A massive data breach at a third-party company that handles customer email messaging for 150 major banks, retailers and other firms could lead to unwanted spam and phishing attacks, according to security experts.
Irving, Texas-based Epsilon Data Management LLC handles customer email for a number of big-name banks and retailers including Best Buy, JPMorgan Chase, CitiGroup, LL Bean, Walgreens and the Home Shopping Network. The company announced last Friday that a breach may have exposed the names and email addresses of thousands of people. The company said investigators are looking into the breach.
"On March 30, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system," the company said in an announcement on its website. "A rigorous assessment determined that no other personal identifiable information associated with those names was at risk."
Other companies, including retailer Target Corp., Hilton Hotels and Marriott International, disclosed the breach to customers on Monday. Epsilon said the breach had hit about 50 companies. Epsilon sends out about 40 billion email ads and offers a year to people who register for a company's website by giving their name and email address.
At a minimum, users affected by the Epsilon email breach may experience a surge in spam to their email account, wrote Paul Ducklin, head of technology at security vendor Sophos. Email breaches are fairly common, Ducklin wrote in the company's blog. Online travel review and advice company TripAdvisor and entertainment retailer Play.com each experienced separate email breaches via third-party partners.
"Losing your email address via a service to which you already belong makes it much easier for scammers to hit you with emails which match your existing interests, at least loosely," Ducklin said. "That, in turn, can make their fraudulent correspondence seem more believable."
Making email more believable can be a boon to cybercriminals who use automated tools to conduct phishing attacks, said HD Moore, creator of the Metasploit attack platform and chief security officer of Rapid7. It also creates a new threat to enterprises, Moore said, because a savvy attacker can couple privately used or less public email addresses to executives at a specific business and create a successful social engineering attack to ultimately gain access to company data.
"It now will be easy to spoof a legitimate website because many people are already used to receiving email messages from these companies using third-party domains," Moore said.
Moore said there are a number of tools available that can help cybercriminals couple email addresses with information on social networking sites, such as Facebook and LinkedIn, to create more convincing email messages.
Maltego, an open source intelligence and forensics tool, can do complex data mining to gather information on people and pair it with email addresses and other information. A tool called Creepy gathers geolocation data about users from social networking platforms and image hosting services. Another tool, called Yeti, is used to help pen testers conduct reconnaissance prior to penetration testing. But the tool can also map out IP addresses and other publicly available information it finds by scouring the Internet.