s when voting begins – will you chip in $5 or more today?

The donation you make today will help us get our message to voters.

Thanks,
Dr. Annette Bosworth

To unsubscribe please click here

Dr. Annette Bosworth
2601 S. Minnesota Ave, Suite 105-129, Sioux Falls, SD, 57105

Paid for by Dr. Annette Bosworth for U.S. Senate

Contributions to Bosworth for US Senate are not tax deductible

Email not displaying correctly? View it in your browser

Powered by Hairyspire

I couldn’t find any software called Hairyspire and the links went to 2bits.co, which has the same logo as 2bits.com, a respectable Drupal development company in Canada. The campaign website doesn’t appear to be structured like a Drupal site, so I’m not sure what to make of that.

UPDATES: According to this comment, Hairyspire may be a pirated version of Interspire email software. According to someone at 2bits.com, 2bits.co is not related to 2bits.com even though it was using the 2bits.com logo yesterday. Here’s a screenshot from 2bits.co when it appeared to be actively impersonating 2bits.com:

A screenshot from 2bits.co that was taken before the site went offline when it appeared to be actively impersonating 2bits.com.

So it appears that not only did my email address probably come from the hacked Adobe.com list, but the email software might also be pirated, and the sender appears to be trying to disguise itself as a different Internet company. (I have a lot of respect for the real 2bits.com company. They build great Drupal modules.)

I did find another blog post complaining about the spam with some other research about the origin of the emails:

The spam originates from two18.2bits.co (63.143.38.243) and spamvertises a site at marketer.2bits.co (63.143.38.226). Both these IPs are allocated to Limestone Networks in the US, but are suballocated to a customer called Joseph (Joey) Burzynski of ResistedNormalcy LLC and/or MarketKar.ma in Dallas. The email is digitally signed for the domain bosworthcampaign.com which has hidden WHOIS details.

ArgusLeader.com covered the Bosworth campaign’s attempts to raise money:

Of course, sending out as many letters as Bosworth has is expensive. From January through March, Bosworth spent $523,000 on direct mail and fundraising, while accumulating another $450,000 in fundraising and direct mail debt.

… “We’ve spent a little over $672,000 getting Annette Bosworth’s name out there and getting people to know who she is, and it’s working,” Patrick Davis said. “Her name ID is up, and her favorability is up.”

It appears that somewhere and somehow along the way, they might have acquired some email addresses from that leaked list of hacked Adobe.com accounts. Obviously, they aren’t the ones that hacked Adobe.com, but there is a possibility that in their quest to reach an audience, they weren’t careful enough about where they got their email lists.

If you received emails from the Annette Bosworth campaign, check to see if your email address came from the hacked Adobe.com list (or Gawker or another data breach incident), and then leave a comment below.

UPDATE: there is more information in the comments below.

10 thoughts on “Hacked Email Address Spam from Annette Bosworth for U.S. Senate?”

  1. I received the same email, although the address had not been in the Adobe breach. I checked on haveibeenpwned.com and it *was* in the Gawker breach, but the address is also on my website so it could have been scraped from there. I checked an address that I know *had* been in the Adobe breach, and it hadn’t received the spam.

    That having been said – if you use a unique address for each service and you get spam to it, then that really nails it as the source, although perhaps the address got re-published from the Adobe breach and scraped from elsewhere.

    Nonetheless, this is spam. I don’t even live in the US!

  2. My first guess is that they bought email lists from shady sources and then just bulk emailed everyone on the purchased lists in order to try to raise money for the campaign. Maybe they sent out bulk spam assuming that no one will complain.

    If anyone reading this works for an email provider like Gmail, Yahoo, or Hotmail, maybe they could run a query of email addresses that received this message against the Adobe and Gawker hacked address lists to see if there are any patterns.

    Someone from the campaign is welcome to comment and clarify what happened.

  3. A little more research:

    The webpage, marketkar.ma/about.html, has the following quote:

    “JCPenney’s web site is not built to work well with Search Engine Optimization programs. We see this as a big opportunity, and Joey has been instrumental in terms of developing ideas to address our limitations, resulting in recent triple-digit growth in this program.”

    It doesn’t say whether that was before or after the black hat stuff though.

    It looks like the company is in Miami, not Dallas. Maybe the servers are in Dallas?

  4. I just updated the blog post. It appears that 2bits.co, where the emails appear to come from, is not related to 2bits.com but was using their logo and a similar domain. And Hairyspire might be pirated software.

  5. Another update: I found a second copy of the email in the spam folder of a different email account that I haven’t used in many years. I searched for the email address online and it was in the Gawker list.

    Gawker’s database compromise brought with it over a million account details that were subsequently posted into a torrent for easy consumption.

    As interested parties downloaded the lists of usernames and passwords, people who had registered on a Gawker website found themselves at the mercy of people who now had their login credentials.

    After seeing the apparent impersonation of 2bits.com when sending out the emails, the whole thing is looking shadier.

  6. He was the “VP Organic Search Strategy / SEO at SearchDex” according to LinkedIn. SearchDex is a Dallas company, so maybe there is some kind of connection there.

  7. SearchDex appears to be located at 2602 McKinney Ave, Dallas, TX.

    MarketKar.ma appears to be located at 2811 McKinney Ave, Dallas, TX.

    Google Maps says that there is ~300 yards distance between them. They both seem to have listed JC Penney as a client.
