Spear phishing wave could follow hack of e-mail marketer Epsilon

April 4th, 2011

The Epsilon hack, in which potentially millions of consumers’ names and e-mail addresses were pilfered, is the latest in a running series of similar disclosures.

Comodo, which manages the digital certificates used to authenticate websites, such as Google, Yahoo, Skype and Windows Live, last month disclosed that intruders stole the means to create faked websites that look and behave like the real ones.

And RSA, the security division of EMC, recently disclosed that intruders gained access to the technology behind RSA security tokens, small devices that issue one-time pass codes generally used for accessing sensitive corporate accounts.

“It’s getting harder for companies to hide when they’ve had a security breach,” says cybersecurity blogger Brian Krebs, of KrebsOnSecurity.com. “Attackers are using the stolen data in ways that are harder for victim organizations to conceal.”

The cost for Epsilon, a Dallas-based firm that provides e-mail marketing and other services for some 2,500 large companies, could be very high.

Epsilon has alerted Citigroup, JP Morgan Chase, U.S. Bank, Barclays Bank, Best Buy, Hilton WorldWide, Marriott International, Disney Destinations and The College Board, the firm that runs the SATs, among others, that their respective customers’ names and e-mail addresses were stolen.

The companies, in turn, have been sending e-mail warnings to their respective customers.

By correlating specific names and e-mail addresses to information about where a person banks and shops, cyber crime gangs can fine-tune so-called spear-phishing attacks. Spoofed messages can be customized to trick specific individuals into clicking on a viral attachment or poisoned web link. The intruder then takes over full control of the victim’s PC.

The infected PC is then used to pitch worthless software or drugs or to steal from the victim’s online accounts. Elite gangs can use infected PCs as footholds to probe deep inside of company networks, as LastWatchdog reported just last week in this cover story and accompanying video.

“The next time you get an e-mail from your favorite store with an amazing offer, you may want to think twice,” says Marcus Carey, community manager at penetration testing firm Rapid7.

Disclosing a breach could have lasting damage, and perhaps set a precedent that will give a boost to tech security suppliers and consultants. “One hacker can easily take away years of built up consumer and partner trust,” says Hemanshu Nigam, CEO of consultancy SSP Blue.

Loss of clients and even lawsuits are possible, if not probable, says Kevin Lee, CEO of online marketing consultancy Didit. “Epsilon has a huge way to go to earn back the trust of its clients,” says Lee.

Here are observations from other experts:

HD Moore, Chief Security Officer, Rapid7

“Some people are commenting that this breach is not a big deal because the initial reports state that only names and emails were breached. However, while a name and email is not a big deal by itself, when you have a large list of these for each organization it simplifies a targeted attack.

Attackers will now have more details on their victims, and the fact that attackers will now know information about who people trust to send them email is a big deal. Users have opted into a trust relationship with those who were breached.”

Frank Kenney, VP of Global Strategy at Ipswitch File Transfer.

“The recent breaches show that hackers will use every possible tactic to steal data. There have been several significant breaches in the past few weeks – and the respective hackers used completely different penetration methods in each instance. RSA experienced a database attack; Comodo was hit with a SQL injection attack. And now with Epsilon, hackers went straight for the company’s email system.

The number of data breaches isn’t necessarily rising; companies are reporting the breaches faster, and finally understand the consequences of waiting. Customer expectations have also transformed. Breached customers need a letter with specific information about what was breached, what they need to do, and how and when it will be resolved.

More so than ever before, companies are trying to get out ahead of negative publicity when it comes to data breaches. Companies like Epsilon, RSA and McDonalds were quick to get in front of potential victims…their customers.”

Mark Bower, Vice President, Voltage Security

“The most noteworthy thing about the Epsilon breach is the visibility. This breach affects millions of consumers. This is not just a corporate breach – the extent of this one is felt by the consumer, who has to be wondering why, in today’s world, their data still isn’t being protected?

When data can be converted into cash, there will always be breaches. It’s as simple as that. It’s also a fact that it’s never been easier to protect data, so there are no excuses for breaches like this to occur. It’s entirely preventable and, in fact, it’s the only way to avoid both disclosure and the ripping apart of consumer confidence.”

Steve Shillingford, President and CEO, Solera Networks

“Breaches we’re seeing now from Epsilon and RSA and others make it very clear that no network is safe. The hackers will get in. The details of this attack are vague. Epsilon was quoted as saying ‘Can’t confirm any impacted or non-impacted clients, or provide a list (of companies) at this point in time.’

The list posted keeps changing, apparently as more of Epsilon’s customers become aware that they’ve been compromised…kind of straggling in.”

Until organizations like Epsilon can move beyond speculation and into a state of awareness about what is actually happening on their networks and to their data and customer records, we all linger in a vague state of uncertainty and remain highly vulnerable to being compromised by one threat after another.

Dick Mackey, vice president of consulting at SystemExperts

“Breaches happen all the time. They are inevitable. What we’re witnessing is two things. First, companies have better security programs in place and are more aware of the breaches that occur. Second, companies are feeling more regulatory pressure to notify.

Perhaps most noteworthy is the disclosure itself. In the past, many breaches went unreported. With this breach we saw rapid reporting even though only email addresses and first names were compromised.

But when one company reports, the others feel pressure to do the same. This is a great example of why companies must have a mechanism in place – with their service providers – for protecting and notifying customers.

We are dealing with smarter, more coordinated hacking communities than ever before. In a way, the same social media mechanisms that are allowing rebels in countries around the world to communicate with each other are allowing these breaches to take place.”

By Byron Acohido