Silverpop attackers are finally beginning to monetize the customer data they stole last fall from the email marketing company. The spam campaign using email addresses stolen from Silverpop's database appears to be pushing the fake Adobe Reader update scam.
The first sign came March 27 when Play.com customers reported receiving spam with links pointing to a Website that claimed to have the latest update for Adobe Reader. Clicking on "Download Now" redirected them to a site asking for personal details and credit card information.
According to Cloudmark's Jamie Tomasello, spammers are continuing to wrap up their scams with a veneer of helpfulness, reminding users that they need to be running the most up-to-date versions of Adobe software to be safe. These email messages usually have subject lines such as, "Action required : Upgrade New Adobe Acrobat Reader For Your PC."
Email marketing firm Silverpop was one of the victims of an "industrywide cyber-attack," last fall, Stacy Kirk, a spokesperson from Silverpop, told eWEEK. The company had quickly stopped the attack and disclosed the breach in December. A number of clients, including McDonald's and American Honda, had their customer data stolen.
According to Cloudmark analysis, the current batch of scam spam is coming from Silverpop. It appears spammers are monetizing the stolen email addresses, about six months after the theft. This is particularly significant considering that Epsilon, one of the largest email marketing providers, announced its data breach on April 1. Epsilon is still investigating, but the list of affected clients includes major brands, including JPMorgan Chase, Citi, L.L. Bean, Disney Destinations and Marriott Rewards.
Affected consumers took to Twitter to compare notes on how many breach-notification notices they had received, signaling the magnitude of the breach.
If we take Silverpop as an example, we can probably expect to see the phishing and spam emails landing in our in-boxes from this theft in the fall.
The spam email messages seem legitimate since the URLs in the body of the message and the initial landing page contain the word "adobe" in the domain, Tomasello said. However, the redirect page is actually hosted on secureonlineweb.su. The campaign appears to be similar to the one MX Lab highlighted last September. Adobe even recently re-posted on Twitter the same November advisory about the scam to remind users.
Adobe announced several zero-day vulnerabilities in Adobe Flash Player, Reader and Acrobat on March 14, and patched them on March 21. An Excel spreadsheet with malicious Flash embedded inside has already been making the rounds, but there had been no other exploits taking advantage of the vulnerabilities, according to Adobe. Reader X neutralizes the attack, thanks to its sandboxing technology.
(It turns out that Excel spreadsheet exploit was RSA's downfall, as well.)
Need to get the latest Adobe Acrobat or Reader? Don't click on that link in the email helpfully reminding you to do so right away, or if you do, don't hand over your credit card numbers. Get the Adobe Reader for free from Adobe's official site.