‘Spear Phishing’ Season to Follow Epsilon Data Breach
April 5, 2011 Alex Woodie
It won’t be as easy as shooting fish in a barrel. But thanks to a major data breach involving millions of email addresses held by third-party marketing company Epsilon, cyber criminals will get a leg up on their targeted email phishing campaigns, an activity security experts call “spear phishing,” just in time for the summer season.
On April Fool’s Day, Epsilon posted a not-so-funny notice on its website informing the world that it had been hacked the day before, and that it lost some of the names and email addresses that it stores on behalf of its customers.
This is a big deal, because Epsilon is one of the world’s biggest high-tech marketing consultancies. The Dallas, Texas-based company, which is owned by the publicly traded Alliance Data Company, bills itself as the “world’s largest permission-based email marketing provider.” In that capacity, it sends 40 billion emails per year on behalf of its clients, which include seven of the 10 biggest companies in the world, and about 2,500 smaller fry.
Affected Epsilon customers immediately started issuing warnings to their own customers, which is now a legal requirement for large data breaches. The exact scope of the breach hasn’t been disclosed, but by all accounts it’s massive; some security firms are calling it possibly the biggest breach ever.
Customers of the following companies have received notices that their names and email addresses were accessed by the Epsilon hackers: Ameriprise Financial, Barclays Bank, Best Buy, Brookstone, CapitalOne, Citibank, Disney, Home Shopping Network, JPMorgan Chase, Kroger, L.L. Bean, Marriott, McKinsey & Company, New York & Company, Ritz Carlton, TiVo, US Bancorp, and Walgreens. (For what it’s worth, there are at least a couple of IBM i shops in this list.)
The compromised information consists primarily of customers’ names and email addresses. The hackers, for the most part, did not gain access to more sensitive information. This is not a repeat of the 2007 incident in which TJ Maxx lost 46 million credit and debit card numbers to a “drive by” hacker snooping on open wireless networks.
While there was no compromise of what most people would call personally identifiable information (PII), the email addresses managed by Epsilon are especially valuable because they are “permission-based”: the owners of those addresses had explicitly given the companies permission to email them, so mail from those brands is expected and trusted.
This gives cyber criminals an advantage, according to security researchers at Rapid7, a developer of vulnerability management and penetration testing software and services. “Hackers will now have more details on their victims, and the fact that attackers will now know information about who people trust to send them email is a big deal,” says HD Moore, the CSO of Rapid7 and the founder of Metasploit.
Attackers will be able to set up precise “spear-phishing” campaigns as a result of the hack, Moore says. “These are more targeted attacks using information on the target’s behavior, such as where they shop, where they work, or what bank they use,” he says. “Based on the additional information, hackers can craft phishing emails with malicious content that are more likely to be opened, downloaded, or clicked on.”
Considering the scope of this breach and the brands involved, consumers may want to think carefully before clicking on an email from their favorite bank, retailer, or hotel that has an amazingly good offer. Like your mom said, if it’s too good to be true, it probably isn’t.