Expect targeted attacks after massive Epsilon email breach, say experts

Database of stolen addresses is a gold mine for hackers and scammers

Security experts today warned users to be on the watch for targeted email attacks after a breach at a major marketing firm that may have put millions of addresses in the hands of hackers and scammers.

The addresses will also be invaluable to attackers playing in the high-stakes game of hacking major corporations like the one that RSA Security disclosed last month, a researcher added.

Last week, Irving, Texas-based Epsilon admitted that names and email addresses of a "subset of Epsilon clients" were accessed by hackers. Epsilon, which sent 6.5 billion messages in 2009, runs email marketing and customer loyalty campaigns for some of the country's biggest banks, credit card companies and retailers, including American Express, Best Buy, Citibank, Capital One, Kroger, Visa and U.S. Bank.

Those companies and others have acknowledged the Epsilon hack, and warned their customers to be wary of spam, according to a list compiled by security blogger Brian Krebs.

Experts today said that scammers will probably put the email addresses to work in targeted attacks, often dubbed "spear phishing," that try to dupe users into divulging their log-on credentials.

Spear phishing is most commonly used by identity thieves hoping to obtain access to consumers' and businesses' bank or credit card accounts, although the term is also used to describe any attack aimed at specific individuals rather than relying on huge volumes of messages.

"It will be no surprise if the addresses are used for targeted attacks, whether spear phishing or to deliver malicious links to users," said Graham Cluley, a senior technology consultant with U.K.-based security company Sophos.

Recipients unaware of the Epsilon hack will be more likely to click on such links or open malware-infected attachments because the incoming messages are from a company with which they have an established relationship, said Cluley.

HD Moore, the chief security officer at Rapid7, echoed Cluley. "People already expect to get messages from these companies," Moore said.

Cluley thought that the danger might be greater in the future, after the news of the Epsilon breach has quieted. "This is in the news now, but the email addresses could be exploited in 6 or 12 months, long after most people have forgotten about the incident," said Cluley.

But Moore and Marcus Carey, Rapid7's community manager, disagreed.

"I think this list will have a long shelf-life," said Carey today, noting the difficulty most users have in abandoning their primary email address. "This is a really, really good list [and attackers] can use them now and for quite some time."

The new owners of the addresses will be able to sell and resell them again and again, Moore argued.

One sale, said Moore and Carey, would be to hackers hoping to break into the network of a large company, or a government agency. For example, the database could easily be mined for very specific addresses, those belonging to employees at certain companies, workers at government agencies or military personnel.

"They could go after Cisco or RSA employees whose addresses were used to contact the banks and brands," said Carey. "There will be lots of corporate and .gov and .mil addresses in the database, and someone will target those."

The March hack of RSA Security's network began with just such a targeted attack, the company confirmed last week. According to RSA, hackers gained access to its corporate network and lifted information about its SecurID two-factor authentication products after sending messages to a small number of employees.

One of those workers opened a malicious Excel attachment that contained an exploit of a then-unpatched vulnerability in Adobe Flash, giving the attackers the foothold they needed.

"This list will save [attackers] a lot of the leg work they usually have to do to target individuals," said Moore. "It eliminates the first burden of [hacker] research."

Cluley, Moore and Carey had little advice other than to refrain from clicking on links embedded in email messages.

"The model is pretty much broken," said Moore. "You now have to treat every message from these companies as suspect."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.

Read more about security in Computerworld's Security Topic Center.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Best Buyvisarsa securityamerican expressMalware and VulnerabilitiesCybercrime and HackingCapita

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?