Security experts warned users to be on the watch for targeted email attacks after a breach at a major marketing firm that may have put millions of addresses in the hands of hackers and scammers.
The addresses will also be invaluable to attackers playing in the high-stakes game of hacking major corporations like the one that RSA Security disclosed last month, a researcher added.
Last week, Irving, Texas-based Epsilon admitted that names and email addresses of a “subset of Epsilon clients” were accessed by hackers. Epsilon, which sent 6.5 billion messages in 2009, runs e-mail marketing and customer loyalty campaigns for some of the country’s biggest banks, credit card companies and retailers, including American Express, Best Buy, Citibank, Capital One, Kroger, Visa and U.S. Bank.
Those companies and others have acknowledged the Epsilon hack, and warned their customers to be wary of spam, according to a list compiled by security blogger Brian Krebs.
Get Macworld’s tips on avoiding e-mail scams
Experts said Monday that scammers will probably put the e-mail addresses to work in targeted attacks, often dubbed “spear phishing,” that try to dupe users into divulging their log-on credentials.
Spear phishing is most commonly used by identity thieves hoping to obtain access to consumers’ and businesses’ bank or credit card accounts, although the term is also used to describe any attack aimed at specific individuals rather than relying on huge volumes of messages.
“It will be no surprise if the addresses are used for targeted attacks, whether spear phishing or to deliver malicious links to users,” said Graham Cluley, a senior technology consultant with U.K.-based security company Sophos.
Recipients unaware of the Epsilon hack will be more likely to click on such links or open malware-infected attachments because the incoming messages are from a company with which they have an established relationship, said Cluley.
HD Moore, the chief security officer at Rapid7, echoed Cluley. “People already expect to get messages from these companies,” Moore said.
Cluley thought that the danger might be greater in the future, after the news of the Epsilon breach has quieted. “This is in the news now, but the email addresses could be exploited in 6 or 12 months, long after most people have forgotten about the incident,” said Cluley.
But Moore and Marcus Carey, Rapid7’s community manager, disagreed.
“I think this list will have a long shelf-life,” said Carey today, noting the difficulty most users have in abandoning their primary email address. “This is a really, really good list [and attackers] can use them now and for quite some time.”
The new owners of the addresses will be able to sell and resell them again and again, Moore argued.
One sale, said Moore and Carey, would be to hackers hoping to break into the network of a large company, or a government agency. For example, the database could easily be mined for very specific addresses, those belonging to employees at certain companies, workers at government agencies or military personnel.
“They could go after Cisco or RSA employees whose addresses were used to contact the banks and brands,” said Carey. “There will be lots of corporate and .gov and .mil addresses in the database, and someone will target those.”
The March hack of RSA Security’s network began with just such a targeted attack, the company confirmed last week. According to RSA, hackers gained access to its corporate network and lifted information about its SecurID two-factor authentication products after sending messages to a small number of employees.
One of those workers opened a malicious Excel attachment that contained an exploit of a then-unpatched vulnerability in Adobe Flash, giving the attackers the foothold they needed.
“This list will save [attackers] a lot of the leg work they usually have to do to target individuals,” said Moore. “It eliminates the first burden of [hacker] research.”
Cluley, Moore and Carey had little advice other than to refrain from clicking on links embedded in email messages.
“The model is pretty much broken,” said Moore. “You now have to treat every message from these companies as suspect.”