Spear Phishing: The Real Danger Behind the Epsilon Data Breach
By now, many have heard about the data breach at Epsilon, a marketing company that sends e-mail messages and claims to be "the world's largest permission-based e-mail marketing provider." According to their website, they send, on average, 109 million e-mail messages a day.
It has been reported that the only data lost by Epsilon were names and e-mail addresses.
I am skeptical of this for three reasons.
First, an article in the Wall Street Journal says that Epsilon specializes in things like not sending winter coat ads to someonline living in Florida. Doing so implies they have more information than just names and e-mail addresses.
Also, the company has said that they are limited in what they can disclose publicly due to ongoing investigations. Finally, David Perry, the director of public education for Trend Micro, who is much more up on these things than I am, said on The Personal Computer Show that other data was probably stolen.
Roughly 50 companies had their data leak from Epilson; among them: Kroger, US Bank, JPMorgan Chase, Capital One, Citi, Ameriprise Financial, Ritz-Carlton Rewards, Marriott Rewards, Hilton Honors, Brookstone, Walgreens, Disney Destinations, Best Buy and the Home Shopping Network. Databreaches.net has a longer list.
As the list implies, Epsilon is also involved in loyalty programs, another indicator that they store more than just names and e-mail addresses.
Needless to say, this data breach will result in more spam. But, the bigger danger is spear phishing. Spam is an annoyance, phishing may be dangerous but spear phishing is much more likely to be dangerous.
Phishing e-mails are scams designed to trick the victim into divulging personal information.
One common tactic is threatening to close your account unless you follow the instructions in the e-mail. Another popular scam asks the victim to confirm information after suspicious activity in their account. Or, the lie may be that security is being improved and this requires the confirmation of assorted personal information. JPMorgan Chase warns that:
"... phishing e-mail usually takes an urgent or demanding tone, telling you to act immediately to verify or update personal information such as bank account numbers, user names/passwords, credit card account numbers - even your Social Security Number."
Phishing e-mails can often be detected as such, both because the scammers don't know anything about the victim (a note from a bank where you don't have an account, for example) and because they may send out tons of identical e-mails.
Spear phishing is much harder to detect, for both these reasons. As the name implies, these scams are more directly targeted, meaning there are few e-mails for spam filters to latch on to. Also, the bad guys know something about their target, making the scam much more likely to appear legit.
Computerworld reporter Gregg Keiser writes:
To illustrate the danger of spear phishing, consider Condé Nast. The Wired Threat Level blog just wrote about how their corporate parent was scammed:
Someone at Condé Nast took the bait, and for about 1.5 months, they paid the bad guys rather than their actual printer. In total, they falsely paid out roughly $8 million.