    Expect targeted attacks after massive Epsilon email breach, say experts

    Database of stolen addresses is a gold mine for hackers and scammers

    April 4, 2011

    Security experts today warned users to be on the watch for targeted email attacks after a breach at a major marketing firm that may have put millions of addresses in the hands of hackers and scammers.

    The addresses will also be invaluable to attackers playing in the high-stakes game of hacking major corporations like the one that RSA Security disclosed last month, a researcher added.

    Last week, Irving, Texas-based Epsilon admitted that names and email addresses of a "subset of Epsilon clients" were accessed by hackers. Epsilon, which sent 6.5 billion messages in 2009, runs email marketing and customer loyalty campaigns for some of the country's biggest banks, credit card companies and retailers, including American Express, Best Buy, Citibank, Capital One, Kroger, Visa and U.S. Bank. [Emphasis and color are mine. AC]

    Those companies and others have acknowledged the Epsilon hack, and warned their customers to be wary of spam, according to a list compiled by security blogger Brian Krebs.

    Experts today said that scammers will probably put the email addresses to work in targeted attacks, often dubbed "spear phishing," that try to dupe users into divulging their log-on credentials.

    Spear phishing is most commonly used by identity thieves hoping to obtain access to consumers' and businesses' bank or credit card accounts, although the term is also used to describe any attack aimed at specific individuals rather than relying on huge volumes of messages.

    "It will be no surprise if the addresses are used for targeted attacks, whether spear phishing or to deliver malicious links to users," said Graham Cluley, a senior technology consultant with U.K.-based security company Sophos.

    Recipients unaware of the Epsilon hack will be more likely to click on such links or open malware-infected attachments because the incoming messages are from a company with which they have an established relationship, said Cluley.

    HD Moore, the chief security officer at Rapid7, echoed Cluley. "People already expect to get messages from these companies," Moore said.

    Cluley thought that the danger might be greater in the future, after the news of the Epsilon breach has quieted. "This is in the news now, but the email addresses could be exploited in 6 or 12 months, long after most people have forgotten about the incident," said Cluley.

    But Moore and Marcus Carey, Rapid7's community manager, disagreed.

    "I think this list will have a long shelf-life," said Carey today, noting the difficulty most users have in abandoning their primary email address. "This is a really, really good list [and attackers] can use them now and for quite some time."

    The new owners of the addresses will be able to sell and resell them again and again, Moore argued.

    One sale, said Moore and Carey, would be to hackers hoping to break into the network of a large company, or a government agency. For example, the database could easily be mined for very specific addresses, those belonging to employees at certain companies, workers at government agencies or military personnel.

    "They could go after Cisco or RSA employees whose addresses were used to contact the banks and brands," said Carey. "There will be lots of corporate and .gov and .mil addresses in the database, and someone will target those."

    The March hack of RSA Security's network began with just such a targeted attack, the company confirmed last week. According to RSA, hackers gained access to its corporate network and lifted information about its SecurID two-factor authentication products after sending messages to a small number of employees.

    One of those workers opened a malicious Excel attachment that contained an exploit of a then-unpatched vulnerability in Adobe Flash, giving the attackers the foothold they needed.

    "This list will save [attackers] a lot of the leg work they usually have to do to target individuals," said Moore. "It eliminates the first burden of [hacker] research."

    Cluley, Moore and Carey had little advice other than to refrain from clicking on links embedded in email messages.

    "The model is pretty much broken," said Moore. "You now have to treat every message from these companies as suspect."

    Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is [email protected].

    "To go bravely forward is to invite a miracle."

    "Worry is the darkroom where negatives are formed."

    #2
    Wasn't just banks - collegeboard.com (think FAFSA) also got hacked and uses Epsilon. We got notice yesterday...



      #3
      I got a notice from Disney on Sunday. Now, I didn't click the link, but my computer was acting up this morning.



        #4
        I got notices from Walgreens, Target, Disney and Chase.
        "I DECLARE BANKRUPTCY!" Ch 7 Filed 7/15/11 * 3 Minute 341 8/19/11 * Discharged 10/20/11



          #5
          Received my notice from Kroger. This is going to get interesting........
          All information contained in this post is for informational and amusement purposes only.
          Bankruptcy is a process, not an event.......



            #6
            Epsilon Breach Raises Specter of Spear Phishing

            April 4, 2011

            [A related article that contains a list of the affected companies. Keep in mind that some may be parent companies of other companies. AC]

            Security experts are warning consumers to be especially alert for targeted email scams in the coming weeks and months, following a breach at a major email marketing firm that exposed names and email addresses for customers of some of the nation’s largest banks and corporate brand names.

            Late last week, Irving, Texas-based Epsilon issued a brief statement warning that hackers had stolen customer email addresses and names belonging to a “subset of its clients.” Epsilon didn’t name the clients that had customer data lost in the breach; that information would come trickling out over the weekend, as dozens of major corporations began warning customers to be wary of unsolicited email scams that may impersonate their brands as a result.

            Among Epsilon’s clients affected are three of the top ten U.S. banks – JP Morgan Chase, Citibank and U.S. Bank — as well as Barclays Bank and Capital One. More than two dozen other brands have alerted customers to data lost in the Epsilon breach (a list of companies known to have been impacted is at the bottom of this post).

            Rod Rasmussen, chief technology officer at Internet Identity and the industry liaison for the Anti-Phishing Working Group, believes that the Epsilon breach will lead to an increase in “spear phishing” attacks, those that take advantage of known trust relationships between corporations and customers by crafting personalized messages that address recipients by name, thereby increasing the apparent authenticity of the email.

            “I think this is going to make a big difference in spear phishing, where you may not be targeting an individual, but you know that that person has a bank account with US Bank and recently stayed at Disney,” Rasmussen said. “You now can automate spam based on things people have actually done, so your missive that they need to log into your phishing site is much more effective. You can also correlate across your data to see all the services someone is using, phish them for a user/password on something innocuous, and then re-use the same password for the bank they use, since there’s such rampant password re-use out there.”

            Crooks used very similar spear phishing methods to steal customer contact information from dozens of email marketing firms late last year, as KrebsOnSecurity.com first reported in detail. In the wake of that assault, data spills at other email marketing firms like SilverPop have prompted disclosures from clients such as TripAdvisor and Play.com.

            Neil Schwartzman, executive director of the Coalition Against Unsolicited Commercial Email (CAUCE) and a former executive at email service provider ReturnPath, said his organization plans to release a document later today spelling out security measures that providers should be taking, such as encrypting customer data.

            “There are best practices that the majority of the industry should have implemented a year ago, but never did, and it’s just disgusting and reprehensible that they haven’t done this stuff yet,” Schwartzman said. “I’ve talked to people in other industrial sectors who said if my external auditors found out we were treating customer data this way, we’d be in serious trouble.”

            Schwartzman said Internet service providers should start treating even opt-in commercial email as “highly circumspect.”

            “To protect users, ISPs should be upgrading anti-phishing facilities, and demanding strict compliance with anti-spam [standards],” Schwartzman said. “At this point, the email senders certainly are in the ring with Mike Tyson in his prime.”

            Jonathan Zittrain, a professor of law at Harvard Law School and co-founder of the Berkman Center for Internet & Society, said the breaches at Epsilon and other email senders should never have happened.

            “The right security controls — or overall architecture, not keeping a Ft. Knox of email addresses lazily on the Internet, even behind a password — could prevent this,” Zittrain wrote in an email to KrebsOnSecurity.com. “Worse, customers who specifically asked to opt out of marketing emails were also affected. Opting out should mean genuine removal from the database, rather than retention in the database with a marker indicating that someone has opted out.”

            Zittrain said he received notices from two of the companies impacted by the Epsilon breach, and that neither company mentioned the source of the problem.

            “Reminiscent of credit card companies’ reporting of merchant breaches — they do not say who lost the data,” Zittrain said. “Why would the front line companies go out of their way to protect the firm that was asleep at the switch?”

            It’s not clear how many more disclosures are still to come. Epsilon declined to comment beyond its sparse four-sentence statement. The company’s site says Epsilon serves approximately 2,500 clients, and sends about 40 billion marketing messages for clients annually.

            The stock price for Epsilon’s parent company, Alliance Data Systems Corp. (NASDAQ: ADS) was down $4.77 per share, or 5.55 percent, in mid-day trading Monday.

            Here is a list of companies that have acknowledged losing customer contact data and email addresses as a result of the Epsilon breach. Got a notice from a company that’s not already on this list? Sound off in the comments below.

            Update, 3:14 p.m. ET: If at all possible, please paste a copy of the communication in your comment only if you don’t see the name of the affected entity in the list below. Databreaches.net has links to some of the disclosure letters, which I will try to add to the individual brand names below as well. Early reports suggested Borders and Verizon had also issued alerts, but those are unconfirmed and have been removed from the list for now.

            Update, 3:22 p.m. ET: Heard back from the PR folks at Borders, who said the company was not impacted by the Epsilon breach.

            Update, 5:14 p.m. ET: Corrected the number of clients Epsilon currently has and the volume of email they send annually.

            * 1800-Flowers
            * Abe Books
            * American Express
            * Ameriprise Financial
            * Barclays Bank of Delaware
            * Bebe Stores Inc.
            * Benefit Cosmetics
            * BestBuy
            * Brookstone
            * Capital One
            * Citibank
            * City Market
            * The College Board
            * Dillons
            * Disney Vacations
            * Eddie Bauer
            * Food 4 Less
            * Fred Meyer
            * Fry’s
            * Hilton Honors
            * The Home Shopping Network
            * Jay C
            * JP Morgan Chase
            * King Soopers
            * Kroger
            * LL Bean
            * Marriott Rewards
            * McKinsey Quarterly
            * New York & Co.
            * QFC
            * Ralphs
            * Red Roof Inns Inc.
            * Ritz Carlton
            * Robert Half
            * Smith Brands
            * Target
            * TD Ameritrade
            * TiVo
            * US Bank
            * Visa
            * Walgreens



              #7
              That's massive! Now all the major corporations should tighten their security systems to prevent such a serious breach.
              URL Removed by Admin
