Forgot your password?
typodupeerror
Crime Security Your Rights Online

How Attackers Will Use Epsilon Data Against You 78

Posted by CmdrTaco
from the this-is-social-networking dept.
Trailrunner7 writes "What might the criminals who broke into Epsilon do with the email lists they have? The easiest thing to do is to sell these data sets on the black market or, potentially, to competitors of victim firms. According to the latest data from data-breaches.net, totals are up to 57 customers including credit card providers with branded cards — Visa (notices sent for at least 3 cards), the World Financial Network National Bank (12 cards) and Citi (3 cards). The criminals may make some money there and re-invest it into technology or services for other efforts. Once an attacker has gained a foothold on one or more systems used by their mark, they can begin harvesting credentials. The frequency with which average consumers use the same username/password combination across multiple sites is such that such information could lead to accessing other potentially-existing accounts on high-profile social networks."
This discussion has been archived. No new comments can be posted.

How Attackers Will Use Epsilon Data Against You

Comments Filter:
  • by syntap (242090) on Tuesday April 12, 2011 @01:08PM (#35795922)

    Visa (notices sent for at least 3 cards), the World Financial Network National Bank (12 cards) and Citi (3 cards)

    I have not yet seen notes that VISA itself was hit. Banks that use VISA's services may have been, but the article is lumping the network/transaction processor with the banks. It is possible to be a customer of VISA for other purposes, which surprises me that the article is claiming they were independently hit, that is news here.

    • by blair1q (305137) on Tuesday April 12, 2011 @01:45PM (#35796488) Journal

      They weren't hit. They were clients of the mass-mailing service that got hit. If you were on Epsilon's list under Visa, Epsilon notified Visa that you were exposed. Visa then should have notified you.

      I got 4 separate notifications, but I suspect that's not all.

      I've tried to get Epsilon to give me a full list of what companies using their service have my email address, but, in phenomenal wanker fashion, they refused, citing "privacy" and "security".

    • by AmiMoJo (196126)

      I just got my notifications but for some reason gMail classified them as spam:

      Dear amimojo,

      We have detected a Data Breech on our main server and your card details may have been stolen. Please log in to the VISA web site to confirm your card details by clicking the link below so we can confirm you are NOT a victim:

      http://21343.ru/HTTP://VISA.COM/checkings.php [21343.ru] (VISA OFFICIAL WEB SITE (RECOMMENDED))

      I also got this one from a kind and helpful Visa employee:

      Dear Kind and most Blessed Sir,

      My name is James Mudac and I am writing to you from the offices of Visa Nigeria. We have recently learned of a serious loss of your personal datas and I am writing to you in the sincear hope that I can help you recover your datas on this day. Please would you forward me a copy of your passport and birth certificate and the numbers on your credit card so that I am check them for you.

      Please accepting my most humble appologies for this terrible crime that has happened to you. We will be depositing monies to the value of $25,000,000 (TWENTy FIVE MILLION DOLLARS) into your account to reimburse you for your losses and unfortunately consequences.

      I hope you will be writing to me soon so that I may help you in this difficult time in my country.

  • Who said anything about passwords being compromised? My e-mail address is now public. Big whoop, it has always been public. If the "public" (don't include me) uses the same password for their checking account as they do their email, shame on them.
    • by Sleuth (19262) *

      Err, and how would my credit card company get my email password? This article is rather silly...

    • by gstoddart (321705) on Tuesday April 12, 2011 @01:23PM (#35796140) Homepage

      Who said anything about passwords being compromised?

      Not as part of this breach, but as a possible consequence.

      Bad guys get your email, name, and a couple of other things. Bad guys do a very targeted phishing exercise, and scam you into giving up credentials for one service. Bad guys then could potentially rely on the fact that people reuse passwords, and get into several other sites.

      Depending on the uniqueness of your first/last name combination ... there might actually be enough information in there to actually identify you in the real world.

      You know, the things that TFA are actually saying.

      • by Relayman (1068986)
        Agreed. But any of this can happen any time someone sees my email address. Every time my friends' computers gets hacked, the hacker downloads his/her address book and gets my email address. The Epsilon disclosure doesn't make me any more vulnerable than before. There is no story!
        • Re: (Score:2, Insightful)

          by Anonymous Coward

          The Epsilon disclosure doesn't make me any more vulnerable than before.

          Of course it does. They have your email and know with which company you have an account using this email, maybe even specific services you've subscribed to. They can forge a credible-sounding email pretending to be said company or working for them or whatever. The more info you have the more credible a forgery is, the more people will fall for it. The majority of internet users couldn't tell a decent forgery from the real deal.

          • This is exactly where the risk comes from. I've now been receiving faked emails from a stock company of mine which was compromised. On my phone the email looks entirely credible and I'm not able to check where the link in the email is actually taking me. Once I checked it out on a computer I noticed the link was going to a fake domain rather than to the institution. I'm a web developer and consider myself pretty computer savvy. I also knew about the information being taken and am extremely wary of followin
      • Maybe, but that would be a possible consequence of my e-mail being stolen *AND* me being stupid -- not just a possible consequence of my e-mail addy being compromised.

        I'm not going to give you my credentials just because you ask for them in an e-mail. In fact, the first thing I do when I get an e-mail that looks at all suspicious (and asking me for any personally identifiable information in an e-mail is a sure-fire way to trigger my alarms) is blow open the headers and see where the e-mail came from. The
        • by John Hasler (414242) on Tuesday April 12, 2011 @02:02PM (#35796696) Homepage

          Maybe, but that would be a possible consequence of my e-mail being stolen *AND* me being stupid...

          Thus the majority of users are at risk.

          • Re: (Score:3, Informative)

            by zuckerj (993079)
            Unfortunately MANY major companies practice procedures that put their customers at risk by sending emails with links. Any official communication from a credible institution should not include ANY links, or phone numbers. They should simply say, please visit our website, or call us via the phone umber printed on your bill or the back of your card. I complain to companies time and again that they are indeed part of the security threat problem and putting their customers at risk. I recently got an email fr
            • Agreed.

              Unfortunately, it's not the call center drone who is going to enact a policy change. That person may very well understand and agree with what you are saying -- and may even complain to his/her boss that this is a stupid practice -- but the odds of it trickling up to the decision maker who has the power to enact a change is virtually nil, because even if the call center drone gets it, chances are the call center manager *won't* and even if that manager does, there's about a hundred thousand layers
            • > ...the companies we trust...

              Speak for youself.

            • by cffrost (885375)

              Banks do not give a fuck about you. Join a credit union if you want to be treated like a person, instead of an object from which to extract profits.

      • by timeOday (582209)
        We know what TFA is actually saying. It's desperately trying to whip up a mountain from a molehill, and not too successfully. It's just email addresses and names.
        • by slick7 (1703596)

          We know what TFA is actually saying. It's desperately trying to whip up a mountain from a molehill, and not too successfully. It's just email addresses and names.

          My password is not compromised since I do have an online bank account, and I never will. Secondly, my debit card is on another bank account at another bank. Thirdly, I only write checks to myself thereby eliminating any processing delays. Rarely do I write checks to third parties, but sometimes I do. Yes it's a pain in the ass, yet, my assets are secure from most entities other than the bank and government. Fourthly, I do not discuss my steganographic practices, period!

      • Bad guys do a very targeted phishing exercise, and scam you into giving up credentials for one service

        I don't give my passwords to anybody, ever. If Jesus Christ came down and asked for my passwords, he wouldn't get them, not even if he walked on water.

      • by steveg (55825)

        There is a lot of the time that having a very common name can be a pain in the butt. This is one time I'm glad of it.

        My email address gives away my first initial and last name. If someone tries to look me up by that they'll find hundreds with that combo in my town. If they manage to figure out my first name that'll drop it to dozens.

    • by rsborg (111459)

      Who said anything about passwords being compromised? My e-mail address is now public. Big whoop, it has always been public. If the "public" (don't include me) uses the same password for their checking account as they do their email, shame on them.

      A username+password is two pieces of a credential set. With many of these services, one of them is now given up (ie, your email). This is just making it easier for criminals to target you (akin to similar attack reducing the key search space in cryptography).

    • by tlhIngan (30335)

      Problem is, most sites use the "something you know" method of authenticating emails from them to you. E.g., if you get an e-mail from Paypal, Paypal will use your name (as entered in the account) in the email. So if you get one that says "Dear Sir" or somesuch other than "Dear $First $Last", you know it's not a legit email. After all, a phisher won't have your name and email address togethered.

      You'll find most sites do that - it's a simple way to verify email authenticity. Now that names-emails mappings hav

  • At least that's what it seems like as my emails about the leak came with a bunch of Automotive Insurance emails despite the fact I no longer own a car.
  • There doesn't really seem to be much here, as the article even notes that there hasn't been much attention to the breach since it was "just" email addresses. The far-fetched plots the article's author throws up all assume a successful phishing attack or social engineering.

    While I can certainly see that some people may be taken advantage of via phishing scams, I just don't see this leading to a great rise in security threats to users. Anyone who *isn't* vigilant in filtering their email, not responding to

    • by gstoddart (321705)

      While I can certainly see that some people may be taken advantage of via phishing scams, I just don't see this leading to a great rise in security threats to users. Anyone who *isn't* vigilant in filtering their email, not responding to strange/unknown email requests for information, etc. is likely ALREADY a target!

      Well, as someone who is very vigilant and distrusting of emails in general ... and as someone who has received at least one email indicating that my data may have been compromised, I'm still a li

      • True--although given my own high level of paranoia (yay for those of us who don't automatically allow flash, cookies, scripting, etc. automatically), I'm not as nervous about this breach as I am about those where username/password details are given out.

        It just seems like they could have summed this up with a "Be more vigilant in regards to ANY emails that ask for information/send you to an external website you may not know."

      • Exactly how much time do you think the bad guys are going to spend on you? To take the time to craft an ultra-convincing phishing attack, along with the subsequent necessary complex plotting to dissuade your fears, and get you to click seems like an inefficient, and ineffective expenditure of time to me. Maybe it's just me, but the ROI would have to be incredible to justify that kind of attention to detail.

        I believe that the majority of these email addresses are going to be passed off as quickly as possi

      • They can send me emails from a third party. They can direct me to third-party websites. They can't make me turn off NoScript on them, and they can't make me type in credentials.

        The security-conscious computer-savvy geek is pretty safe here. It's only the other 99.9% of the population that is at risk.

  • Preposterous claims and counter claims all in my name! It's all over for me, now! My credibility is ruins!

    Curse you Epsilon Data Thiefs! >:(

  • All that was stolen was names and email addresses. It's not like spammers and other online criminals don't have those anyway.

    http://blog.wordtothewise.com/2011/04/epsilon-keep-calm-and-carry-on/ [wordtothewise.com]

    • by bberens (965711)
      Just a slight correction, it's names, e-mail addresses, AND a business relationship. Now, for example, the hacker might know that my e-mail address is associated with company XYZ and can send me a more targeted phishing attack by pretending to be a representative of XYZ. They could have done that before, but they had no idea whether or not I had any business relationship with XYZ so it would have been a wild guess.
      • by poetmatt (793785)

        all it takes is one website that requires a name and an email address to reset a password/change email address and/or an easily guessable password and then they're in.

        That is, if the user uses the same password as indicated or has an easy to guess password, then there's the ticket to anything and everything.

        I got more notifications from the gawker breach (2) than from the Epsilon leak though (0).

        • all it takes is one website that requires a name and an email address to reset a password/change email address and/or an easily guessable password and then they're in.

          That is, if the user uses the same password as indicated or has an easy to guess password, then there's the ticket to anything and everything.

          One of my clients received a personalized TD Ameritrade email scam today. It was a very professional job, including a lot of content from the TD Ameritrade site. The only thing that was out of place were the actual href targets (they weren't TD Ameritrade). I'm filtering client email for companies exposed in the Epsilon breach.

          I got more notifications from the gawker breach (2) than from the Epsilon leak though (0).

          The Epsilon breach is still very young. When the lists get sold a few hundred (or thousand) times you'll see a lot more from it.

      • by vlm (69642)

        They could have done that before, but they had no idea whether or not I had any business relationship with XYZ so it would have been a wild guess.

        I've gotten thousands of targeted spam over the years, mostly from companies I do not do business with. I think I've gotten about 10 Citibank phishing emails over the years, at least. I don't have an account there, but... Same thing with bank of america, etc.

    • All that was stolen was names and email addresses. It's not like spammers and other online criminals don't have those anyway.

      But what they do have now is fisrt & last names along with those email addresses and knowledge that a large group of individuals have accounts at a specific business. They can now target a very specific group with personalized attacks.

      Mr. John Smith,
      As you are aware StupidBank had some recent security issues. Please login to verify that your username and password have been updated to prevent someone from targeting you for online scams and phishing schemes.

      Yours Truly, StupidBank

    • Even still, I've gotten a lot more spam (not even phishing, just regular craptastic spam) on my e-mail accounts that were affected by this breach.

  • by Lehk228 (705449) on Tuesday April 12, 2011 @01:16PM (#35796060) Journal
    the scenario in TFA could happen, but it's mostly masturbatory super hacker fantasy

    these email and name lists will be used for spamming and unsophisticated phishing, "IMPORTANT MESSAGE FROM $COMPANY, you account will be terminated unless you log in here [www.example.ru]"

    TFA layed out a scenario where targetted espionage is carried out against targets that are somehow more convenient because you got their email address.
    • by Sleuth (19262) *

      but it's mostly masturbatory super hacker fantasy
       

      That's a fun quote, thank you!

    • Exactly. A few of my accounts got hacked and I got a warning e-mail. One example of this new spam: the last few days I've been getting FaceBook Spam -

      Hi, $random_name_here has left you a private message on facebook * A HREF="$hacker_url"* Click here * /A* to log in.

      The funny thing - I don't even use Facebook. Shows you what those stupid hackers know!

      • There's ads that tell me my registry has problems. Not only don't they tell me how they can tell through NoScript, but they don't tell me whether it's under /usr, /var, or /etc.

  • The author makes the flawed assumption that sending someone an e-mail == being able to install a keylogger on their machine. In reality in order to get a keylogger on the machine it requires the recipient being gullible enough to download an attachment being sent to them by a complete stranger (unlikely, but not out of the question). Or alternatively it requires that the hacker crafts some attack that exploits a vulnerability in the e-mail reader of the recipient's choice which now days can be any number of
    • The suggestion that simply having an e-mail address of somebody will allow an attacker to install a keylogger on the targets machine is idiotic at best.

      Right. The malware already in control of the average user's machine will defend its territory.

  • OK, this is totally OT, but I don't know where else to post it. I posted this several months ago and a lot of people reported the same issue, and nothing has changed.

    I get no score in any subject starting at (as far as I can tell) a level 3 post or greater. In addition, everything in any such posts has double line breaks between every post.

    It sucks, plain and simple. I'm running Firefox 3.6.16 under Gentoo. So what's up?...is Firefox broken or slashdot???

    Tom

    • by blair1q (305137) on Tuesday April 12, 2011 @01:54PM (#35796598) Journal

      The score display/hiding seems to be totally random.

      Worse is the article expand/collapse misfeature. When I go to do a reply, every time I click in the text box it thinks I want to expand the thread further. Basically I have to expand every article in the thread (and many run to 20 levels) just to start entering my reply.

      Total #fail on someone's scripty little part.

      And in the article-submission dialog, the edit box is about 20% wider than the box, so the right half of every line is hidden. Only way to deal with that is to compose in an editor and paste it into the box. Plus the tag entry is bollocks. It enters the tag if you hit the spacebar, orders the tags randomly, and trying to delete one only succeeds in giving you the negation of the tag, not the deletion of it. The only way to deal with that is to close the submission form, clear your history and cookies (stuff in that form is ultra-sticky) and start over.

      But at least I can use the word "replace" in a posting now, without some eval code bunging that up.

      • by JewGold (924683)
        The worst part is I can no longer middle-click links in some posts in Firefox. Instead of opening the link in a new tab like it should, something in the broken javascript makes it open the parent, and move me around in the page so I first have to scroll around to find the post I was reading, right click the link, copy the URL, open a new tab and paste in. Major hassle. Same thing happens if I highlight a phrase to search.
    • You're not alone in your despair. Categorizing the new discussion system as a clusterfuck doesn't begin to describe how badly broken it is. The slashdot "editors" must never read any of the stories, because, as you point out, it's been *months*, and yet nothing much seems to have changed.

      Of course, the whole hierarchy viewing mechanism is also totally fubarred, so you'll probably never even be able to view this response.

      I see it as a positive. I'm now wasting much less time on slashdot.

  • Dear Respected Sir,

    I read with much interest your user manual about exploiting the email list. However I do not see a script or code that I can download and use with your user manual. Please provide the same sir.

    Sincerely,

    Scrip T K Iddie

    All your email addresses are belong to us.

  • Here is what I got on my New York & Company email address (I had not received anything else - except the breach warning - on this address for years after an order with them in 2007):
    (I assume that the german unicode characters will be missing from my post but you will get the picture...)

    From: "Mr.Frank Morgan"
    Reply-To: frank77morgan3@yahoo.com

    Subject: BITTE ANTWORTEN

    Guten Tag,

    Ich bin Frank Morgan, die ich in der Buchhaltung eines Finance Haus hier in Europa zu arbeiten. Ich sah Ihr Kontakt während

  • Yes, it's too simple to actually work, but after data breaches like this, Epsilon should be required to publish all the data that was compromised. It devalues the data held by the malicious entity (a deterrent against future attacks), and allows security personnel to more accurately gauge the risk and present additional strategies for mitigation. Any action that reduces the value of these databases is a step in the right direction.
  • by Anonymous Coward

    Read the title as "How Attackers Will Use Epsilon DELTA Against You" and thinking wtf?

    • No, I read it correctly as "Epsilon Data". Which of course is a negligible amount of data (epsilon is arbitrary small), so the question how attackers might use that little data against me surely is interesting. :-)

  • With so simple it's stupid services like LastPass [lastpass.com], I really don't understand how people still can't use unique passwords. For christ's sake, using LastPass is EASIER than using 1 common password, because it auto logs in. I really don't get people. Then again, with so simple it's obvious backup services like Carbonite [carbonite.com], you'd think everyone would be backing up, too. Fat chance there.
    • by olden (772043)

      Maybe "people" gave it a thought and concluded that trusting a company with all their passwords and/or data wasn't such a great idea either...

  • It happened to me last weekend. A woman posing as "Linda Wilson" called AT&T to cancel our phone service. She had enough info to get the rep to believe she could cancel the account. She hung up in the middle of the call when asked to verify the address on the account and the rep tried calling all the numbers on the account to reach her. (The rep didn't ask for any info so he wasn't phishing me. A call to 611 confirmed what he said.)

    I don't know if it's Epsilon or the fact that we applied for a couple of

  • I was shocked to learn that they'd scooped Chase Bank's email list. Not because of the theft, but I thought, why would Chase need to hire an outside firm to send out emails? Don't they have their own servers? Marketing types??

Real programmers don't write in BASIC. Actually, no programmers write in BASIC after reaching puberty.

Working...