Epsilon – Keep Calm and Carry On

There’s been a lot of media coverage and online discussion about the Epsilon data breach, and how it should be a big wake-up call to email recipients to change their behavior.
There’s also been a lot of panic and finger-pointing within the email industry about What Must Be Done In The Future. Most of the “you must do X in response to the data loss” suggestions are coming from the same people and groups who’ve been saying “you must do X” for years, and are just trying to ride the coattails of the publicity about this particular incident.
Not many people seem to be talking honestly about what this will really mean to an individual recipient whose email address Epsilon lost. I’m going to try to answer some of the questions I’ve seen asked, realistically rather than with an eye to pushing an agenda.
1. Who are Epsilon?
Epsilon are an Email Service Provider, or ESP. That means they handle sending email on behalf of other companies. If you’re on a company’s mailing list – you’re getting regular newsletters, special offers or any other sort of email advertising – the odds are very good that the company isn’t sending you that email itself. Instead it’s probably contracting with one of hundreds of ESPs to send the email for it. That’s a good thing: sending email to a lot of people “properly”, so that it’s delivered to them in a timely fashion, sent only to people who want it and so on, is quite difficult to do well, and any ESP you choose is likely to be better at it than a typical company trying to start sending bulk mail itself.
2. What happened at Epsilon?
The what is pretty simple: somebody stole a list of names and email addresses of people who were being sent email via Epsilon. Nobody outside of Epsilon and law enforcement really knows the details of how it was done, though lots of people are speculating about it.
3. Is this identity theft? Do I need to check my credit rating and so on?
No, it’s not something that’s going to lead to identity theft. All that was stolen was your name, your email address and the names of some of the companies who send you email. Your postal address, credit card numbers, social security numbers and so on aren’t at risk, even if you’ve given those to the companies who are sending you email. The only information those companies passed to Epsilon was your name and email address, nothing more, so that’s all that was stolen.
4. Is this common?
Yes, it happens all the time. I use tagged email addresses when I give them to a company, and I’ve done so fairly consistently for the better part of two decades. That lets me track when email addresses are leaked, by whom and to whom. Email addresses you give to a company leak to spammers all the time. That’s true for huge companies, tiny one-woman companies, tech-savvy companies, everyone.
5. How do email addresses leak from companies to spammers?
There are a lot of ways:

  • The company itself sells the email address (pretty rare, at least for reputable companies)
  • An employee at the company takes the email addresses and sells them (rare, but it happens, especially as people leave the company and take email addresses they have access to with them – an Oracle sales rep did that for one of my email addresses, for example)
  • The company subcontracts some part of their business – such as sending email – to a subcontractor and somebody there takes the addresses. (Not that common, but it can happen when a somewhat reputable company hires a semi-reputable marketer who hires a disreputable marketer who hires a spammer)
  • The company leaves the list of email addresses somewhere public and someone stumbles across them (rare for reputable companies but sadly common for hobbyist websites and tiny companies whose main presence is online)
  • Someone breaks in to a company using an automated tool that attempts “simple” compromises at thousands of websites, and stumbles across data they can sell almost by accident (hard to say, but probably fairly common)
  • Someone targets a company and breaks into their computers specifically to steal addresses (probably quite rare, but a high profile incident when it does happen – as the current Epsilon coverage shows)
  • The email addresses are, for some reason, left on a Windows desktop or laptop, that machine is infected by a virus or compromised in some other way, and it then sends the list of addresses out to the internet, intentionally or otherwise (very common, especially where you deal with a particular sales rep at a company, so they have your email address in their mail client’s address book). Email addresses leak from your friends’ infected machines in just the same way.
  • … and lots of other ways

6. So why is this the first time I’m hearing about it?
I’m not really sure. The recent Epsilon leak was pretty big, and their customers have been fairly good about notifying people about it. That’s probably because there’s been a move in the past few years towards thinking that people should be notified in such a case, and some law (at least in California) that requires it. Because of the size of the leak and the widespread notification, this particular incident has made it into social media, blogs, Facebook, Twitter and finally the mainstream media.
7. What bad things will happen to me?
Not many. Maybe none.
If you’ve not received any spam at all to your email address in the past then you might start receiving some now. You’d probably have started receiving spam sooner or later anyway, as email addresses leak all the time – from individuals and ISPs as well as vendors, marketers and ESPs.
If you’re already receiving spam, you might start getting a little more. Though likely not so much more that you’ll notice. The spammer ecosystem already has your email address, and they’re already sending you spam – if a few more spammers get your address from a new source you may get a little more.
It’s possible you’ll see some additional attempts to “phish” information such as passwords and account access from you. And those may be a little better targeted and better done as someone has a list of companies you’re expecting to receive email from. You should already be wary of phishing attempts, though, as you’re likely being targeted already – whether your data was stolen this time around or not.
If you’re suspicious about an email, or there’s a link in it that goes to a page where you’re going to have to enter a password or any other account information – don’t click on the link. Either go to a bookmarked page or type the address into your browser’s address bar instead.
That’s about it.
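One practical way to act on the advice above, as an added example that is not from the original post: pull every link out of an HTML message and list where each one actually points, so that the decision to click (or to use a bookmark instead) is made on the real target rather than on the link text. The sample message, the sender domain first-bank.example and all helper names are constructed for this example; the two-label “registered domain” rule is a stand-in for a real public suffix list.

```python
"""Show where the links in an HTML email really go before deciding to click.

Added example, not code from the original post. Standard library only.
The sample message below is constructed; the two-label "registered
domain" rule is an assumption standing in for a public suffix list
(it would misjudge hosts such as example.co.uk).
"""
import ipaddress
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse whitespace so "https://www.x.example/\n" compares cleanly
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def _host(url: str) -> str:
    """Hostname of a URL or bare domain, lower-cased ("" if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def _registered(host: str) -> str:
    """Crude registered-domain guess: last two labels (assumption, see docstring)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


_LOOKS_LIKE_URL = re.compile(r"^(https?://|www\.)", re.IGNORECASE)


def suspicious_links(html_body: str, claimed_sender_domain: str) -> List[Tuple[str, str, List[str]]]:
    """Return (href, text, reasons) for each link that is not plainly the sender's own.

    Flags: userinfo in front of the host (bank.example@real-host), a raw IP
    address, a target outside the sender's registered domain, and visible
    text that shows one host while the href goes to another.
    """
    parser = _LinkCollector()
    parser.feed(html_body)
    sender = _registered(claimed_sender_domain.lower())
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        reasons = []
        if parts.username is not None:
            reasons.append("userinfo before the real host")
        if _is_ip(host):
            reasons.append("target is a raw IP address")
        elif _registered(host) != sender:
            reasons.append(f"target {host} is not under {sender}")
        shown = _host(text) if _LOOKS_LIKE_URL.match(text) else ""
        if shown and _registered(shown) != _registered(host):
            reasons.append(f"text shows {shown} but link goes to {host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample: a message claiming to come from first-bank.example.
SAMPLE_HTML = """
<p>Dear customer, please
<a href="http://first-bank.example.login-verify.invalid/acct">verify your account</a>
within 24 hours.</p>
<p>Or go to <a href="http://198.51.100.7/fb">https://www.first-bank.example/</a></p>
<p><a href="https://www.first-bank.example/help">Help and contact</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_HTML, "first-bank.example"):
        print(f"{text!r} -> {href}")
        for r in reasons:
            print(f"   {r}")
```

Run against the constructed sample it reports the first two links (a look-alike subdomain of an unrelated domain, and a raw IP address hidden behind link text that shows the bank’s own host) and stays quiet about the genuine help link. The point is the same as in the text: what you see in the message is not where the link goes, so log in via your own bookmark, not via the mail.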
8. OK, what good things will happen to me?
Not many. You’re hopefully a little more aware of phishing now than you were, and you’ve got a better idea of what companies do with your email address.
9. What should I do?

Keep Calm and Carry On.
The world is not going to end. Bad guys aren’t going to take control of your life.
You should pay attention to companies who’ve notified you that they’ve had information stolen, and be somewhat more wary of email that claims to be from them over the next few months. You might want to change the email address you have on file with those companies, and then be very wary of any email claiming to come from them that goes to the old email address.
But remember that just because a company hasn’t notified you, it doesn’t mean that they’ve not had your email address stolen anyway, either in this incident or another one, so be wary of any email that’s asking you for account information, or directing you to a webpage where you need to log in or provide account information. Brian Krebs has some good advice about avoiding email scams and phishing – none of which is new advice, it’s just good advice that’s being repeated in response to the media mentions of the Epsilon leak.
You might want to use more than one email address – use one to deal with just your bank, for example, so that you know anything claiming to be from your bank to any other email address is probably someone trying to scam you.
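The tagged addresses mentioned in answer 4 and the bank-only address suggested just above can be combined into one scheme. The following is an added example, not code from the original post: each company gets its own address, and the tag carries a short HMAC under a secret only you hold, so an address that turns up in spam can be traced to the company it was given to, while a tag a spammer simply guessed (me+first-bank…) is recognised as forged rather than blamed on the bank. The mailbox me@example.com, the secret and the sample traffic are all assumptions made for the example.

```python
"""Per-company tagged addresses with a tag the recipient can verify.

Added example, not code from the original post. Assumes a mailbox at
example.com that delivers anything matching me+<tag>@example.com to the
same inbox (plus-addressing) and a long random SECRET that only the
mailbox owner holds. Domain, local part and secret are placeholders.
"""
import hashlib
import hmac
import re
from typing import Dict, Iterable, List, Optional, Tuple

LOCAL_PART = "me"
DOMAIN = "example.com"
SECRET = b"replace-me-with-32-random-bytes"  # assumption: owner-held secret
MAC_LEN = 8  # hex digits of the HMAC kept in the tag

_ADDR_RE = re.compile(
    rf"^{re.escape(LOCAL_PART)}\+(?P<slug>[a-z0-9-]+)\.(?P<mac>[0-9a-f]{{{MAC_LEN}}})"
    rf"@{re.escape(DOMAIN)}$",
    re.IGNORECASE,
)


def _slug(company: str) -> str:
    """Lower-case the company name and keep only [a-z0-9-]."""
    return re.sub(r"[^a-z0-9]+", "-", company.lower()).strip("-")


def _mac(slug: str, secret: bytes) -> str:
    """Short HMAC over the slug; stops anyone minting plausible tags."""
    return hmac.new(secret, slug.encode(), hashlib.sha256).hexdigest()[:MAC_LEN]


def tagged_address(company: str, secret: bytes = SECRET) -> str:
    """Address to hand to `company`, e.g. me+acme-widgets.1a2b3c4d@example.com."""
    slug = _slug(company)
    return f"{LOCAL_PART}+{slug}.{_mac(slug, secret)}@{DOMAIN}"


def classify(recipient: str, secret: bytes = SECRET) -> Tuple[str, Optional[str]]:
    """Map an address that received mail back to who it was given to.

    Returns ("untagged", None) for the plain mailbox, ("forged", slug) when
    the tag's MAC does not verify (someone guessed "me+first-bank..."), or
    ("ok", slug) when the tag is one we actually issued.
    """
    m = _ADDR_RE.match(recipient.strip())
    if not m:
        return "untagged", None
    slug, mac = m.group("slug").lower(), m.group("mac").lower()
    if not hmac.compare_digest(mac, _mac(slug, secret)):
        return "forged", slug
    return "ok", slug


def leak_report(
    messages: Iterable[Tuple[str, str]],
    expected_senders: Dict[str, str],
    secret: bytes = SECRET,
) -> Tuple[Dict[str, List[str]], int, int]:
    """Find tagged addresses that got mail from someone other than the company.

    messages: (envelope recipient, From-header domain) pairs.
    expected_senders: slug -> domain the company legitimately mails from.
    Returns ({slug: sorted unexpected sender domains}, forged_count, untagged_count).
    """
    leaked: Dict[str, set] = {}
    forged = untagged = 0
    for rcpt, from_domain in messages:
        verdict, slug = classify(rcpt, secret)
        if verdict == "untagged":
            untagged += 1
        elif verdict == "forged":
            forged += 1
        elif from_domain.lower() != expected_senders.get(slug, "").lower():
            leaked.setdefault(slug, set()).add(from_domain.lower())
    return {s: sorted(d) for s, d in leaked.items()}, forged, untagged


def demo() -> Tuple[Dict[str, List[str]], int, int]:
    """Constructed sample traffic, not real mail."""
    expected = {"acme-widgets": "mail.acme-widgets.example", "first-bank": "first-bank.example"}
    acme = tagged_address("Acme Widgets")
    bank = tagged_address("First Bank")
    messages = [
        (acme, "mail.acme-widgets.example"),            # the newsletter we signed up for
        (acme, "pharma-deals.invalid"),                 # same address, other sender: leaked
        (bank, "first-bank.example"),                   # bank mail to the bank-only address
        ("me+first-bank.00000000@example.com", "first-bank.example"),  # guessed tag, bad MAC
        ("me@example.com", "random-spammer.invalid"),   # untagged address, tells us nothing
    ]
    return leak_report(messages, expected)


if __name__ == "__main__":
    leaked, forged, untagged = demo()
    for slug, senders in leaked.items():
        print(f"address given to {slug!r} received mail from {', '.join(senders)}")
    print(f"forged tags: {forged}, mail to untagged address: {untagged}")
```

The MAC is what makes the bank-only address useful as evidence: mail to a tag you never issued is a guess, not a leak, and mail to the bank’s real tag from anyone but the bank means that address has left the bank. Keep the secret off the machines that receive the mail if you can, since whoever has it can mint valid tags.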
10. What shouldn’t I do?
Don’t stop using email, personally or with companies. While I said above that email addresses get leaked all the time (and they do), only a small fraction of them do. For every email address I’ve given a company that’s leaked there have been a hundred that haven’t. Just don’t be too trusting of people sending you mail, and trust your instincts about it.
And don’t pay too much attention to anyone who is using this particular incident to promote their own product or to push you into major changes in behavior. Security companies and bloggers love loud, scary headlines as they tend to lead to more linking and traffic in a way that more sober, accurate reporting doesn’t.
You were at risk for phishing and spam a year ago, and you’re still at risk today. Nothing much has changed. Keep being wary of email borne scams and phishing, but keep calm and carry on.

Related Posts

Targeted attacks via email – phishing for WoW gold

You’re going to be seeing a lot of discussion about email addresses stolen from ESPs in the next few days, if you haven’t already. There are a lot of interesting things to discuss about that from an email perspective – from “Why two factor authentication isn’t a magic bullet.” to “And this is why corporate spam folders can be a major security risk.”
We could have fodder for blog content for weeks!
Right now I’m just going to look at one of the reasons why it’s worth stealing a list of email addresses from an ESP or a list owner, rather than just gathering them from other sources. That is, why the ESPs and list owners are high value targets beyond just “that’s where the email addresses are“.
If you steal a list of addresses from a list owner, or a bunch of lists from an ESP, you have one very useful extra piece of information about the recipients beyond the usual name-and-email-address. You know a company that the recipient is already expecting to receive email from.
That means that you know someone you can pretend to be in order to get a recipient to open and respond to a malicious email you send them – which will make an attempt to phish someones credentials or compromise their computer via email much more likely to be effective.
A good example of targeted phishing for credentials is the online game World of Warcraft. There’s a huge criminal underground that makes real world money by selling game money to players. The main thing the gold sellers need in order to acquire game money, advertise their services to players and hand game money over in return for dollars is an endless supply of World of Warcraft accounts. Blizzard, the World of Warcraft owner, works reasonably hard to squash those accounts and make it slightly tricky for the gold sellers to sign up for them, so stealing account credentials from existing users is a great way to get them. And you can also strip those accounts bare of in-game possessions and gold in the process.
Some of the phishing is done in the game itself, where you know that everyone has an account you can steal if you can just get them to visit your website and compromise their machine…

Read More

Time for a real security response

I’ve seen a number of people and blogs addressing the recent breaches at some large ESPs and making recommendations on how to fix things. Most of them are so far from right they’re not even wrong.
One group is pointing at consumers and insisting consumers be taught to secure their machines. But consumers weren’t compromised here.
Another group is pointing to senders and insisting senders start authenticating all their email. But the failure wasn’t in authentication and some of the mail is coming through the ESP systems and is authenticated.
Still others are claiming that ISPs need to step up their filtering. But the problem wasn’t with the ISPs letting too much email through.
The other thing that’s been interesting is to watch groups jump on this issue to promote their pet best practices. DKIM proponents are insisting everyone sign email with DKIM. Extended SSL proponents are insisting everyone use extended SSL. But the problem wasn’t with unsigned email or website trust.
All of these solutions fail to address the underlying issue:
ESPs do not have sufficient security in place to prevent hackers from getting into their systems and stealing their customers’ data.
ESPs must address real security issues. Not security issues with sending mail, but restricting the ability of hackers to get into their systems. This includes employee training as well as hardening of systems. These are valuable databases that can be compromised by getting someone inside support to click on a phish link.
Not everyone inside an ESP needs access to address lists. Not everyone inside an ESP customer needs full access to address lists. ESPs must implement controls on who can touch, modify, or download address lists. These controls must address technical attacks, spear phishing attacks and social engineering attacks.
What’s happening here actually looks a lot like the Comodo certificate attack or the RSA compromise.
It’s time for the ESP industry to step up and start taking system security seriously.

Read More

Email attacks

Ken has an article up today about the ongoing attacks against ESPs and email marketers. In it he says:

Read More