Expect targeted attacks after massive Epsilon email breach, say experts

Database of stolen addresses is a gold mine for hackers and scammers

Security experts today warned users to be on the watch for targeted email attacks after a breach at a major marketing firm that may have put millions of addresses in the hands of hackers and scammers.

The addresses will also be invaluable to attackers playing in the high-stakes game of hacking major corporations like the one that RSA Security disclosed last month, a researcher added.

Last week, Irving, Texas-based Epsilon admitted that names and email addresses of a "subset of Epsilon clients" were accessed by hackers. Epsilon, which sent 6.5 billion messages in 2009, runs email marketing and customer loyalty campaigns for some of the country's biggest banks, credit card companies and retailers, including American Express, Best Buy, Citibank, Capital One, Kroger, Visa and U.S. Bank.

Those companies and others have acknowledged the Epsilon hack, and warned their customers to be wary of spam, according to a list compiled by security blogger Brian Krebs.

Experts today said that scammers will probably put the email addresses to work in targeted attacks, often dubbed "spear phishing," that try to dupe users into divulging their log-on credentials.

Spear phishing is most commonly used by identity thieves hoping to obtain access to consumers' and businesses' bank or credit card accounts, although the term is also used to describe any attack aimed at specific individuals rather than relying on huge volumes of messages.

"It will be no surprise if the addresses are used for targeted attacks, whether spear phishing or to deliver malicious links to users," said Graham Cluley, a senior technology consultant with U.K.-based security company Sophos.

Recipients unaware of the Epsilon hack will be more likely to click on such links or open malware-infected attachments because the incoming messages are from a company with which they have an established relationship, said Cluley.

HD Moore, the chief security officer at Rapid7, echoed Cluley. "People already expect to get messages from these companies," Moore said.

Cluley thought that the danger might be greater in the future, after the news of the Epsilon breach has quieted. "This is in the news now, but the email addresses could be exploited in 6 or 12 months, long after most people have forgotten about the incident," said Cluley.

But Moore and Marcus Carey, Rapid7's community manager, disagreed.

"I think this list will have a long shelf-life," said Carey today, noting the difficulty most users have in abandoning their primary email address. "This is a really, really good list [and attackers] can use them now and for quite some time."

The new owners of the addresses will be able to sell and resell them again and again, Moore argued.

One sale, said Moore and Carey, would be to hackers hoping to break into the network of a large company, or a government agency. For example, the database could easily be mined for very specific addresses, those belonging to employees at certain companies, workers at government agencies or military personnel.

"They could go after Cisco or RSA employees whose addresses were used to contact the banks and brands," said Carey. "There will be lots of corporate and .gov and .mil addresses in the database, and someone will target those."

The March hack of RSA Security's network began with just such a targeted attack, the company confirmed last week. According to RSA, hackers gained access to its corporate network and lifted information about its SecurID two-factor authentication products after sending messages to a small number of employees.

One of those workers opened a malicious Excel attachment that contained an exploit of a then-unpatched vulnerability in Adobe Flash, giving the attackers the foothold they needed.

"This list will save [attackers] a lot of the leg work they usually have to do to target individuals," said Moore. "It eliminates the first burden of [hacker] research."

Cluley, Moore and Carey had little advice other than to refrain from clicking on links embedded in email messages.

"The model is pretty much broken," said Moore. "You now have to treat every message from these companies as suspect."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.

Read more about security in Computerworld's Security Topic Center.

Tags Cybercrime and Hackingamerican expressvisasecurityrsa securityCapitaMalware and VulnerabilitiesBest Buy

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?