While the Epsilon data breach differs from other recent breaches in that there are no credit card numbers, social security numbers or corporate secrets, the threat of phishing attacks is all too real.
experts warned that users needed to be extremely vigilant and brush up on their
security awareness to ensure they don't fall victim to phishing emails expected
after a data breach at a major marketing firm compromised several email lists.
large email marketing services company with a roster of A-list clients,
disclosed April 1 that attackers had stolen customer data
several of its clients. While the extent of the breach is still under
investigation, the initial list of affected companies reads like a "Who's Who"
of some of the largest companies, including several financial organizations,
major hotel chains and big retailers.
warned that thieves might use the information to launch a phishing campaign to
trick users out of more sensitive personal data.
breach is "remarkable" because of the number of companies and customers it
affected, it is important to remember that it could have been "much worse," had
credit card numbers, social security numbers or other similar types of personal
information been compromised, Alex Eckelberry, general manager of the security
business unit of GFI Software, told eWEEK.
That said, the
breach should not be taken lightly, according to Eckelberry. "It's another
reminder that privacy is an illusion on the Internet," he said.
researchers felt that downplaying the incident may be more dangerous for consumers.
When attackers have a large list of names from each of these organizations, it
simplifies the targeted attack, Marcus Carey, a security community manager at Rapid7, told
eWEEK. Hackers now have more details on victims, and the fact that attackers
will now know who people expect to receive email from is a "big deal," Carey
said. Instead of sending out emails purporting to be from JPMorgan Chase to
everyone and hoping to trick a handful of customers, the scammers now have an
exact list of people who are already customers and won't immediately dismiss
the emails out of hand.
breach is a "treasure trove" for cyber-attackers interested in launching
spear-phishing attacks against individuals, Joris Evers, a McAfee spokesperson,
all agreed that the breach means users must be even more careful than usual
about opening or clicking links in emails. Customers should think about the
likelihood of an email being legitimate before taking action. For example, they
should consider whether the institution usually sends an email, or sends
messages with links to click on. If not, suddenly getting such a message is a
clear indicator that it is likely spam, Amol Sarwate, vulnerabilities research
lab manager at Qualys, told eWEEK. If customers usually get monthly statement
reminders, any "out-of-band" mail should be considered suspicious, Sarwate
"Due to the
nature of how email works, it is not possible for everyday users to distinguish
between email sent by their institution or by hackers," Sarwate said. Even if a
message contains official logos or the color scheme and page layout looks
legitimate, customers should refrain from clicking, he said.
"After all, it
just takes one click for a compromise," said Sarwate.
specter of phishing is serious enough without complicating the worst-case
scenario, according to some experts.
are taking the implications of the Epsilon breach "too far" by claiming a
targeted email message can be carrying a virus that exposes the user to data
theft just by opening the message, Abrams said. While theoretically it could
happen, Abrams said he was unaware of any current zero-day vulnerabilities that
would enable this attack.
education are critical to make sure people are more security-savvy.
Organizations should be training their employees using recent breaches,
especially spear-phish attacks, as "they are real-world examples," Carey said.
This will help companies to minimize the damage when an attack does happen, and
running practice scenarios will train employees on how to react when faced with
a real attack, he said.