Spear Phishing on the Rise Following the Epsilon Breach

by Christopher on May 3, 2011

On March 30, 2011, the databases of the marketing firm Epsilon were successfully hacked by cybercriminals. The company handles email campaigns for many of the world’s largest corporations. In the breach, hackers got their hands on the full names and email addresses of basically the entire roster of customers and clients of more than 100 companies.

While Epsilon claims this is the extent of information compromised, some of its clients are cautioning customers that more information may have been obtained in the breach. For example, pharmaceutical manufacturer GlaxoSmithKline informed their customers that the hackers likely obtained purchasing records associated with their accounts.

It was only one week after the Epsilon breach that the Better Business Bureau reported the first spear phishing attempt using this stolen information.

The personal information obtained in the Epsilon breach is just the sort spammers and scammers rely on for targeted phishing ploys. By using the recipient’s full name and mimicking communication from a company with whom the recipient does in fact do business, cybercriminals add an air of legitimacy to their spam messages. These spear phishing ploys often attempt to bring the recipient to a dummy website to enter sensitive information, such as passwords or credit card numbers. Often the emails state that an account or profile must be updated to be preserved.

Extra caution is now required when dealing with email from companies you do business with. If your personal information may have been compromised in the Epsilon breach, the affected company should have notified you. If necessary, check with your bank, credit card company, phone service provider, and other companies with whom you have an online account to see if they were affected by the breach.

Never click on links in the body of an email, but always go to a company’s website by entering its address in the URL bar on your browser. If you would like to visit Epsilon’s website for more information, go directly to epsilon.com, the firm’s only website. Fraudulent Epsilon sites have already been discovered.

If you receive a spear phishing email, forward it to the U.S. Department of Homeland Security’s Computer Emergency Readiness Team at [email protected]. Also, many company websites list an email address for forwarding phishing messages that illicitly use their name.

For added online safety, set up “plus addresses” when registering with a company website. Most email providers allow you to create additional email addresses tied directly to your main address. So, if your email address is [email protected] and you’re creating an online account with company XYZ, most email providers will let you register with something like [email protected].

Email sent to you from XYZ goes to a designated folder in your primary email account. If you receive any email messages from the company that don’t go to this folder, you know they’re fake. If you get messages other than those you specifically requested from the company, you can be reasonably sure the company has been compromised or it isn’t respecting your preferences or privacy.
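As an added example, not code from the original post, here is a small Python filter that applies the check the last two paragraphs describe: each constructed sample message is classified by whether it arrived at the plus address registered for the company it appears to come from. The base address, tag names, company domains and sample messages are all hypothetical.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical setup: the plus tag handed to each company, the company name as
# it appears in mail, and the domain that company legitimately sends from.
BASE = "name@example.com"
REGISTERED = {
    "xyz":  {"name": "xyz",  "domain": "xyz.example"},
    "bank": {"name": "bank", "domain": "bank.example"},
}

# Constructed sample messages, not real mail.
SAMPLES = {
    "genuine": "From: XYZ Rewards <news@xyz.example>\nTo: name+xyz@example.com\nSubject: Statement\n\nHi\n",
    "spoof":   "From: XYZ Support <alerts@xyz-verify.example>\nTo: name@example.com\nSubject: Update your profile\n\nClick\n",
    "leak":    "From: Deals <promo@deals.example>\nTo: name+bank@example.com\nSubject: Offer\n\nBuy\n",
    "other":   "From: Friend <pal@friend.example>\nTo: name@example.com\nSubject: Lunch\n\nTomorrow?\n",
}

def split_plus(addr):
    """Split 'name+tag@dom' into ('name@dom', 'tag'); tag is '' when absent."""
    local, _, domain = addr.lower().partition("@")
    base, _, tag = local.partition("+")
    return f"{base}@{domain}", tag

def classify(raw):
    """Return one of: expected, alias-misuse, bypassed-alias, unrelated."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    _, recipient = parseaddr(msg.get("To", ""))
    base, tag = split_plus(recipient)
    if tag in REGISTERED:
        # Delivered to the alias given only to this company, so the sender
        # must be that company; anyone else holding the alias is a leak.
        return "expected" if sender_domain == REGISTERED[tag]["domain"] else "alias-misuse"
    # Delivered to the bare address: a registered company would have used
    # the alias, so mail presenting itself as one of those companies is suspect.
    text = f"{display} {sender_domain}".lower()
    if any(c["name"] in text or sender_domain == c["domain"] for c in REGISTERED.values()):
        return "bypassed-alias"
    return "unrelated"

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:8s} -> {classify(raw)}")
```

The "bypassed-alias" result is the case the text calls out: a message claiming to be from XYZ that did not arrive at the XYZ plus address, while "alias-misuse" is the case where the company-specific address is being used by someone other than that company.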

Posted in: Phishing