Epsilon--the largest distributor of permission-based email in the world--revealed that millions of individual email addresses were exposed in an attack on its servers. While no other information was apparently compromised, security experts are warning users to brace for a tidal wave of more precise spear phishing attacks.
Epsilon is responsible for sending more than 40 billion marketing emails per year on behalf of its 2500-plus customers. These emails are not spam in the Rustock botnet sense of the word. These email messages are marketing and customer communication emails from major clients such as JP Morgan Chase, Capital One, CitiGroup, and others.
Andrew Storms, Director of Security Operations for nCircle, commented, "There's no doubt you or someone you know has been affected because the list Epsilon has published looks like a slide of the most impressive customers from a sales presentation."
Let's take a look at what we know about the Epsilon data breach, and what you need to do now to protect yourself from any fallout as a result of the attack.
The press release from Epsilon was terse, and Epsilon has not been very forthcoming with additional details. The good news is that Epsilon seems to have detected the breach quickly, and did not waste any time notifying its customers. Those customers have subsequently not wasted any time communicating with individual users. I have received two emails already today from affected financial institutions.
Randy Abrams, director of technical education at ESET, says "I have not yet seen details of how the breach occurred. An SQL injection attack would be a decent guess, but it is only a guess. How it happened will only be important to lawyers trying to sue for negligence."
What Is The Risk?
The fact that the breach only exposed email addresses--and not any additional personal or account information--is great news. The primary risk is that the attackers now have a list of millions of verified active email addresses to target with spam and phishing attacks.
If the attackers were able to get not just the email address, but also its affiliation with one of Epsilon's customers, that will yield much more precise spear phishing attacks. Phishing is like casting a net. Spear phishing is narrowed down to a specific domain or company. But, these attacks would be to known email addresses that are also known to have a relationship with the company being spoofed in the attack--more like spear phishing with laser sighting and computer-guided telemetry.
Amol Sawarte, Vulnerabilities Lab Manager for Qualys, explains, "Phishing' scams are the number one concern from this breach. Hackers could send fake emails pretending to be your bank, pharmacy, hotel or other business that were customers of Epsilon. The email will look real and will be convincing as attackers have the customer's name and the company information that they did business with. The email could ask unsuspecting users to click on a link which can ask for credit card numbers, run malware, install spyware or carry out other attacks."
Eset's Abrams adds, "Currently if I get an email from a financial institution that I do not do business with and it says there is a problem with my account, it is obviously a phishing attack. When phishers can tie the institution to the customer they can make a much more compelling story and will almost certainly have significantly higher success rates."
How Can I Protect Myself?
Anup Ghosh, Founder and Chief Scientist at Invincea, cautions users to remember that email as a rule is not a trusted form of communication. An email can be easily forged or spoofed to appear as if it is from another entity. " Forging an email from Best Buy or Citi is not very hard to do, along with the websites the links will take you to. The Website can look exactly the same as the Citi Website but actually be a forged Website under the control of a cyber-criminal."
Storms warns, "Consumers should be even more vigilant than usual. It pays to think twice or three times about clicking on links, even for companies you know."
Richard E. Mackey, Jr., Vice President of Consulting for SystemExperts, provides some additional insight that IT admins can put to use to protect the environment as a whole. "Companies can configure their spam filters to look for suspicious email. Administrators should also be tracking announcements from anti-virus and other security companies to keep abreast of signs of attacks that may be created to exploit the information the hackers have stolen."
It seems likely that a surge in spear phishing attacks is inevitable. Users need to exercise a healthy dose of cautious skepticism for any emails--more than usual. Even if you are a customer of the company allegedly sending the email, and even if the email looks convincingly legitimate, don't trust it.
Abrams sums up with this sage advice for users: "If you never log into a Website from a link in an email and never send your password, PIN, or other financial information in response to an email, you will easily repel almost all phishing attacks."