How Phishers Will Use Epsilon Data Against You

By B.K. DeLong

There has been a lot of online venting and hand-wringing in the week since customers of email services provider Epsilon began informing millions of individuals in North America and Europe that their name and e-mail address had been stolen in a massive data breach. In the week since the breach, there have been emphatic warnings about the potential for phishing attacks against the customers of Epsilon clients like Citi, Marriott, MoneyGram and Dell. But does the theft of names and e-mail addresses constitute a major breach of personal privacy that consumers should be concerned about? I believe it does.

One useful thought-exercise is to imagine the criminals who make it their goal to learn information about people and exploit it to their advantage. Then, look at those who broke into the databases of one of the largest email marketing firms in the country to take as many customer data sets as possible and posit what they are going to do with what they have acquired. Why just sell the lists? That’s easy money. Email addresses can give them the information they need to perform some highly-targeted spear-phishing schemes.

It’s a common mistake to think that email is not considered PII – or “personally identifiable information.”

A few days ago, Brian Martin of the Open Security Foundation noted that because the Epsilon breach involved ‘just e-mail addresses,’ people don’t seem to care about the details of the incident the way they do for RSA or a breach involving more sensitive kinds of PII.
But David Stampley, a partner at KamberLaw, LLC, has observed that email has indeed been incorporated into the category of PII, with court and FTC rulings going back almost a decade as proof.

Changes in the way we interact online make knowledge of your e-mail address more valuable than ever. Like many of you, I’ve spent the last 13 years building a professional network. And, like you, these days I rely on that network for all kinds of things: expanding my professional connections, tapping subject experts and, of course, helping friends and acquaintances get their resumes on the desks of hiring managers. One thing I’ve discovered in the process is that you can find out quite a lot about a person from “just” their email address.

What might the criminals who broke into Epsilon do with the email lists they have?

The easiest thing to do is to sell these data sets on the black market or, potentially, to competitors of the victim firms. According to the latest data from databreaches.net, the total is up to 57 affected Epsilon customers, including credit card providers with branded cards – Visa (notices sent for at least 3 cards), the World Financial Network National Bank (12 cards) and Citi (3 cards). The criminals may make some money there and re-invest it into technology or services for other efforts.

Second easiest? The Epsilon hackers might use the lists of addresses they stole for traditional, blind phishing schemes. The sheer volume of the Epsilon breach means that the amount of information that could be gathered just based on a massive phishing scheme could translate into substantial returns.

But what about the tech-savvy and phishing-aware consumers? The criminals don’t need to come to you – and if they do, they will be very smart and targeted about it. They will do their homework.

Email addresses are often in predictable formats these days (especially work addresses) – usually enough to give away a first and last name, or a first initial and last name, plus a domain. In many cases that is all that is needed to determine who a person is and possibly where they live or where they work. The domain gives away either the target’s personal email ISP (a possible regional location) or, worse, the company the target works for.

The next step would be to take a methodical approach to determine the most high-value targets – compare the domain part of the email against companies in the Fortune 500 and their executives.

With that smaller list, a good social engineer can use Google to hit up a number of sites on the Web, from professional networking sites like LinkedIn (Linkedin.com) to professional information aggregators like MyLife.com, Pipl.com, and PeekYou.com, to gather details on an individual.

Then comes social engineering: the criminals might call up a company office or headquarters and ask to be connected to their target. If they are transferred, they now have a confirmed, viable target to begin plotting a carefully-planned spear-phishing scheme. If the target is no longer there, they simply move onto the next name on the list.

If they score a hit, e-mail messages sent to the target claiming to be from friends or business acquaintances can put key loggers, Trojan horse programs or other malware on their work computer. Alternatively, a home address might yield personal computers protected by less robust broadband or home wi-fi routers.

Once an attacker has gained a foothold on one or more systems used by their mark, they can begin harvesting credentials. Average consumers reuse the same username/password combination across multiple sites so frequently that a single harvested credential could give access to the victim’s other accounts, including those on high-profile social networks.

With millions of consumers swept up in the Epsilon breach, including many of you readers, the question is: ‘What can I do?’ Here are my suggestions:

  • Be vigilant, aware and watchful of someone trying to use information you may not realize is out there to take advantage of your role within your company.
  • Also consider changing your account passwords on any service that utilizes your email address as a login credential when you learn your email has been compromised.
  • Remember – security awareness thwarts social engineering.
  • Consider reporting suspected phishing emails – Gmail and other services let you automatically report phishing attempts and according to the databreaches.net post, you can report to the Secret Service by emailing phishing-report@us.cert.gov or the Federal Internet Crime Complaint Center (IC3) as well.

B.K. DeLong is an independent security analyst based in Boston.

Discussion

  • Anonymous on

    This seems like fear mongering. The article makes a quick leap from:

    "a good social engineer" determining my first and last name associated with my e-mail address (which is already all over the internet anyway - no Epsilon security breach necessary)...

    To:

    putting "key loggers, Trojan horse programs or other malware" on my work computer.

    It's like Phase 1: Collect Underpants. Phase 2: ? Phase 3: Profit.

  • Anonymous on

    I'm looking for details that show a few things: 1. more than a name and email address was stolen. Which database fields were in the same container? 2. Example of it being used in the wild. Examples 1 and 2 do not exist. Any script kiddie can parse more real email addresses, names, products mentioned, friend connections etc. out of a few hours' work on Facebook than these numbskulls got out of Epsilon. The meat of the story is that a mega corporation broke our trust. Not that someone walked away with common knowledge. Now if you can prove point 1 or 2 you have something to get excited about. Right now your article makes no point past someone shouting EEEEK ALIENS!

  • Anonymous on

    I found a very interesting product, I believe it will solve the phishing problem that is presented here, it's called Comitari Web Protection Suite (http://www.comitari.com/) - and it's the only solution of its kind in the market today, does not rely on blacklists but rather uses patent-pending algorithms that cover 0-day phishing and identity theft attempts as soon as the page is loaded.

    Thing I liked most is that zero configuration is needed, it just works out of the box.

  • B.K. DeLong on

    I think my thoughts got lost a little bit in the translation to the blog post through editing iterations with regard to explaining spear-phishing (or what happens when you stare at a paragraph for too long).

    The point I was trying to get across (more with people who used corporate email addresses than personal ones) is that once you have the ability to determine first & last name as well as place of work, you can learn a lot about a person's role as well as who & what they work with these days at their company. Just look at anyone's LinkedIn profile, contacts, and similarly-titled roles within that company.

    With that bit of intelligence you can carefully craft a spear-phishing attack (be it via email from one of those known colleagues and/or combined with phone-based social engineering) to get them to click on something like an infected PDF or Office document containing the code needed to place a key logger, Trojan or a small piece of code to enable you to grab the specific piece of intel you want. With the sheer volume of email addresses compromised in this breach, there are certainly some high-value targets out there.

    It might be pie-in-the-sky or speculation but then - how was RSA SecurID compromised?

    But you're right - as presently written, it does not convey my intent that only well-developed spear-phishing attacks would succeed in this case. Not your average email-with-an-attachment sent from a spoofed address. I hope this makes more sense?

  • Russ Cooper (NTBugtraq) on

    After reading your clarification...all of what you describe as possible is possible without Epsilon data, and having Epsilon data makes none of what you speculate any easier. Bottom line, your point is moot.

    Spear-phishing is an attempt to hook a single entity, with an exploit that would not be enticing to any other entity...if you think knowing my name or email makes that possible, think again. Spear-phishing is ridiculously rare, and typically only possible by actually compromising my associate's email account and sending me your social engineering from that valid address. Nothing in the reports of this breach come close to suggesting this will be possible.

  • Anonymous on

    Well, the more accurate information you have, the more realistic the phishing is. If I have your name and corporate e-mail, I can try and target you for an attack... As B. K. says, just some googling and finding your colleagues on LinkedIn would create the illusion... Finally, it depends on you if I am successful or not.

    If not, ask the people at RSA... It's not that rare.
