Epsilon Break-In... What's the Lowdown?

Kevin R. Smith

By now you've probably gotten notice, as I have, from at least one bank, credit card company, or financial institution that Epsilon, the company they use to send email messages to you, had a network breach.

Looking at even a short list of affected firms, Epsilon, a company most consumers have never heard of, appears to have (or to have had) a sizable portion of top banks in the U.S. amongst its client base.

But, it wasn't just banks that were hit.

It's just about every type of business imaginable, and chances are very, very, very high you've dealt with at least one of these companies. (Major hat tip to Brian Krebs of Krebs on Security, who has been doing a stellar job keeping atop the growing list of companies affected by the Epsilon break-in as more are added.)

Companies Affected by the Epsilon Break-In (So Far)
  • 1800-Flowers
  • Abe Books
  • Air Miles CA
  • Ameriprise Financial
  • Barclays Bank of Delaware
  • Beachbody
  • Bebe Stores Inc.
  • Benefit Cosmetics
  • BestBuy
  • Brookstone
  • Capital One
  • Charter Communications (Charter.com)
  • Chase
  • Citibank
  • City Market
  • The College Board
  • Crucial.com
  • Dell Australia
  • Dillons
  • Disney Vacations
  • Eurosport/Soccer.com
  • Eddie Bauer
  • Food 4 Less
  • Fred Meyer
  • Fry’s
  • Hilton Honors
  • The Home Shopping Network
  • Jay C
  • JP Morgan Chase
  • King Soopers
  • Kroger
  • LL Bean
  • Marks & Spencer (UK)
  • Marriott Rewards
  • McKinsey Quarterly
  • Moneygram
  • New York & Co.
  • QFC
  • Ralphs
  • Red Roof Inns Inc.
  • Ritz Carlton
  • Robert Half
  • Smith Brands
  • Target
  • TD Ameritrade
  • TiVo
  • US Bank
  • Verizon
  • Viking River Cruises
  • Walgreens
  • World Financial Network National Bank

Alright, so what's the big deal?

Well, for starters, it means spear-phishing risk for Y-O-U if you've ever had dealings with any of these firms.

While it's not yet perfectly clear what personal information was stolen from Epsilon, it's definitely clear that names and email addresses were. What also isn't clear is whether the list of companies with whom you have relationships was stolen as well.

And, that's where a part of this becomes especially tricky.

If the spammers know you're a Target customer, for instance, and they know your name, and of course your email address, they can send you an email that looks exactly like a legitimate email from Target.

(N.B. We use Target only for illustrative purposes in this piece, not for any other reason. You can replace "Target" with the name of any of the other companies above with whom you've personally done business.)

Now imagine an email sent to your-name@example.com, addressed to YOU by name in the body, and looking and sounding like it's coming from Target.

Imagine something like the following:

Subject: Get a $100 Target gift card... on us!
From: Target Stores <survey-rewards@target.com>
Date: April 7, 2011
To: Nicole Campbell <ncampbell@example.com>

Hi Nicole,

Thanks again for your recent Target purchase!

We're writing from the customer satisfaction division with a brief survey of your online or in-store shopping experience.

As a way of saying, "Thank you!" all survey participants will receive a free $100 gift card from Target for use anytime.

Click here to get started.

Thanks again,
Your friends at Target and Target.com

And, here's where the scam is just unfolding.

Kroger, for instance, recently saw its customers lured by spam apparently stemming from the Epsilon breach.

Quoting Krebs from his piece: "In most cases, the spam sent to customers of these companies pushed recipients to buy dodgy services and software."

In at least one attempt email recipients were pushed to buy Adobe Reader, which is free software.

Why? How are they making money if the software is free?

There's the catch: in most cases like these, you're not really buying anything, and here's what has happened:

You've just given the spammers/cyberthieves your credit card number and "permission" to charge your card. If you're lucky, they only charge your card for as much as you've given them permission to. If you're really lucky, they don't give you a virus or spyware to download instead of the real software.

Whatever the case, you may be facing a hefty credit card bill and some serious phone calls and letters to your credit card company to get them to absolve you of the charges.

Now, back to our Target example.

There are countless ways the spammers could spin things to get you to (a) give them your credit card number and/or (b) download a virus or spyware:

  1. You need our special free "survey software"
  2. Your browser needs a special free plug-in to take the survey
  3. You need to upgrade your Adobe Reader for $10 to take the survey to get the $100 gift card

The list could go on-and-on.

So here are the take home messages from the Epsilon break-in:

  1. Use your head when it comes to messages emailed to you.
  2. Just because something is addressed to you and addresses you by your name doesn't make it legit.
  3. Does the email have "free" offers or ways to earn gifts or money for very little work?
  4. Were you expecting to receive the message? (If you just signed up to get coupons, and a coupon email comes five minutes later, it's probably safe.)
  5. How are the grammar and spelling in it? Commonly the bad guys are overseas, their English is often imperfect, and other conventions are often different from ours. For example, you'll commonly see a price in a scam email written as 35$ instead of $35, as is the convention here in the U.S.
  6. Are they asking you to "verify" anything? Let me tell you something: companies don't need you to verify anything. Ever. You got their email, so they know who you are. An email asking for verification is almost certainly a scam.

These are just a few things to be on the lookout for. Most important of all, especially given the number of banks and credit card companies involved: never, ever, EVER put your social security number into a link that you clicked on in an email.

I cannot even once think of a legitimate bank or credit card email requiring this.
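The checklist above can be turned into simple mail-filter rules. The script below is an added example, not part of the original post or of any vendor's product: it parses a constructed message modelled on the Target survey scam above (all domains are .example placeholders) and flags the "free" offer, the "verify" request, the 10$ price format, any request for a social security number, and, as one extra check beyond the checklist, links that point somewhere other than the sender's own domain.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Constructed sample modelled on the survey-scam email shown earlier (not a real
# message); every domain is a .example placeholder.
SCAM = (
    "From: Target Stores <survey-rewards@target-rewards.example>\n"
    "To: Nicole Campbell <ncampbell@example.com>\n"
    "Subject: Get a $100 Target gift card... on us!\n"
    "Content-Type: text/html\n\n"
    "<p>Hi Nicole,</p><p>Thanks again for your recent Target purchase! Please verify\n"
    "your account to receive a free $100 gift card. The survey plug-in is only 10$.</p>\n"
    '<p><a href="http://target.com.survey-login.example/start">Click here</a></p>\n'
)
# Constructed benign message: a coupon mailing the recipient just signed up for.
BENIGN = (
    "From: Coupons <coupons@example.com>\nTo: Nicole Campbell <ncampbell@example.com>\n"
    "Subject: Your weekly coupons\nContent-Type: text/html\n\n"
    "<p>Hi Nicole, this week's coupons are ready.</p>\n"
    '<p><a href="https://www.example.com/coupons">View coupons</a></p>\n'
)

# One rule per red flag from the checklist; being addressed by name is deliberately
# NOT treated as a trust signal, because the breach exposed names and addresses.
RULES = [
    ("free-offer", re.compile(r"\bfree\b[^.]{0,60}\b(gift|card|reward|prize)\b", re.I)),
    ("verify-request", re.compile(r"\b(verify|confirm|validate)\b", re.I)),
    ("trailing-dollar", re.compile(r"\b\d+\$")),  # "10$" rather than the U.S. "$10"
    ("ssn-request", re.compile(r"social security|\bSSN\b", re.I)),
]


def registrable(host):
    """Crude registrable-domain guess (last two labels); enough for this demo."""
    return ".".join(host.lower().split(".")[-2:])


def check_message(raw):
    """Return the red flags found in a raw RFC 822 message and a verdict."""
    msg = message_from_string(raw, policy=default)
    text = f"{msg['Subject']}\n{msg.get_content()}"
    findings = [label for label, pat in RULES if pat.search(text)]
    sender = registrable(msg["From"].addresses[0].domain)
    # Extra check beyond the checklist: does every link point where the sender claims?
    for href in re.findall(r'href="([^"]+)"', text):
        if registrable(urlparse(href).hostname or "") != sender:
            findings.append("link-domain-mismatch")
            break
    return {"findings": findings, "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    for name, raw in (("scam", SCAM), ("benign", BENIGN)):
        print(name, check_message(raw))
```

The two-label domain guess is deliberately naive (it mishandles suffixes like co.uk); a real filter would use a public-suffix list.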

And lastly, lest it go unsaid, use an Internet security suite. The best ones include good anti-phishing and malicious website filters.

While nothing is perfect, between the filters built into today's top web browsers and top Internet security software, you can offset the threat posed by scammers, the emails they send, and the sneaky websites they set up.

