News broke yesterday of epsilon.com being breached almost a week earlier. While none of us had really heard of them before that, they are reported to send out over 40 billion spam emails a year on behalf of over 2,500 clients. Threatpost has just published a list of known companies affected. It’s unknown how many companies are affected overall, as epsilon.com has not disclosed this, or any details of the breach beyond saying that it is being investigated. Customers have been notified by many of those organizations; for example, this email went out to Best Buy customers yesterday:
On March 31, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Best Buy customers were accessed without authorization.
We have been assured by Epsilon that the only information that may have been obtained was your email address and that the accessed files did not include any other information. A rigorous assessment by Epsilon determined that no other information is at risk. We are actively investigating to confirm this.
What I find most interesting is the claim that only your email address has been compromised. While this may seem rather innocuous on the surface, when you consider the scale of Best Buy’s customer base alone, it has the potential for a large phishing attack.
Worth noting is that I’ve also seen it reported now that not only email addresses, but also full names and reward-point balances have been disclosed. This is important for two reasons. First, it means the earlier claim that only email addresses had been compromised is not true. What is the penalty for an organization providing such false information? Nothing I’m aware of, which essentially gives organizations an incentive to falsify their disclosures; perhaps this should be changed legislatively.
Second, it increases the chances of a successful phishing attack, as you’d be more likely to trust someone who has such information. For example, suppose you got an email from “Best Buy” right now that used your name and email address and said, “We see you have 44,100 reward points. As a thank you for being such a valuable customer, we’d like to offer you:
- our new coupon software, which gets you an extra 10,000 reward points if you download it now! (really, it would be a virus/trojan)
- double reward points if you log in to our website in the next 24 hours to redeem them (it’s a fake login page that logs the password you enter)
- an all-expenses-paid week in the Caribbean for only $99! (the linked page asks for your credit card)
OK, you get the point. Many people could be vulnerable. How many? We have no idea. Everyone seems to be tight-lipped about the breach, so we’re all left speculating.
What can you do?
- Don’t trust an email just because it looks like it comes from an organization you trust. It’s easy to fake (spoof) the sender so an email appears to come from someone else.
- Don’t click links in emails without first hovering over the link with your mouse to see the URL it really points to.
- Don’t ever trust a link with @ in it. For example, http://bestbuy:abebooks@privasectech.com may look sort of official, but it really means log in to privasectech.com with username bestbuy and password abebooks. The same goes for hostnames like bestbuy.privasectech.com or abebooks.amazon.privasectech.com: only the last part of the hostname determines where you end up, so just because a trusted name appears in the URL does not mean it goes there. All of these links would really send you to privasectech.com.
- Don’t ever give personal information over the telephone to someone who calls you. Caller ID is now easy to spoof as well; I could call you from Best Buy’s telephone number, for example. So even if someone calls you from what looks like a trusted phone number and knows your name, email address and reward points, or any other personal information, that doesn’t mean they are who they say they are. Tell them you will call them back, then look up their phone number from a trusted source and call that number.
- Tell your friends and family, so they don’t become a victim.
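The two link tricks described above (credentials hidden before an @, and a trusted name buried inside a lookalike hostname) can be checked mechanically. The following is an added example, not code from the original post; it assumes a small constructed allow-list of domains the reader actually trusts and resolves each link to the host a browser would really connect to.

```python
"""Resolve links to their real destination and check them against an allow-list.

Added example (not from the original post). TRUSTED_DOMAINS is a constructed
sample allow-list; in practice a reader would keep their own.
"""
from urllib.parse import urlsplit

# Constructed allow-list: domains a Best Buy customer would expect links from.
TRUSTED_DOMAINS = {"bestbuy.com", "amazon.com", "abebooks.com"}


def _split(url: str):
    # Links in email often omit the scheme; assume http so the authority parses.
    return urlsplit(url if "://" in url else "http://" + url)


def real_host(url: str) -> str:
    """Return the host a browser would actually connect to, lower-cased.

    Anything before '@' in the authority is credentials, not the destination,
    so 'http://bestbuy:abebooks@privasectech.com' goes to privasectech.com.
    """
    host = _split(url).hostname or ""
    return host.rstrip(".").lower()


def has_credentials(url: str) -> bool:
    """True when the authority carries user[:password]@, a classic lure."""
    return _split(url).username is not None


def is_trusted(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if the real host is a trusted domain or a subdomain of one.

    Matching is on label boundaries: the trusted name must be the *suffix* of
    the host, so 'bestbuy.privasectech.com' and 'abebooks.amazon.privasectech.com'
    fail even though a trusted name appears inside them. Any URL carrying
    credentials is rejected outright.
    """
    host = real_host(url)
    if not host or has_credentials(url):
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify(url: str) -> str:
    """One-line verdict for a link, naming the host it really goes to."""
    host = real_host(url)
    if has_credentials(url):
        return f"SUSPICIOUS: credentials in URL; really goes to {host}"
    if is_trusted(url):
        return f"ok: {host}"
    return f"SUSPICIOUS: lookalike host {host}"
```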