Epsilon Breach Raises Specter of Spear Phishing

Security experts are warning consumers to be especially alert for targeted email scams in the coming weeks and months, following a breach at a major email marketing firm that exposed names and email addresses for customers of some of the nation’s largest banks and corporate brand names.

Late last week, Irving, Texas based Epsilon issued a brief statement warning that hackers had stolen customer email addresses and names belonging to a “subset of its clients.” Epsilon didn’t name the clients that had customer data lost in the breach; that information would come trickling out over the weekend, as dozens of major corporations began warning customers to be wary of unsolicited email scams that may impersonate their brands as a result.

Among Epsilon’s clients affected are three of the top ten U.S. banks – JP Morgan Chase, Citibank and U.S. Bank — as well as Barclays Bank and Capital One. More than two dozen other brands have alerted customers to data lost in the Epsilon breach (a list of companies known to have been impacted is at the bottom of this post).

Rod Rasmussen, chief technology officer at Internet Identity and the industry liaison for the Anti-Phishing Working Group, believes that the Epsilon breach will lead to an increase in “spear phishing” attacks, those that take advantage of known trust relationships between corporations and customers by crafting personalized messages that address recipients by name, thereby increasing the apparent authenticity of the email.

“I think this is going to make a big difference in spear phishing, where you may not be targeting an individual, but you know that that person has a bank account with US Bank and recently stayed at Disney,” Rasmussen said. “You now can automate spam based on things people have actually done, so your missive that they need to log into your phishing site is much more affective. You can also correlate across your data to see all the services someone is using, phish them for a user/password on something innocuous, and then re-use the same password for the bank they use, since there’s such rampant password re-use out there.”

Crooks used very similar spear phishing methods to steal customer contact information from dozens of email marketing firms late last year, as KrebsOnSecurity.com first reported in detail. In the wake of that assault, data spills at other email marketing firms like SilverPop have prompted disclosures from clients such as TripAdvisor and Play.com.

Neil Schwartzman, executive director of the Coalition Against Unsolicited Commercial Email (CAUCE) and a former executive at email service provider ReturnPath, said his organization plans to release a document later today spelling out security measures that providers should be taking, such as encrypting customer data.

“There are best practices that the major of the industry should have implemented a year ago, but never did, and it’s just disgusting and reprehensible that they haven’t done this stuff yet,” Schwartzman said. “I’ve talked to people in other industrial sectors who said if my external auditors found out we were treating customer data this way, we’d be in serious trouble.”

Schwartzman said Internet service providers should start treating even opt-in commercial email as “highly circumspect.”

“To protect users, ISPs should be upgrading anti-phishing facilities, and demanding strict compliance with anti-spam [standards],” Schwartzman said. “At this point, the email senders certainly are in the ring with Mike Tyson in his prime.”

Jonathan Zittrain, a professor of law at Harvard Law School and co-founder of the Berkman Center for Internet & Society, said the breaches at Epsilon and other email senders should never have happened.

“The right security controls — or overall architecture, not keeping a Ft. Knox of email addresses lazily on the Internet, even behind a password — could prevent this,” Zittrain wrote in an email to KrebsOnSecurity.com. “Worse, customers who specifically asked to opt out of marketing emails were also affected.  Opting out should mean genuine removal from the database, rather than retention in the database with a marker indicating that someone has opted out.”

Zittrain said he received notices from two of the companies impacted by the Epsilon breach, and that neither company mentioned the source of the problem.

“Reminiscent of credit card companies’ reporting of merchant breaches — they do not say who lost the data,” Zittrain said. “Why would the front line companies go out of their way to protect the firm that was asleep at the switch?”

It’s not clear how many more disclosures are still to come. Epsilon declined to comment beyond its sparse four-sentence statement. The company’s site says Epsilon serves approximately 2,500 clients, and sends about 40 billion marketing messages for clients annually.

The stock price for Epsilon’s parent company, Alliance Data Systems Corp. (NASDAQ: ADS) was down $4.77 per share, or 5.55 percent, in mid-day trading Monday.

Here is a list of companies that have acknowledged losing customer contact data and email addresses as a result of the Epsilon breach. Got a notice from a company that’s not already on this list? Sound off in the comments below.

Update, 3:14 p.m. ET: If at all possible, please paste a copy of the communication in your comment only if you don’t see the name of the affected entity in the list below. Databreaches.net has links to some of the disclosure letters, which I will try to add to the individual brand names below as well. Early reports suggested Borders and Verizon had also issued alerts, but those are unconfirmed and have been removed from the list for now.

Update, 3:22 p.m. ET: Heard back from the PR folks at Borders, who said the company was not impacted by the Epsilon breach.

Update, 5:14 p.m. ET: Corrected the number of clients Epsilon currently has and the volume of email they send annually.

Update, Apr. 5, 11:01 a.m. ET: Visa says it was not impacted by the Epsilon breach.

Update, Apr. 5, 3:42 p.m. ET: Added Bebe, Soccer.com, Eddie Bauer, 1800Flowers, among others. Removed American Express, which says it was not affected. It seems the confusion over Amex and Visa stemmed from cardholders getting notices through various rewards programs.

  • 1800-Flowers
  • Abe Books
  • Air Miles CA
  • Ameriprise Financial
  • Barclays Bank of Delaware
  • Beachbody
  • Bebe Stores Inc.
  • Benefit Cosmetics
  • BestBuy
  • Brookstone
  • Capital One
  • Charter Communications (Charter.com)
  • Chase
  • Citibank
  • City Market
  • The College Board
  • Crucial.com
  • Dell Australia
  • Dillons
  • Disney Vacations
  • Eurosport/Soccer.com
  • Eddie Bauer
  • Food 4 Less
  • Fred Meyer
  • Fry’s
  • GlaxoSmithKline
  • Hilton Honors
  • The Home Shopping Network
  • Jay C
  • JP Morgan Chase
  • King Soopers
  • Kroger
  • LL Bean
  • Lacoste
  • Marks & Spencer (UK)
  • Marriott Rewards
  • McKinsey Quarterly
  • Moneygram
  • M&T Bank
  • New York & Co.
  • QFC
  • Ralphs
  • Red Roof Inns Inc.
  • Ritz Carlton
  • Robert Half
  • Scottrade
  • Smith Brands
  • Target
  • TD Ameritrade
  • TIAA-CREF
  • TiVo
  • US Bank
  • Verizon
  • Viking River Cruises
  • Walgreens
  • World Financial Network National Bank

Оставьте комментарий