by Dave Michmerhuizen & Luis Chapetti – security researchers
Sometime on April 1, email marketing firm Epsilon revealed that it had been hacked and that some of its customer lists had been stolen in what some news outlets are calling the biggest data breach ever.
Specifically, what was stolen were names and email addresses, together with the implicit link between that data and a particular Epsilon client such as Best Buy, Target or Kroger Inc. A partial list of affected clients is available at SecurityWeek and includes three of America's largest banks – J. P. Morgan Chase, Citibank and U.S. Bank.
Security researchers at Barracuda Labs believe that these lists will prove to be valuable in the underground marketplace for email address lists. They directly link verified email addresses and customer names with companies that do business online. Phishers will find this additional data very useful.
Phishing emails are a type of spam that pose as emails from legitimate institutions, such as your bank or phone company, and attempt to trick you into divulging your username, password and other account information. The phishers then use this to take over your online account and steal from it or use it to commit other crimes.
Under normal circumstances, phishers send generically worded emails to purchased lists of email addresses. Since they don't have the names that go with the email addresses, the best they can do is address the phish to “Dear Customer” or “Attention”. These purchased lists contain addresses indiscriminately harvested from the internet, and the chance that any given addressee is even associated with the company being phished is low. To make up for this, phishers send huge numbers of emails using many lists, and ultimately attract the attention of authorities who block their spam and take action against their activities.
Contrast this with the quality of the email lists stolen from Epsilon. Phishers using one of these lists have a name to associate with each email address, allowing them to craft much more convincing emails. They know that every email address on the list is likely to work, and that each one is associated with the company whose account information they are trying to phish. Fewer emails need to be sent, which attracts less attention to the servers and Web sites used by the phishers, and even with fewer emails the hit rates from these lists are likely to be much, much higher than they are from the typical slapdash phishing campaign.
The bottom line here is that people whose email addresses are on those stolen lists will be getting many more phishing emails that appear to be from companies they already do business with. These phishing emails will be even more personal and convincing. The best advice we can give is to exercise good email security. Never open attachments you aren't explicitly expecting. When an email from a company you recognize and do business with contains a link, we recommend that rather than clicking on that link you independently visit the site by entering its URL directly into a Web browser.
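The advice to type the URL yourself rests on a simple fact: the text a link displays and the address it actually opens are two separate things, and a phish written with the victim's real name still has to get them onto a server the phisher controls. The following Python script is an added example, not code from Barracuda Labs or from the original post. It parses a constructed HTML email body (the sender name, domains and URLs in it are made up for the example), extracts every link, and flags any whose real target is off the domain of the company the email claims to be from, or whose visible text shows one domain while the link points at another. The function names and the expected-domain parameter are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email body in the style of a bank phish.
# The greeting uses a name, as a phish built from a stolen customer list would.
# Domains and URLs here are invented for this example.
SAMPLE_EMAIL_HTML = """
<p>Dear John Smith,</p>
<p>We noticed unusual activity on your account. Please verify your details at
<a href="http://login-verify.example.net/secure">https://www.examplebank.com/login</a>
or contact us via <a href="https://www.examplebank.com/contact">our contact page</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        # Only text inside an open <a> belongs to a link.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname part of a URL, or '' if it cannot be parsed."""
    return urlparse(url).hostname or ""


def registered_domain(host):
    """Crude approximation: the last two labels of a hostname.
    Good enough for this example; a real filter would use the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html, expected_domain):
    """Return a list of (href, visible_text, reasons) for links that either
    lead somewhere other than expected_domain, or whose visible text looks
    like a URL on a different domain than the one the href really opens."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_dom = registered_domain(host_of(href))
        reasons = []
        if href_dom != expected_domain:
            reasons.append("target domain %s is not %s" % (href_dom, expected_domain))
        # If the clickable text itself reads like a URL, compare its domain
        # with the real destination: a mismatch is the classic phishing tell.
        if re.match(r"^(https?://|www\.)", text):
            shown = text if "://" in text else "http://" + text
            text_dom = registered_domain(host_of(shown))
            if text_dom != href_dom:
                reasons.append("visible text says %s but link goes to %s" % (text_dom, href_dom))
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL_HTML, "examplebank.com"):
        print("SUSPICIOUS:", href, "| shown as:", text)
        for reason in reasons:
            print("   -", reason)
```

Run against the constructed sample, the first link is reported twice over (it leaves the expected domain, and its displayed URL does not match its destination) while the genuine contact link passes. The domain check is deliberately coarse; it is meant to show why "look at where the link really goes" is the right instinct, not to replace a mail gateway's URL reputation and rewriting controls.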