Expect targeted attacks after massive Epsilon email breach, say experts

Database of stolen addresses is a gold mine for hackers and scammers

Security experts today warned users to be on the watch for targeted email attacks after a breach at a major marketing firm that may have put millions of addresses in the hands of hackers and scammers.

The addresses will also be invaluable to attackers playing the high-stakes game of hacking major corporations, as in the breach that RSA Security disclosed last month, a researcher added.

Last week, Irving, Texas-based Epsilon admitted that names and email addresses of a "subset of Epsilon clients" were accessed by hackers. Epsilon, which sent 6.5 billion messages in 2009, runs email marketing and customer loyalty campaigns for some of the country's biggest banks, credit card companies and retailers, including American Express, Best Buy, Citibank, Capital One, Kroger, Visa and U.S. Bank.

Those companies and others have acknowledged the Epsilon hack, and warned their customers to be wary of spam, according to a list compiled by security blogger Brian Krebs.

Experts today said that scammers will probably put the email addresses to work in targeted attacks, often dubbed "spear phishing," that try to dupe users into divulging their log-on credentials.

Spear phishing is most commonly used by identity thieves hoping to obtain access to consumers' and businesses' bank or credit card accounts, although the term is also used to describe any attack aimed at specific individuals rather than relying on huge volumes of messages.

"It will be no surprise if the addresses are used for targeted attacks, whether spear phishing or to deliver malicious links to users," said Graham Cluley, a senior technology consultant with U.K.-based security company Sophos.

Recipients unaware of the Epsilon hack will be more likely to click on such links or open malware-infected attachments because the incoming messages are from a company with which they have an established relationship, said Cluley.

HD Moore, the chief security officer at Rapid7, echoed Cluley. "People already expect to get messages from these companies," Moore said.

Cluley thought that the danger might be greater in the future, after the news of the Epsilon breach has quieted. "This is in the news now, but the email addresses could be exploited in 6 or 12 months, long after most people have forgotten about the incident," said Cluley.

But Moore and Marcus Carey, Rapid7's community manager, disagreed.

"I think this list will have a long shelf-life," said Carey today, noting the difficulty most users have in abandoning their primary email address. "This is a really, really good list [and attackers] can use them now and for quite some time."

The new owners of the addresses will be able to sell and resell them again and again, Moore argued.

One sale, said Moore and Carey, would be to hackers hoping to break into the network of a large company, or a government agency. For example, the database could easily be mined for very specific addresses, those belonging to employees at certain companies, workers at government agencies or military personnel.

"They could go after Cisco or RSA employees whose addresses were used to contact the banks and brands," said Carey. "There will be lots of corporate and .gov and .mil addresses in the database, and someone will target those."

The March hack of RSA Security's network began with just such a targeted attack, the company confirmed last week. According to RSA, hackers gained access to its corporate network and lifted information about its SecurID two-factor authentication products after sending messages to a small number of employees.

One of those workers opened a malicious Excel attachment that contained an exploit of a then-unpatched vulnerability in Adobe Flash, giving the attackers the foothold they needed.

"This list will save [attackers] a lot of the leg work they usually have to do to target individuals," said Moore. "It eliminates the first burden of [hacker] research."

Cluley, Moore and Carey had little advice other than to refrain from clicking on links embedded in email messages.

"The model is pretty much broken," said Moore. "You now have to treat every message from these companies as suspect."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.

Gregg Keizer

Computerworld (US)