Expect targeted attacks after massive Epsilon email breach, say experts

Database of stolen addresses is a gold mine for hackers and scammers

Security experts today warned users to be on the watch for targeted email attacks after a breach at a major marketing firm that may have put millions of addresses in the hands of hackers and scammers.

The addresses will also be invaluable to attackers playing in the high-stakes game of hacking major corporations like the one that RSA Security disclosed last month, a researcher added.

Last week, Irving, Texas-based Epsilon admitted that names and email addresses of a "subset of Epsilon clients" were accessed by hackers. Epsilon, which sent 6.5 billion messages in 2009, runs email marketing and customer loyalty campaigns for some of the country's biggest banks, credit card companies and retailers, including American Express, Best Buy, Citibank, Capital One, Kroger, Visa and U.S. Bank.

Those companies and others have acknowledged the Epsilon hack, and warned their customers to be wary of spam, according to a list compiled by security blogger Brian Krebs.

Experts today said that scammers will probably put the email addresses to work in targeted attacks, often dubbed "spear phishing," that try to dupe users into divulging their log-on credentials.

Spear phishing is most commonly used by identity thieves hoping to obtain access to consumers' and businesses' bank or credit card accounts, although the term is also used to describe any attack aimed at specific individuals rather than relying on huge volumes of messages.

"It will be no surprise if the addresses are used for targeted attacks, whether spear phishing or to deliver malicious links to users," said Graham Cluley, a senior technology consultant with U.K.-based security company Sophos.

Recipients unaware of the Epsilon hack will be more likely to click on such links or open malware-infected attachments because the incoming messages are from a company with which they have an established relationship, said Cluley.

HD Moore, the chief security officer at Rapid7, echoed Cluley. "People already expect to get messages from these companies," Moore said.

Cluley thought that the danger might be greater in the future, after the news of the Epsilon breach has quieted. "This is in the news now, but the email addresses could be exploited in 6 or 12 months, long after most people have forgotten about the incident," said Cluley.

But Moore and Marcus Carey, Rapid7's community manager, disagreed.

"I think this list will have a long shelf-life," said Carey today, noting the difficulty most users have in abandoning their primary email address. "This is a really, really good list [and attackers] can use them now and for quite some time."

The new owners of the addresses will be able to sell and resell them again and again, Moore argued.

One sale, said Moore and Carey, would be to hackers hoping to break into the network of a large company, or a government agency. For example, the database could easily be mined for very specific addresses, those belonging to employees at certain companies, workers at government agencies or military personnel.

"They could go after Cisco or RSA employees whose addresses were used to contact the banks and brands," said Carey. "There will be lots of corporate and .gov and .mil addresses in the database, and someone will target those."

The March hack of RSA Security's network began with just such a targeted attack, the company confirmed last week. According to RSA, hackers gained access to its corporate network and lifted information about its SecurID two-factor authentication products after sending messages to a small number of employees.

One of those workers opened a malicious Excel attachment that contained an exploit of a then-unpatched vulnerability in Adobe Flash, giving the attackers the foothold they needed.

"This list will save [attackers] a lot of the leg work they usually have to do to target individuals," said Moore. "It eliminates the first burden of [hacker] research."

Cluley, Moore and Carey had little advice other than to refrain from clicking on links embedded in email messages.

"The model is pretty much broken," said Moore. "You now have to treat every message from these companies as suspect."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags american expressCybercrime and Hackingrsa securitysecurityvisaMalware and VulnerabilitiesCapitaBest Buy

More about Adobe SystemsAmerican Express AustraliaAppleCapital OneCiscoCitigroupEpsilon InteractiveetworkExcelMicrosoftRSASophosTopicVisa

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts