Epsilon – Keep Calm and Carry On

There’s been a lot of media coverage and online discussion about the Epsilon data breach, and how it should be a big wake-up call to email recipients to change their behavior.
There’s also been a lot of panic and finger-pointing within the email industry about What Must Be Done In The Future. Most of the “you must do X in response to the data loss” suggestions are coming from the same people and groups who’ve been saying “you must do X” for years, and are just trying to grab the coattails of the publicity about this particular incident, though.
Not many people seem to be talking honestly about what this will really mean to an individual recipient whose email address Epsilon lost. I’m going to try to answer some questions I’ve seen asked realistically, rather than with an eye to forwarding an agenda.
1. Who are Epsilon?
Epsilon are an Email Service Provider, or ESP. That means that they handle sending email on behalf of other companies. If you’re on a company’s mailing list – you’re getting regular newsletters or special offers or any sort of email advertising – the odds are very good that the company isn’t sending you that email themselves. Instead they’re probably contracting with one of hundreds of ESPs to send the email for them. This is a good thing, as sending email to a lot of people “properly” (so that it’s delivered to them in a timely fashion, it’s sent only to people who want it, and so on) is quite difficult to do well, and any ESP you choose is likely to be better at it than a typical company trying to start sending that bulk mail themselves.
2. What happened at Epsilon?
The what is pretty simple – somebody stole a list of names and email addresses of people who were being sent email via Epsilon. Nobody outside of Epsilon and law enforcement really knows the details of how it was done, though lots of people are speculating about it.
3. Is this identity theft? Do I need to check my credit rating and so on?
No, it’s not something that’s going to lead to identity theft. All that was stolen was your name, your email address and some of the companies who send you email. Your postal address, credit card numbers, social security numbers and so on aren’t at risk, even if you’ve given those to the companies who are sending you email. The only information those companies passed to Epsilon were your name and email address, nothing more, so that’s all that was stolen.
4. Is this common?
Yes, it happens all the time. I use tagged email addresses when I give them to a company, and I’ve done so fairly consistently for the better part of two decades. That lets me track when email addresses are leaked, by who and to whom. Email addresses you give to a company leak to spammers all the time. That’s true for huge companies, tiny one-woman companies, tech-savvy companies, everyone.
5. How do email addresses leak from companies to spammers?
There are a lot of ways:

  • The company itself sells the email address (pretty rare, at least for reputable companies)
  • An employee at the company takes the email addresses and sells them (rare, but it happens, especially as people leave the company and take email addresses they have access to with them – an Oracle sales rep did that for one of my email addresses, for example)
  • The company subcontracts some part of their business – such as sending email – to a subcontractor and somebody there takes the addresses. (Not that common, but it can happen when a somewhat reputable company hires a semi-reputable marketer who hires a disreputable marketer who hires a spammer)
  • The company leaves the list of email addresses somewhere public and someone stumbles across them (rare for reputable companies but sadly common for hobbyist websites and tiny companies whose main presence is online)
  • Someone breaks into a company using an automated tool that attempts “simple” compromises at thousands of websites, and stumbles across data they can sell almost by accident (hard to say, but probably fairly common)
  • Someone targets a company and breaks into their computers specifically to steal addresses (probably quite rare, but a high profile incident when it does happen – as the current Epsilon coverage shows)
  • The email addresses are, for some reason, left on a Windows desktop or laptop, and that laptop is infected by a virus or compromised in some other way, then sends the list of addresses out to the internet, intentionally or otherwise (very common, especially in the case where you have a particular sales rep at a company, so they have your email address in their mail client’s address book). Email addresses will leak from your friends’ infected machines in just the same way.
  • … and lots of other ways

6. So why is this the first time I’m hearing about it?
I’m not really sure. The recent Epsilon leak was pretty big, and their customers have been fairly good about notifying people about it. That’s probably because there’s been a move in the past few years to thinking that people should be notified in such a case, and some law (at least in California) that requires it. Because of the size of the leak and the widespread notification, this particular incident has made it into social media, blogs, Facebook, Twitter and finally the mainstream media.
7. What bad things will happen to me?
Not many. Maybe none.
If you’ve not received any spam at all to your email address in the past then you might start receiving some now. You’d probably have started receiving spam sooner or later anyway, as email addresses leak all the time – from individuals and ISPs as well as vendors, marketers and ESPs.
If you’re already receiving spam, you might start getting a little more. Though likely not so much more that you’ll notice. The spammer ecosystem already has your email address, and they’re already sending you spam – if a few more spammers get your address from a new source you may get a little more.
It’s possible you’ll see some additional attempts to “phish” information such as passwords and account access from you. And those may be a little better targeted and better done as someone has a list of companies you’re expecting to receive email from. You should already be wary of phishing attempts, though, as you’re likely being targeted already – whether your data was stolen this time around or not.
If you’re suspicious about an email, or there’s a link in it that goes to a page where you’re going to have to enter a password or any other account information – don’t click on the link. Either go to a bookmarked page or type the link into your browser’s address bar instead.
That’s about it.
8. OK, what good things will happen to me?
Not many. You’re hopefully a little more aware of phishing now than you were, and you’ve got a better idea of what companies do with your email address.
9. What should I do?

Keep Calm and Carry On.
The world is not going to end. Bad guys aren’t going to take control of your life.
You should pay attention to companies who’ve notified you that they’ve had information stolen, and be somewhat more wary of email that claims to be from them over the next few months. You might want to change the email address you have on file with those companies, and then be very wary of any email claiming to come from them that goes to the old email address.
But remember that just because a company hasn’t notified you, it doesn’t mean that they’ve not had your email address stolen anyway, either in this incident or another one, so be wary of any email that’s asking you for account information, or directing you to a webpage where you need to log in or provide account information. Brian Krebs has some good advice about avoiding email scams and phishing – none of which is new advice, it’s just good advice that’s being repeated in response to the media mentions of the Epsilon leak.
You might want to use more than one email address – use one to deal with just your bank, for example, so that you know anything claiming to be from your bank to any other email address is probably someone trying to scam you.
10. What shouldn’t I do?
Don’t stop using email, personally or with companies. While I said above that email addresses get leaked all the time (and they do), only a small fraction do. For every email address I’ve given a company that’s leaked there have been a hundred that haven’t. Just don’t be too trusting of people sending you mail, and trust your instincts about it.
And don’t pay too much attention to anyone who is using this particular incident to promote their own product or to push you into major changes in behavior. Security companies and bloggers love loud, scary headlines as they tend to lead to more linking and traffic in a way that more sober, accurate reporting doesn’t.
You were at risk for phishing and spam a year ago, and you’re still at risk today. Nothing much has changed. Keep being wary of email-borne scams and phishing, but keep calm and carry on.

Related Posts

Targeted attacks via email – phishing for WoW gold

You’re going to be seeing a lot of discussion about email addresses stolen from ESPs in the next few days, if you haven’t already. There are a lot of interesting things to discuss about that from an email perspective – from “Why two factor authentication isn’t a magic bullet.” to “And this is why corporate spam folders can be a major security risk.”
We could have fodder for blog content for weeks!
Right now I’m just going to look at one of the reasons why it’s worth stealing a list of email addresses from an ESP or a list owner, rather than just gathering them from other sources. That is, why the ESPs and list owners are high value targets beyond just “that’s where the email addresses are“.
If you steal a list of addresses from a list owner, or a bunch of lists from an ESP, you have one very useful extra piece of information about the recipients beyond the usual name-and-email-address. You know a company that the recipient is already expecting to receive email from.
That means that you know someone you can pretend to be in order to get a recipient to open and respond to a malicious email you send them – which will make an attempt to phish someone’s credentials or compromise their computer via email much more likely to be effective.
A good example of targeted phishing for credentials is the online game World of Warcraft. There’s a huge criminal underground that makes real world money by selling game money to players. The main thing the gold sellers need to have to be able to acquire game money, advertise their services to players and to give game money to players in return for dollars is an endless series of World of Warcraft accounts. Blizzard, the World of Warcraft owner, work reasonably hard to squash those accounts and make it slightly tricky for the gold sellers to sign up for them, so stealing account credentials from existing users is a great way to get them. And you can also strip those accounts bare of in-game possessions and gold in the process.
Some of the phishing is done in the game itself, where you know that everyone has an account you can steal if you can just get them to visit your website and compromise their machine…

Real. Or. Phish?

After Epsilon lost a bunch of customer lists last week, I’ve been keeping an eye open to see if any of the vendors I work with had any of my email addresses stolen – not least because it’ll be interesting to see where this data ends up.
Yesterday I got mail from Marriott, telling me that an “unauthorized third party gained access to a number of Epsilon’s accounts including Marriott’s email list”. Great! Let’s start looking for spam to my Marriott tagged address, or for phishing targeted at Marriott customers.
I hit what looks like paydirt this morning. Plausible looking mail with Marriott branding, nothing specific to me other than name and (tagged) email address.
It’s time to play Real. Or. Phish?
1. Branding and spelling is all good. It’s using decent stock photos, and what looks like a real Marriott logo.
All very easy to fake, but if it’s a phish it’s pretty well done. Then again, phishes often steal real content and just change out the links.
Conclusion? Real. Maybe.
2. The mail wasn’t sent from marriott.com, or any domain related to it. Instead, it came from “Marriott@marriott-email.com”.
This is classic phish behaviour – using a lookalike domain such as “paypal-billing.com” or “aolsecurity.com” so as to look as though you’re associated with a company, yet to be able to use a domain name you have full control of, so as to be able to host websites, receive email, sign with DKIM, all that sort of thing.
Conclusion? Phish.
3. SPF pass
Given that the mail was sent “from” marriott-email.com, and not from marriott.com, this is pretty meaningless. But it did pass an SPF check.
Conclusion? Neutral.
4. DKIM fail
Authentication-Results: m.wordtothewise.com; dkim=fail (verification failed; insecure key) header.i=@marriott-email.com;
As the mail was sent “from” marriott-email.com it should have been possible for the owner of that domain (presumably the phisher) to sign it with DKIM. That they didn’t isn’t a good sign at all.
Conclusion? Phish.
5. Badly obfuscated headers
From: =?iso-8859-1?B?TWFycmlvdHQgUmV3YXJkcw==?= <Marriott@marriott-email.com>
Subject: =?iso-8859-1?B?WW91ciBBY2NvdW50IJYgVXAgdG8gJDEwMCBjb3Vwb24=?=

Base64 encoding of headers is an old spammer trick used to make them more difficult for naive spam filters to handle. That doesn’t work well with more modern spam filters, but spammers and phishers still tend to do it so as to make it harder for abuse desks to read the content of phishes forwarded to them with complaints. There’s no legitimate reason to encode plain ASCII fields in this way. SpamAssassin didn’t like the message because of this.
Conclusion? Phish.
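The three header checks walked through above (decoding the RFC 2047 encoded-words and noting which ones carried nothing but plain ASCII, spotting the lookalike sender domain, and reading the DKIM result out of Authentication-Results) as an added Python example that is not part of the original post. The sample headers are a constructed dict built from the three header lines quoted above, and treating marriott.com as the brand’s real domain is an assumption.

```python
import base64
import quopri
import re

# Constructed sample built from the three header lines quoted in the post.
HEADERS = {
    "From": "=?iso-8859-1?B?TWFycmlvdHQgUmV3YXJkcw==?= <Marriott@marriott-email.com>",
    "Subject": "=?iso-8859-1?B?WW91ciBBY2NvdW50IJYgVXAgdG8gJDEwMCBjb3Vwb24=?=",
    "Authentication-Results": "m.wordtothewise.com; dkim=fail (verification failed;"
                              " insecure key) header.i=@marriott-email.com;",
}
ENCODED_WORD = re.compile(r"=\?([^?*]+)(?:\*[^?]*)?\?([BbQq])\?([^?]*)\?=")

def decode_words(value):
    """Decode RFC 2047 encoded-words; also count the words whose decoded bytes
    are plain printable ASCII, i.e. encoding hid the text but carried nothing."""
    ascii_only = 0
    def repl(m):
        nonlocal ascii_only
        charset, enc, payload = m.groups()
        if enc.upper() == "B":
            raw = base64.b64decode(payload)
        else:  # Q encoding: "_" stands for space, the rest is quoted-printable
            raw = quopri.decodestring(payload.replace("_", " ").encode())
        ascii_only += all(0x20 <= b < 0x7F for b in raw)
        return raw.decode(charset, errors="replace")
    return ENCODED_WORD.sub(repl, value), ascii_only

def is_lookalike(domain, brand_domain):
    """Neither the brand's domain nor a subdomain of it, yet reuses its name."""
    if domain == brand_domain or domain.endswith("." + brand_domain):
        return False
    return brand_domain.split(".")[0] in domain

def auth_results(value):
    """Map method -> result from Authentication-Results, comments stripped."""
    body = re.sub(r"\([^)]*\)", "", value)
    return {k: v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", body)}

def assess(headers, brand_domain):
    """Return the indicators the post walks through, as short tags."""
    sender, needless = decode_words(headers.get("From", ""))
    needless += decode_words(headers.get("Subject", ""))[1]
    m = re.search(r"<([^>]+)>", sender)  # address between <>, else bare address
    domain = (m.group(1) if m else sender).rpartition("@")[2].strip().lower()
    dkim = auth_results(headers.get("Authentication-Results", "")).get("dkim")
    tags = [("needless-encoding", needless > 0),
            ("lookalike-domain:" + domain, is_lookalike(domain, brand_domain)),
            ("dkim-fail", dkim == "fail")]
    return [tag for tag, hit in tags if hit]
```

Running `assess(HEADERS, "marriott.com")` reports all three indicators for the sample; the decoded Subject also shows that the single non-ASCII byte in it (0x96) is a Windows-1252 dash mislabelled as iso-8859-1.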
6. Well-crafted multipart/alternative mail, with valid, well-encoded (quoted-printable) plain text and html parts
Just like the branding and spelling, this is very well done for a phish. But again, it’s commonly something that’s stolen from legitimate email and modified slightly.
Conclusion? Real, probably.
7. Typical content links in the email
Most of the content links in the email are to things like “http://marriott-email.com/16433acf1layfousiaey2oniaaaaaalfqkc4qmz76deyaaaaa”, which is consistent with the from address, at least. This isn’t the sort of URL a real company website tends to use, but it’s not that unusual for click tracking software to do something like this.
Conclusion? Neutral.
8. Atypical content links in the email
We also have other links:

Authentication and phishing

Yahoo announced today that they are releasing the Yahoo! Mail Anti-Phishing Platform (YMAP) that will help protect their users from phishing. They have a similar project in place for eBay and PayPal mail, but this will extend to a broader range of companies.