Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/4/2011
02:28 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Attackers Steal Major Retailers', Financial Firms' Customer Email Data

Breach at email marketing services firm Epsilon could open the door for widespread, ongoing phishing, targeted attacks

On the surface, the massive hack of email service provider Epsilon might seem relatively benign -- no credit card accounts, Social Security numbers, or source code were stolen, just millions of email addresses and, in some cases, full names. But security experts say the attack, which affects customers of major retailers and financial institutions, could reverberate for years to come with phishing, spamming, and targeted attacks against individuals and businesses.

Last Friday Epsilon revealed it had discovered on March 30 that some of its clients' customer information was exposed by a hack into its internal email system. "The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway," the company said in a statement on its website.

Since then, some of the biggest names in retail and banking have begun notifying their customers that their email information was exposed in the breach, and the list is staggering. At last count, there were some 38 companies and counting: 1-800-Flowers, AbeBooks (a division of Amazon), American Express, Ameriprise, AstraZeneca, Barclays Bank of Delaware, Benefit Cosmetics, Best Buy, Brookstone City Market, Capital One, Citi, The College Board, Dillons, Disney Destinations, Food 4 Less, Fred Meyer, Fry's, Hilton HHonors, Home Shopping Network, Jay C, JP Morgan Chase, King Soopers, Krogers, Lacoste, LL Bean VISA, Marriott Rewards, McKinsey Quarterly, New York & Company, QFC, Ralphs, Red Roof Inn, Ritz-Carlton Rewards, Robert Half, Smith's, TiVo, US Bank, Verizon, and Walgreens, according to notices from some of these firms and industry sources.

More firms are expected to come forward as well. The emails and names of the victims stolen by the attackers ultimately have been, or will be, used to spam, phish, or socially engineer them for other more lucrative information, security experts say. In some cases, the customer email information included the customer's banking institution, giving the attackers even more detail to use in their spoofed messages.

"What's scary about this case in particular is that it's now easy to spoof Chase or Best Buy. If you gave your email to Best Buy, you're going to trust that the [phishing] email came from them," says HD Moore, CSO at Rapid7 and creator of Metasploit.

The stolen emails could be used for targeted attacks against corporations, using the stolen email account holders as a first step in an attack, he says. Aside from near-term phishing attacks, the email addresses could also be sold to spammers, Moore says.

What's unclear thus far is whether this latest attack is related to the attacks suffered by email marketing service providers Silverpop and ReturnPath late last year, when they were hacked and their clients' customer email databases, including McDonald's were exposed. At the time, Walgreens also announced its customer emails had been breached, but would not confirm whether the attack was via its email marketing provider.

But according to databreaches.net, Walgreens said the retailer had asked Epsilon to add more security after the late 2010 attacks that hit Silverpop as well. "Apparently, that expectation was not fully met," the spokesperson reportedly told databreaches.net, indicating that Epsilon may now be responding to a second attack.

Walgreens wouldn’t comment today beyond its official announcement: "Walgreens today announced Epsilon, a third-party vendor it uses to email promotional messages, reported an unauthorized access to its computer systems. Law enforcement authorities have been notified and are investigating the matter. Email addresses were the only information obtained in this incident."

Neil Schwartzman, a messaging industry consultant and executive director of The Coalition Against Unsolicited Commercial Email (CAUCE), who was formerly with email marketing services provider ReturnPath, notes that not all of these providers came forward publicly in the late 2010 breach. "We don't know the technical details of this breach," he says. "And we don't know if it's the same gang that hit back then or if they used the same method ... What is clear is that a significant portion of Epsilon's clients were compromised, including seven financial institutions."

The breach at Epsilon is big because it sets up phishers to conduct real-looking attacks that could ultimately also steal more sensitive and lucrative information. "What they have in hand is names, email addresses, and who people bank with. That sets things up perfectly for spearphishing attacks," Schwartzman says.

Such an attack could go like this, he says: "'Dear Neil, You know about our recent breach we wrote to you about. Please go to our database and confirm your [personal account] information. Signed, Visa.'

"This is a real problem," he says.

Dennis Dayman, a MAAWG Board member and chief privacy and deliverability officer at Eloqua, says an attacker could conceivably have emails from 10 different brands that a user normally would trust via email. "Now it has 10 different brands that could be used against you, to get information about you and your personal life," says Dayman, who says he sees the fallout lasting for two, five, or more years down the road.

What should consumers whose emails have been exposed do? Besides being wary of emails from these brands, you could take a more extreme measure and change your email address. "Change your email address. That's the only way you're going to be able [to protect yourself]," Schwartzman says. "It's incredibly depressing to have to say that."

Meanwhile, email service providers will continue to be a valuable target. Expect more attacks on these companies, experts say. "Their intellectual property is their email addresses," says Marcus Carey, community manager for Rapid7. That information then can be used to target corporate users and, in turn, their employers, he says.

And just how long attackers had possession of the emails and if they already had been using them in phishing emails is unclear, he says. "There was a window where some attackers could have been using that information," Carey says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Vulnerability Disclosure Programs See Signups & Payouts Surge
Kelly Sheridan, Staff Editor, Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15216
PUBLISHED: 2020-09-29
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revisio...
CVE-2020-4607
PUBLISHED: 2020-09-29
IBM Security Secret Server (IBM Security Verify Privilege Vault Remote 1.2 ) could allow a local user to bypass security restrictions due to improper input validation. IBM X-Force ID: 184884.
CVE-2020-24565
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25770
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25771
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...