Epsilon Data Breach Paves Way for Phishing, Security Pros Warn


As the list of companies affected by the Epsilon e-mail breach continues to grow, security professionals are warning that the public should expect to see an onslaught of targeted phishing attacks.

Epsilon, which is owned by Alliance Data and offers marketing services for more than 2,500 companies, warned its customers April 1 that on March 30, an attack on the company’s e-mail system had been detected. According to Epsilon, the attack exposed e-mail addresses and/or customer names for roughly two percent of the firm’s clients. In light of the disclosure, dozens of companies that do business with Epsilon have issued warnings of their own, including Best Buy, Walgreens and Marriott International.

But while the attack may not have yielded sensitive information such as social security numbers or credit cards, the e-mail addresses could be gold for spammers and others looking to target users, security pros told CRN.

“The Epsilon breach exposes millions of consumer names and e-mail addresses, potentially associated with particular household brands that these consumers do business with,” blogged Joris Evers, director of worldwide public relations for McAfee. “This collection could be a treasure trove for cyber-attackers who could use the information to con unsuspecting individuals out of more valuable information such as credit card numbers and home addresses. For example, an attacker could craft email messages that look like they come from a trusted brand such as Best Buy or Walgreens and target individuals that are known to be customers of those businesses.

“An e-mail message could, for example, ask an individual to confirm a recent order or to reconfirm payment,” he continued. “These kinds of tactics, called phishing and spear phishing, are known to be effective cyber-attacks and are amongst the top complaints received by the FTC and FBI.”

According to Symantec’s March State of Spam and Phishing report, overall phishing increased by 38.56 percent in February. In addition, phishing Web sites created by automated toolkits increased by about 50.33 percent.

“This breach of email addresses and names will enable criminals to create highly targeted spear phishing emails to steal usernames and passwords, or to distribute banking malware,” said Dave Jevans, chairman of IronKey, whose company announced its new Trusted Access Elite Channel Program Monday to protect online banking customers from phishing e-mails and malware.

Due to the nature of how e-mail works, it is not possible for everyday users to distinguish between e-mail sent by their institution and e-mail sent by hackers, explained Amol Sarwate, vulnerabilities research lab manager at Qualys. End users should question whether or not the sender normally contacts them by e-mail and whether or not the institution typically asks them for personal information, such as social security numbers and credit cards, the researcher added.

“Users should not trust e-mails even if they have official logos or when the color scheme and other look-and-feel elements look exactly like their institution,” said Sarwate. “It is very easy to use these human elements and trick the brain to the impulse of clicking. After all it just takes one click for a compromise.”
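The pattern the security pros describe above, a message that borrows a trusted brand's name and asks the recipient to confirm an order or reconfirm payment while its sender address and links point somewhere other than that brand's domain, is the kind of thing a mail gateway or help desk can triage mechanically. The following Python script is an added example written for this page; it is not code from CRN, Epsilon, Qualys or any vendor quoted here. The brand-to-domain table, the lure phrase list and both sample messages are constructed for the example (the lookalike domain uses the reserved `.example` TLD).

```python
"""
Added example (not from the article): flag e-mail that impersonates a known
brand.  It checks three indicators drawn from the article's description of the
expected phishing wave: a display name that claims a brand whose real sending
domain does not match the From address, links whose host is not that brand's
domain, and lure text asking to confirm an order or reconfirm payment.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed mapping of brand names (as they appear in display names) to the
# domain the brand actually sends from.  Constructed for this example.
KNOWN_BRANDS = {
    "best buy": "bestbuy.com",
    "walgreens": "walgreens.com",
}

# Lure phrases matching the tactics the article quotes (confirm a recent
# order, reconfirm payment) plus generic credential requests.  Constructed.
LURE_PATTERNS = [
    r"confirm (your )?(recent )?order",
    r"re-?confirm (your )?payment",
    r"(verify|confirm|update) (your )?(account|password|credit card)",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable(host):
    """Crude 'last two labels' reduction: mail.bestbuy.com -> bestbuy.com."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw_message):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registrable(address.split("@")[-1]) if "@" in address else ""
    findings = []

    # 1. Display name claims a known brand, but the From domain is not that brand's.
    claimed = next((b for b in KNOWN_BRANDS if b in display_name.lower()), None)
    if claimed and sender_domain != KNOWN_BRANDS[claimed]:
        findings.append(
            f"display name claims '{claimed}' but From domain is {sender_domain or 'missing'}"
        )

    # Collect the text of every text/plain or text/html part.
    text = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            text += payload.decode(part.get_content_charset() or "utf-8", "replace") + "\n"

    # 2. Links that leave the domain the message claims to come from.
    expected = KNOWN_BRANDS.get(claimed, sender_domain)
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if registrable(host) != expected:
            findings.append(f"link to {host} does not match expected domain {expected}")

    # 3. Lure language in subject or body (one finding is enough to flag it).
    lowered = (msg.get("Subject", "") + "\n" + text).lower()
    for pattern in LURE_PATTERNS:
        if re.search(pattern, lowered):
            findings.append(f"lure phrase matched: /{pattern}/")
            break
    return findings


# Constructed sample messages; neither is a real artefact of the breach.
SUSPECT = """From: "Best Buy Customer Care" <orders@bestbuy-rewards-center.example>
To: customer@example.net
Subject: Please confirm your recent order

Your order could not be processed. Please reconfirm your payment here:
https://bestbuy-rewards-center.example/verify
"""

LEGIT = """From: "Best Buy" <noreply@emailinfo.bestbuy.com>
To: customer@example.net
Subject: This week's deals

Browse this week's offers at https://www.bestbuy.com/deals
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(label, triage(raw))
```

Run as a script it prints three findings for the constructed lookalike and none for the constructed legitimate message. The brand table is the part that matters in practice: it must be maintained from the brands a mail stream actually receives, and a domain reduction as crude as `registrable` will mis-handle multi-label public suffixes, so a production filter would use a public-suffix list instead.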