
"You may have downloaded a virus on one or more of your devices"

Wizz Kid

Although it is a little old, here is TalkTalk's explanation of how HomeSafe Virus Alerts works:

https://community.talktalk.co.uk/t5/General-Technology-Tips-Tricks/Virus-Alerts-how-it-will-work/td-...

 

And some more up-to-date independent information:

https://wiki.openrightsgroup.org/wiki/TalkTalk_HomeSafe

 

It seems that all URLs are monitored regardless of whether you sign-up to the services or not. What is new here is that they are now emailing non HomeSafe users after the fact which means they must be recording who made the DNS request.

Community Team - TT Staff

Hi ITTroll, I'm told the specific information isn't available. I'm not sure why you've received the mail 3 times, but I've raised it to the team and I'll post back once they reply. 


Please log in to My Account if you need to view or pay your bill, manage boosts and track your usage. From My Account you can also check your connection and test your line for any issues in the Service Centre.


Community Star

Hi @ITTroll

 

My understanding is that the virus alerts will be direct to the Internet browser in real time, not an email, which would be ineffective as a real-time protection measure whilst browsing.

 

What appears to be happening now is more detailed analysis of traffic trends and implicating some IP addresses as involved in some way with those trends.

 Gondola - Volunteer 2017-2020

Wizz Kid

@OCE_Ady wrote:

Hi ITTroll, I'm told the specific information isn't available. I'm not sure why you've received the mail 3 times, but I've raised it to the team and I'll post back once they reply. 


It must exist in order for the system to know to email me. I would expect they at least have the time it was triggered, but I would suspect that the requested URL is also logged. I guess I could obtain this data and the reasoning behind the automated decision through a subject access request. Hopefully the team will come back with some more specific information.

 

I do sometimes intentionally visit malicious websites (within a sandboxed environment) for IT security research purposes. So I'm not really surprised that this may have triggered something. But this is exactly why I have these features turned off on my account; or thought I did...

 

Community Team - TT Staff

The team responsible have advised that you and all customers who receive the mail should only be receiving 1 copy. I've not been given the details, but the cause of the problem has been identified and corrected. My opinion, and please believe me this is only my opinion, not that of the company, is that most people who aren't using the free SuperSafeBoost probably have no or poor AV software. Obviously it's in everybody's interest to have as many customers as possible using at least the free version on their main device to protect themselves and the rest of the network. I suspect that is one of the main reasons, along with of course upselling customers to the £2 per month for 8 licences. I think the motivation was good, but we didn't execute as well as we could have.


Wizz Kid

Thanks for the update. So do we think that the emails went out as a mailshot to all non SuperSafe customers who have simply visited a URL which has been blacklisted by the Huawei SIG? If so, sending an email with the subject, "we may have found a virus on your device", is rather alarmist.

 

I run Kaspersky on my main workstation. A full scan shows 0 issues, as does a full scan with Malwarebytes. I am not at all concerned about the virus alert itself, as I believe it would have originated from one of my sandboxed VMs. I am however concerned that the HomeSafe system has recorded my activity, which is something TalkTalk have always claimed was anonymous.

Community Team - TT Staff

I doubt it went to all in one go and I'm sorry, but I've got absolutely no idea how the DNS identifies the downloaded virus issue.


Wizz Kid

It doesn't really matter how, what really matters is that they have. The previous official statement on this was as below. This can no longer be true as customers have received personalised emails which are being used to market additional services.

 

"Our scanning engines receive no knowledge about which users visited what sites (e.g. telephone number, account number, IP address), nor do they store any data for us to cross-reference this back to our customers. We are not interested in who has visited which site - we are simply scanning a list of sites which our customers, as a whole internet community, have visited. What we are interested in is making the web a safer place for all our customers."

Team Player

@OCE_Ady wrote:

I doubt it went to all in one go and I'm sorry, but I've got absolutely no idea how the DNS identifies the downloaded virus issue.


I also received one of these emails, telling me that TT has "detected a potential threat on one or more of" my devices.

 

I want specific info, such as "a device visited a.b.c.d at hhmmss on yyyymmdd, and this is a known xyz", to indicate at least whether eg someone is visiting a dangerous website (intentionally or not) or one of my devices is infected with something that is reaching out (eg to a C&C centre).

 

That is the sort of info that TT must have, otherwise it wouldn't know to send the email, and is also the sort of info that I can use to deal with the threat that TT has detected.

 

How can I/we find out what it was that made TT send me/us that email?

Wizz Kid

I don't think the email was designed to inform. It is designed to panic the average non-technical user into enabling SuperSafe on their devices. It is more targeted marketing than a security advisory. The links look like they have click tracking common to those in a mailshot campaign.

 

Team Player

@ITTroll wrote:

I don't think the email was designed to inform. It is designed to panic the average non-technical user into enabling SuperSafe on their devices. It is more targeted marketing than a security advisory.


That's what I thought too - shocking as that is in and of itself - except that the body of the email makes a specific claim that TT has detected a potential threat on one of my devices. There's no equivocation there. So, I want to know what that potential threat is, so that I can act on it.

 

If this turns out to be a marketing campaign, and there never was any potential threat, TT will come out worse than when customer details were leaked. Lying to frighten your own customers does not look good.

Wizz Kid

@marshals wrote:

If this turns out to be a marketing campaign, and there never was any potential threat, TT will come out worse than when customer details were leaked. Lying to frighten your own customers does not look good.


I think they have detected something, most likely that you visited a URL which has been blacklisted by their network scanning bot. They are then using this browsing data as an opportunity to promote their security boosts.

Popular Poster

I’ve also received the same message.

 

I’m an IT professional and have AV software running on 4 Windows 10 devices and an iMac. All have full scans scheduled and none have reported anything suspicious.

 

Without further information how am I supposed to investigate?

 

The email they’ve sent has so little information that one could be forgiven for concluding that it’s no more than marketing which is aimed at the less tech-savvy user who is likely to take them up on their upselling in order to get peace of mind.

 

Whatever way you look at it, at best it's a badly constructed email and at worst it's cynical marketing using fear to promote sales.

Conversation Starter

My dad also received this email an hour or so ago. He thought it looked suspicious, so showed it to me. I ended up finding this thread.

 

If this is a scheme to worry customers into downloading SuperSafe, this is a terrible way to do it. Why tell people that you have detected a threat when you haven't?

 

We already have our own antivirus software. We run the tests on a regular basis.

 

My dad was concerned enough to ring the call centre and ask them. A pointless exercise, but he prefers to talk to someone that he knows is from TalkTalk. She told him that the email is spam and didn't come from TalkTalk.

 

Your call centre should probably be aware that this email is being sent to customers.

Popular Poster

I too have had the message come through today and am alarmed. I run Avast free, and don't have TT safeboost activated. I'm not at all tech savvy, so all this DNS talk goes right over my head but would be interested to know if it is likely I actually have a virus which the AV software isn't picking up, or if this is indeed a nefarious marketing ploy to induce non tech savvy customers to activate TT stuff. Won't be very impressed if that turns out to be the case.

 

I also have concerns about TT tracking now. Can anyone tell me if the offending email could still be generated whilst running a VPN?

 

Popular Poster

@ITTroll wrote:

@marshals wrote:

If this turns out to be a marketing campaign, and there never was any potential threat, TT will come out worse than when customer details were leaked. Lying to frighten your own customers does not look good.


I think they have detected something, most likely that you visited a URL which has been blacklisted by their network scanning bot. They are then using this browsing data as an opportunity to promote their security boosts.


 

Going from that to outright stating you have a virus on one of your devices is a bit of a stretch though I'm guessing. And a bit naughty. Surely in many cases they're just sending people off on a wild goose chase to try and fix an issue that probably doesn't exist.

 

 

Wizz Kid

@uguay wrote:

 

I also have concerns about TT tracking now too. Can anyone tell me if the offending email could still be generated whilst running a VPN?


Using a VPN will stop anyone, including TalkTalk, from monitoring your Internet use. From what I have read, using alternative DNS servers is enough to stop HomeSafe and so may also be enough to stop this unsolicited monitoring.

 

https://help2.talktalk.co.uk/using-3rd-party-dns

Popular Poster

@ITTroll wrote:

@uguay wrote:

 

I also have concerns about TT tracking now too. Can anyone tell me if the offending email could still be generated whilst running a VPN?


Using a VPN will stop anyone, including TalkTalk, from monitoring your Internet use. From what I have read, using alternative DNS servers is enough to stop HomeSafe and so may also be enough to stop this unsolicited monitoring.

 

https://help2.talktalk.co.uk/using-3rd-party-dns



Ok that's good to know. Thanks for clarifying that. (and I appreciate the link)

Wizz Kid
Solution

This story has now been picked up by a news site:

https://www.ispreview.co.uk/index.php/2018/04/snooping-talktalk-security-feature-causes-customer-con...

 

It includes a statement from TalkTalk:

“We are continually investing in new ways to protect our customers and helping them to keep their devices free from malware is a top priority for us.

Our systems are able to identify devices that may have been infected with malware if they’ve connected to our network. These checks are done in the background and at no point do we monitor customers’ browsing history. Our recent awareness campaign was launched to inform our customers of the potential risks and provide tips on how to clean up their devices. We think it’s the right thing to do, so that our customers can keep their devices safe and running as well as they possibly can.”

 

This confirms that TalkTalk are now cross-referencing detection data to identify customers who have been flagged by their network scanning systems. Something they previously stated they did not do.

Wizz Kid

For those wanting to try out alternative DNS servers then Google's servers are probably the most popular; 8.8.8.8 and 8.8.8.4

 

However, if you'd rather not use Google then Cloudflare now also offer public DNS which is very fast and topping the benchmarking charts; 1.1.1.1 and 1.0.0.1

 

Both are much faster than those from your typical ISP, maintain privacy and are unfiltered. More information here:

You can either configure a single device to use these, or configure your router so that all devices in your household use the same settings.