Why data thieves covet permission-marketing e-mail addresses

Data thieves have begun taking systematic aim at caches of e-mail addresses stored in support of permission-driven e-mail marketing campaigns, a cornerstone of online commerce.

The recent theft of potentially tens of millions of consumer e-mail addresses from online marketing firm Epsilon followed a spate of similar hacks last December, LastWatchdog research shows.

Last week, Dallas-based Epsilon disclosed that hackers stole an undisclosed number of e-mail addresses connected to permission marketing campaigns of 50 major clients, firms ranging from Citigroup and Verizon to Hilton and Target. Those companies, in turn, have been sending e-mail warnings to their respective customers.

In late December, American Honda Motor reported a hacker stole permission-marketing e-mail addresses for 2.2 million Honda owners and 2.7 million Acura owners. Also in December, data thieves stole 13 million e-mail addresses from the artists’ web site deviantArt, 1.3 million e-mail addresses from Gawker Media and an undisclosed number of e-mail addresses from McDonald’s, as reported by The Register’s Dan Goodin.

All companies that comply with the federal Can-Spam Act of 2003 communicate via e-mail with consumers only after gaining the individual customer’s permission.

So a cottage industry of online marketing firms has arisen to support permission marketing campaigns. This involves the company asking the individual consumer for express permission to send e-mails with account updates and/or promotions.

“Permission marketing has become the norm for online banking and online shopping,” says Thomas Jelneck, President of Orlando-based Internet marketing firm On Target Web Solutions.

Exponential jump in effectiveness

And now data thieves on the cutting edge have arrived on the scene to take full advantage.

Web marketing and cybersecurity experts say there are numerous ways scammers can utilize e-mail addresses stolen from permission-marketing campaigns to amplify their bread-and-butter criminal activities.

“The Epsilon attack should be a wake-up call that targeted attacks are the wave of the future,” says Bit9 Chief Technical Officer Harry Sverdlove.

“It used to be that attackers would simply spam any email address they could get their hands on,” he continues. “Those types of emails were easy to spot. But if the email appears to come from your personal bank, and to the same email address you use at the bank, the effectiveness jumps exponentially.”

LastWatchdog would like to know: Can we now expect other major third-party online marketing companies in possession of large caches of permission-marketing e-mail addresses to become breach targets?

Chenxi Wang, Vice President & Principal Analyst, Security and Risk, Forrester Research

If you look at companies that handle regulated data, the part of their infrastructure that touches regulated data is strictly controlled according to some standards (e.g., PCI, FISMA, etc.), but as soon as you go outside of that domain, the maturity of security practices drops significantly. That’s why a lot of merchants who handle credit card information like tokenization, which takes them out of the scope of PCI – translation: they can spend less money on PCI.

If you extrapolate from this (and we see it all the time), companies that handle non-regulated data, such as email addresses, tend to have fairly relaxed security practices because they are not required to do anything better. So the first thing these companies would need to do is revisit their security policies and controls and determine whether they are doing an adequate job to protect their customers’ data.

For instance, PCI demands that you should scan your infrastructure and applications for vulnerabilities at least once per quarter. Was Epsilon doing that? I am not sure. Are any of the other major marketing companies doing that? No one knows.

Frank Kenney, VP of Global Strategy at Ipswitch File Transfer.

Third-party online marketing companies need to immediately assess their own security infrastructure, find their weaknesses, and take appropriate steps to secure their networks and databases.

Attacks against email addresses will accelerate with companies that don’t mitigate the risks associated with data breaches. These breaches will continue until the business world as a whole takes the risks more seriously. Companies and individuals should be prepared for breaches of phone numbers and other information that on the surface may seem trivial.

It’s pretty simple. Security professionals need to look at the data they store and share, determine the risk of breach and mitigate appropriately. But it’s essential that this doesn’t happen in isolation; your marketing department, sales department and other business units need to be on the same page about the value and risk associated with both trivial and sensitive information.

Gunter Ollmann, Research Vice President, Damballa.

Unlike other kinds of PII data that can simply be used to validate something being submitted is correct – i.e. only storing a hash of the customer credit card number or password and comparing the hashes to verify a real transaction – email addresses need to be stored in a retrievable format. Therefore different encryption practices are needed to secure the data. Key things that these companies should be doing:

  • Encrypt the data storage and data at rest. This will prevent off-line access to the PII.
  • Keep the encryption keys safe! The bad guys need them and will seek them out.
  • Given a possible delta between the time when the bad guys access/copy the encrypted PII data and them obtaining the keys, try to change the keys regularly – at least monthly.
  • Instrument the network for detecting insider threats and the presence of unauthorized and remotely controllable software (i.e. bot agents).
  • Embed tracer information into the stored data for counter intelligence. For example, create internal-only “customer records” and monitor their access/abuse. If anyone emails that fake email address, posts something to that physical address or calls that phone number, you know you have a breach and you can work to backtrack the data dissemination. Using different “fake” details for different data centers and changing those details by date will also allow for the reconstruction of a timeline of the breach.
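
The tracer-record idea in the last bullet, sketched as an added example (not code from the article or from Ollmann): each data center gets a fake customer address that changes weekly, and any mail arriving at one identifies where and when the data was copied. The key, domain, data-center names and weekly rotation are assumptions made for the illustration, and it assumes each tracer record is replaced at rotation.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Every value here is constructed for the example (hypothetical names).
SECRET = b"demo-only-key; keep the real one outside the database"
CANARY_DOMAIN = "canary.example"   # a domain whose inbound mail you control
DATA_CENTERS = ("dc-east", "dc-west")
ROTATION = timedelta(days=7)       # tracer details change weekly

def canary_address(data_center, period_start):
    """Derive the fake customer's address for one data center and period."""
    msg = f"{data_center}|{period_start.isoformat()}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:12]
    return f"pat.{tag}@{CANARY_DOMAIN}"

def build_index(first_period, periods):
    """Map every canary address ever seeded to (data center, period start)."""
    index = {}
    for n in range(periods):
        start = first_period + n * ROTATION
        for dc in DATA_CENTERS:
            index[canary_address(dc, start)] = (dc, start)
    return index

def attribute(index, inbound):
    """Map inbound mail [(received_date, recipient)] to breach findings:
    (data_center, window_start, window_end, first_abuse_date). The record
    existed only during that window, so the copy was taken within it."""
    first_seen = {}
    for received, rcpt in inbound:
        key = index.get(rcpt.strip().lower())
        if key is not None:  # ordinary customer mail is ignored
            first_seen[key] = min(received, first_seen.get(key, received))
    return sorted(
        (dc, start, start + ROTATION - timedelta(days=1), seen)
        for (dc, start), seen in first_seen.items()
    )

if __name__ == "__main__":
    idx = build_index(date(2011, 1, 3), periods=12)
    leaked = canary_address("dc-west", date(2011, 2, 14))
    mail = [(date(2011, 4, 6), leaked.upper()),   # constructed inbound log
            (date(2011, 4, 2), leaked),
            (date(2011, 4, 3), "real.customer@example.com")]
    for finding in attribute(idx, mail):
        print(finding)
```

Because the addresses are derived with a keyed HMAC, someone holding a stolen copy of the database cannot tell tracer records from real customers without the key.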

LastWatchdog would like to know: Have the massive breaches targeting PII and payment card data — of the type we saw in 2005-2009 with BofA, CardSystems, TJX, Hannaford Brothers and Heartland — peaked?

Kimberly Peretti, Director, Forensics Services, PricewaterhouseCoopers

Payment card thefts haven’t stopped since 2009, they’ve evolved and they aren’t as visible. The attacks have continued against POS terminals, especially in the hospitality industry, and criminals have been targeting more small to mid-sized businesses.

The groups have also had the benefit of sitting on an extremely large “pot” of numbers, so it is very likely once this “pot” diminishes, we’ll start seeing larger breaches again. There is an entire criminal industry that continues to thrive on stolen financial information.

HD Moore, Chief Security Officer, Rapid7

The number of large breaches containing payment data seems to be on a downward trend due to stronger enforcement of PCI DSS, but data loss containing PII is still occurring at an alarming rate. The recent breaches by Silverpop and Epsilon have made it clear that even just the combination of email and full name is attracting attacks by data thieves.

The introduction of the Massachusetts privacy law (201 CMR 17) has defined PII as any two pieces of personal information identifying an individual (name and address, phone number and address, etc.). This definition lowers the bar for what can be considered as a breach of personal information and has already resulted in fines.

Although announcements around the loss of payment data have declined, I don’t believe our systems as a whole have become more difficult to compromise by skilled attackers, and it may be a case that organizations simply don’t notice when their data is stolen by a smarter class of criminal.

Jose Granado, Principal, Information Security Services, Ernst & Young

The end game for cybercriminals has not changed — namely benefiting financially from the compromise of an organization, an individual, or both. The shift in “attack vector” from payment processor to ESP (email service provider) continues to signal a shift that targeted “human hacking” can yield just as good a result as going after the payment card account information directly.

The thought process of the cybercriminal has changed. Instead of spending cycles trying to compromise a payment processor, they figure why not compromise an ESP (perceived to be less secure) and let the unsuspecting users do the work for you.

Emails have become a different means to the same end — financial benefit for the cybercriminal. It’s a different path to the goal of obtaining financial information. For example, if the cybercriminal has an email list that is affiliated with a banking institution, it makes it easier to craft a message that appears to be very specific to a person, hopefully enticing them to provide account/credit card information, etc.

LastWatchdog would like to know: Should we expect this emerging trend (major hacks and insider thefts targeting permission-marketing e-mail addresses) to accelerate?

Nicholas Percoco, Director, SpiderLabs, Trustwave

Whoever compromised Epsilon is going to be busy for a long while making use of those email addresses. I do expect phishing, spear phishing, and targeted email attacks to be on the rise over the next several weeks.

Given that an individual does not generally change their email address very often, many of those email addresses will have a very long shelf-life for use in the years to come.

Rony Moshkovich, Senior Manager Development, PC Tools

Of course, these are low-hanging fruit, since users normally use their First.Last names in emails. That means that the underground/hackers have potentially valid names, with valid emails, and with a little bit of additional effort or no effort they can easily find other details like home address, date of birth, etc., and can start using ID fraud techniques for stealing money out of the victims’ accounts, making online purchases, etc. … The potential damage to such users and to the businesses who would be exploited in ID theft is really scary, mainly due to the high number of emails that have been stolen; we are talking here about millions upon millions of valid emails…

Consider that someone is using his corporate email address to register to the domains that were breached in the Epsilon case. With that information the hacker can continue to exploit further into other organizations by utilizing different social engineering techniques… so the chain reaction to such a breach could be really enormous.

Josh Shaul, Chief Technology Officer, Application Security

Hackers have demonstrated that the email marketing industry is a soft target. The successful attacks we’ve seen recently with Silverpop and Epsilon will almost certainly serve as an invitation for others to try their luck at profiteering by stealing massive databases of email addresses.

Companies working with these third party online marketing companies and trusting their customer information to them need to realize they have a say in how that data is protected. It’s a reflection of their company if that information is compromised and they need to require these third party providers to prove it is protected. It’s not just the third party that gets raked over the coals in the media; it’s also the companies outsourcing their data.

It’s time to think like the criminals do, and build our next generation of protections around what the bad guys want most – databases.

Chris Day, Chief Security Architect, Terremark

Definitely will increase. Why? Because it works and yields huge profits relative to the nearly non-existent risk.

By Byron Acohido

Web marketing and cybersecurity experts say there are several ways cybercriminals can use the stolen e-mail addresses to widen spam campaigns and amplify phishing scams.