Epsilon Breach a Treasure Trove for Phishing Attacks

While the Epsilon data breach differs from other recent breaches in that there are no credit card numbers, social security numbers or corporate secrets, the threat of phishing attacks is all too real.

Security experts warned that users needed to be extremely vigilant and brush up on their security awareness to ensure they don't fall victim to phishing emails expected after a data breach at a major marketing firm compromised several email lists.

Epsilon, a large email marketing services company with a roster of A-list clients, disclosed April 1 that attackers had stolen customer data belonging to several of its clients. While the extent of the breach is still under investigation, the initial list of affected companies reads like a "Who's Who" of some of the largest companies, including several financial organizations, major hotel chains and big retailers.

The company warned that thieves might use the information to launch a phishing campaign to trick users out of more sensitive personal data.

While the breach is "remarkable" because of the number of companies and customers it affected, it is important to remember that it could have been "much worse," had credit card numbers, social security numbers or other similar types of personal information been compromised, Alex Eckelberry, general manager of the security business unit of GFI Software, told eWEEK.

That said, the breach should not be taken lightly, according to Eckelberry. "It's another reminder that privacy is an illusion on the Internet," he said.

Some security researchers felt that downplaying the incident may be more dangerous for consumers. When attackers have a large list of names from each of these organizations, it simplifies the targeted attack, Marcus Carey, a security community manager at Rapid7, told eWEEK. Hackers now have more details on victims, and the fact that attackers will now know who people expect to receive email from is a "big deal," Carey said. Instead of sending out emails purporting to be from JPMorgan Chase to everyone and hoping to trick a handful of customers, the scammers now have an exact list of people who are already customers and won't immediately dismiss the emails out of hand.

The Epsilon breach is a "treasure trove" for cyber-attackers interested in launching spear-phishing attacks against individuals, Joris Evers, a McAfee spokesperson, told eWEEK.

Security experts all agreed that the breach means users must be even more careful than usual about opening or clicking links in emails. Customers should think about the likelihood of an email being legitimate before taking action. For example, they should consider whether the institution usually sends an email, or sends messages with links to click on. If not, suddenly getting such a message is a clear indicator that it is likely spam, Amol Sarwate, vulnerabilities research lab manager at Qualys, told eWEEK. If customers usually get monthly statement reminders, any "out-of-band" mail should be considered suspicious, Sarwate said.

"Due to the nature of how email works, it is not possible for everyday users to distinguish between email sent by their institution or by hackers," Sarwate said. Even if a message contains official logos or the color scheme and page layout looks legitimate, customers should refrain from clicking, he said.

"After all, it just takes one click for a compromise," said Sarwate.
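The "out-of-band" test Sarwate describes can be written down as a mail-filter heuristic. The block below is an added example, not code from the article or from Qualys or any other vendor quoted in it: it keeps a per-institution baseline (the only domain the institution really sends from, how often it writes, and whether its mail normally carries links) and flags incoming messages that claim to be from that institution but break the pattern. Institution names, domains and the sample mailbox are all constructed; the thresholds (half the usual cadence) are an assumption.

```python
"""Flag mail that breaks an institution's usual sending pattern.

Added example (not from the article). Institution names, domains, sample
messages and the cadence threshold are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple
import re

# Constructed baseline: what each institution's legitimate mail looks like.
BASELINE = {
    "Example Bank": {
        "domain": "example-bank.test",  # the only domain it really sends from
        "cadence_days": 30,             # monthly statement reminder
        "sends_links": False,           # statements say "log in to our site"
    },
    "Example Hotels": {
        "domain": "example-hotels.test",
        "cadence_days": 90,             # quarterly newsletter
        "sends_links": True,
    },
}


@dataclass(frozen=True)
class Message:
    sender: str       # "Display Name <user@domain>" or a bare address
    subject: str
    received: date
    has_links: bool


ADDR_RE = re.compile(r"<?([^<>\s@]+@([^<>\s@]+))>?\s*$")


def sender_domain(sender: str) -> str:
    """Domain of the actual sending address, lower-cased ('' if unparsable)."""
    m = ADDR_RE.search(sender)
    return m.group(2).lower() if m else ""


def claimed_institution(msg: Message) -> Optional[str]:
    """Which institution the message *claims* to be from, judged from the
    display name and subject only, independent of the sending domain."""
    text = (msg.sender + " " + msg.subject).lower()
    for name in BASELINE:
        if name.lower() in text:
            return name
    return None


def flag_out_of_band(messages: List[Message]) -> List[Tuple[Message, List[str]]]:
    """Return [(message, reasons)] for messages that break the baseline.

    Messages are processed in order of receipt so cadence can be checked.
    Only messages from the genuine domain advance the cadence clock, so a
    spoofed message cannot make the next real statement look suspicious."""
    last_seen: Dict[str, date] = {}
    flagged = []
    for msg in sorted(messages, key=lambda m: m.received):
        inst = claimed_institution(msg)
        if inst is None:
            continue  # not claiming to be a known institution; out of scope here
        rules = BASELINE[inst]
        reasons = []
        genuine_domain = sender_domain(msg.sender) == rules["domain"]
        if not genuine_domain:
            reasons.append("sender domain does not match the institution's domain")
        if msg.has_links and not rules["sends_links"]:
            reasons.append("institution does not normally send links")
        prev = last_seen.get(inst)
        if prev is not None:
            gap = (msg.received - prev).days
            if gap < rules["cadence_days"] // 2:
                reasons.append(
                    f"arrived {gap} days after the last message, "
                    f"expected roughly every {rules['cadence_days']} days")
        if genuine_domain:
            last_seen[inst] = msg.received
        if reasons:
            flagged.append((msg, reasons))
    return flagged


# Constructed sample mailbox: two real statements, one lookalike, one newsletter.
SAMPLE = [
    Message("Example Bank <statements@example-bank.test>",
            "Your March statement is ready", date(2011, 3, 1), False),
    Message("Example Bank <statements@example-bank.test>",
            "Your April statement is ready", date(2011, 4, 1), False),
    Message("Example Bank Security <alerts@example-bank-verify.test>",
            "Action required: confirm your account", date(2011, 4, 5), True),
    Message("Example Hotels <news@example-hotels.test>",
            "Spring offers from Example Hotels", date(2011, 4, 6), True),
]

if __name__ == "__main__":
    for msg, reasons in flag_out_of_band(SAMPLE):
        print(msg.received, msg.sender, "->", "; ".join(reasons))
```

Run as a script it prints one line, for the April 5 message, with all three reasons (wrong domain, unexpected link, arrived four days after the genuine April statement); the two real statements and the hotel newsletter pass. The domain check is deliberately separate from the cadence check: a lookalike domain is the strongest signal, but the timing rule still catches mail sent from a compromised account that uses the genuine domain.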

However, the specter of phishing is serious enough without complicating the worst-case scenario, according to some experts.

"Some people" are taking the implications of the Epsilon breach "too far" by claiming a targeted email message can be carrying a virus that exposes the user to data theft just by opening the message, Abrams said. While theoretically it could happen, Abrams said he was unaware of any current zero-day vulnerabilities that would enable this attack.

Training and education are critical to make sure people are more security-savvy. Organizations should be training their employees using recent breaches, especially spear-phish attacks, as "they are real-world examples," Carey said. This will help companies to minimize the damage when an attack does happen, and running practice scenarios will train employees on how to react when faced with a real attack, he said.