Over the past few months, many high-profile companies have had their customer details compromised by attackers, targeting the third-party marketing firms that hold email addresses and many other personal details.
Perhaps the most notable attack was that on Epsilon, the world’s largest permission-based email marketer. Playing host to customer details of hundreds of companies including Kroger, TiVo, US Bank, JPMorgan Chase, Capital One, Citi, Home Shopping Network, Ameriprise Financial, LL Bean Visa Card and many more, people present on the marketing lists for these companies suddenly found themselves receiving warning emails informing them that their details might have been compromised.
In a large percentage of attacks, which are specifically aimed at gathering passwords and other sensitive information, only email addresses and other personally identifiable information was stolen. This could potentially lead to an increase in e-mail spam and phishing attacks, but because the attackers know the person by their name and also perhaps knowing where they live, these attacks can be a lot more relatable and persuasive.
Reasons for the attacks are unknown, it has been difficult to apprehend the perpetrators of such attacks, making it hard to be definitive about the motivations and methods used but it is thought that many email service providers who have fallen victim were specifically targeted over time.
Graham Cluley, senior technology consultant at Sophos, speaking with us about these breaches, says that many attacks start by targeting particular employees inside these companies, with hackers “attempting to trick users into running malicious code on their computers – giving hackers the ability to spy on their activities and steal passwords”.
The Epsilon’s case, access to marketing lists were forced by an SQL injection attack, bypassing security checks and granting access to a full list of database rows and tables, requiring significant technical expertise. The lists themselves are essentially clean, perfect for attackers as a full record of a brand’s mailing list is a lot more valuable than a typical spammers’ list.
It is not known whether attackers are hired to penetrate the security of companies like Epsilon, mainly due to the fact that it is notoriously difficult to catch the people who have illegally accessed marketing databases. Clean email lists will be a lot more lucrative to an attacker who wishes to sell, because they contain details that identify the target which makes it easier to craft personal avenues of attack.
Playing The Long Game
The problem with losing your email address at any time is knowing when you are going to subjected to a spam or phishing attack. Customers of Roger, TiVo, US Bank, JPMorgan Chase, Capital One and Citi will all have been alerted that their details were stolen and will immediately look to secure their accounts and prepare for an incoming wave of highly-targeted email attacks.
But they won’t come – at least to start with.
Cluley believes that attackers would opt to wait before abusing said email addresses:
It’s worth bearing in mind that these email lists, now in the hands of the criminal underground, could be abused at anytime. Users may be on their guard right now about receiving a bogus email from a particular brand – but it could also arrive in 12 months time when the story of this security breach is long forgotten by the typical man in the street.
In fact, for this reason, it might make a lot of sense for the spammers to wait before abusing the information.
The fact of the matter is, most of the affected will not seek to change email addresses if they found out that it had been stolen, instead choosing to change passwords, amend security questions and be more selective over the emails they process.
As Cluley states, it won’t be long until the average user forgets about the breach. Many of the affected will not be terribly competent with computers, let alone be aware of how such an attack would put them at risk, making it very probable that the attackers would wait before deciding to abuse the email addresses they possess.
How Much Are Email Addresses Worth?
Because we don’t know what the motivations of the attackers are, it isn’t known what will actually happen to these email addresses. One option is that they could be used for phishing attacks directly, the other is that data could be sold on to others.
There are underground communities where databases of email addresses can be bought and sold, normally the same places that credit card numbers and passwords are traded. Email addresses will have far less value than a credit card number or a password, making it almost a relief that more sensitive information isn’t stolen in attacks such as these.
We asked Cluley how much he felt a database of email addresses could fetch if offered for sale on underground community, but with the lack of information on how many email addresses were lost in the Epsilon hacks, he said it would be very hard to estimate.
What Should Users Do To Protect Themselves?
It’s very easy to tell someone “do not open email that you don’t trust”, but many users will be oblivious to which emails are worthy of their trust.
One measure would be to change email addresses, sign up for a new account with a reputable host like Google, which is well known for its powerful spam filters and abilities to identify possible phishing attacks. In most cases, the email address stolen will also be an account that has been in use for a long period of time but also an address that friends and family will have an intimate knowledge of, making it difficult to completely drop for a new one.
If this is the case, they will need to be more vigilant about phishing attacks.
Whether the email address was stolen or not, it is advisable to always avoid email attachments from people that the recipient is not familiar with and never reply to emails that ask the user to verify a secure password, enter a credit card number or part with any form of sensitive information.
Major corporations will never ask you to enter such information but it there is a overriding feeling that the email is genuine, a user should always navigate to the company’s website directly, never following links within the email. Links within an email will almost certainly be specially-crafted phishing links that will mimic the look and feel of a corporate site to get users to part with their details.
The trouble with email address theft is that most of the time the user will not be at fault. With the Epsilon breach, users found their email addresses and full names compromised without their knowledge and would not have been aware of such happenings if Epsilon and the companies using the marketing firm hadn’t notified their customers.
Gaining access to large numbers of email addresses might not be as lucrative for attackers as a credit card number but when users are directly identifiable, the information the attackers have obtain from database breaches could possibly result in a lot more data being compromised if the attacker is successful with a targeted phishing scam.
Hackers have time to decide what they wish to do with email addresses, there is no set pattern to how attacks are directed. These highly technical individuals are trained to sniff out the smallest weakness in the most secure systems, meaning we can expect the Epsilon breach to be just one compromise in a long line of compromises, at least until the authorities can identify the people behind them and bring them to justice.