Attacks/Breaches
4/11/2011
06:55 PM
Connect Directly
RSS
E-Mail
50%
50%

Epsilon Fell To Spear-Phishing Attack

Breach apparently lasted for months despite warning of targeted attacks against email service providers.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
The breach of Epsilon, the world's largest email service provider, has put the customers of at least 50 major companies at risk from targeted phishing attacks, aka spear phishing, which use fake yet personalized emails to trick people into disclosing personal information, including passwords and financial details.

In an ironic twist for a company entrusted with sending an estimated 40 billion emails per year, the Epsilon breach apparently stemmed from the company having itself been spear phished.

Furthermore, according to Australia's iTnews, Epsilon failed to heed a November 2010 security alert from the email intelligence group at Return Path, one of its business partners, that attackers had recently been targeting email service providers (ESPs) like Epsilon via spear phishing attacks.

Return Path included a sample message with its alert, noting that it "has been sent numerous times, over several different systems, including using the facility of some ESPs, using online greeting card sites, and by way of a botnet." In addition, it said, "sources confirm the list of addresses is very small (less than 3,000 addresses) and aimed 100% at staff responsible for email operations."

The sample phishing message shared by Return Path included a link, which if a user clicked on it would attempt to download three pieces of malware. They were Win32.BlkIC.IMG, which disables antivirus software and which many antivirus programs -- at least at the time--couldn't detect. The other two malware applications were iStealer, which is a keylogger, and CyberGate, a remote administration tool.

According to iTnews, spear phishing attacks resulting from a breach of Epsilon began appearing in early December, starting with Walgreens. But Epsilon apparently didn't discover that its systems had been breached until it installed software, in February 2011, designed to spot unusual--and potentially malicious--information access patterns. By then, stolen data included information relating to the customers of at least 50 companies, including Best Buy, Citi, Hilton, LL Bean, Marriott, Target, TiVo, and Walgreens.

According to Epsilon, attackers stole only 2% of its customer data. But given that the company provides email marketing services for more than 2,500 companies, and by some estimates stores 250 million emails, that's a sizeable breach.

Furthermore, the number of companies warning that their customers are at risk has been expanding, with the Better Business Bureau warning that customers of any affected companies were at risk.

The Epsilon breach highlights that with the growth of cloud services, one data breach can be a single point of failure for numerous organizations. "Outsourcing and the cloud are buzzwords of the 2010s--their many evangelists will assure you that cloud-sourcing your high-volume Internet services is certain to save you money, improve your up-time, and boost your security," said Paul Ducklin, the Asia-Pacific head of technology for Sophos, in a blog post. "After all, if you leave a job such as direct marketing--or email, or office automation, or authentication -- entirely to the specialists, you're bound to have experts on the job who are at least as switched on about security as you are."

Furthermore, entrusting a single company with data on so many people makes it an attractive target for attackers, which may in fact place customers at greater risk of having their personal information stolen.

Of course, customers also won't be holding just the ESP responsible. "The real lesson to be learned is that companies are still responsible to their customers for incidents like this, even if the fault lies with an outsourcer," security analyst John Pescatore, a vice president at Gartner Inc., said in the SANS Newsbites newsletter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7052
Published: 2014-10-19
The sahab-alkher.com (aka com.tapatalk.sahabalkhercomvb) application 2.4.9.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7056
Published: 2014-10-19
The Yeast Infection (aka com.wyeastinfectionapp) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7070
Published: 2014-10-19
The Air War Hero (aka com.dev.airwar) application 3.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7075
Published: 2014-10-19
The HAPPY (aka com.tw.knowhowdesign.sinfonghuei) application 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7079
Published: 2014-10-19
The Romeo and Juliet (aka jp.co.cybird.appli.android.rjs) application 1.0.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.