"Massive" Epsilon Interactive Commercial Email Breach

Jim Wynne

Leader
Admin
On Friday I got the following message from my bank:
As a valued [redacted] Bank customer, we want to make you aware of a situation that has occurred related to your email address.

We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.

We want to assure you that [redacted] Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails.
Just now I received another message, this one from an online bookseller:
We have been informed by Epsilon, a third-party vendor we use to send e-mails, that an unauthorized person outside their company accessed files that included e-mail addresses of some AbeBooks customers. Epsilon has advised us that the files that were accessed did not include any customer information other than email addresses.

As a reminder, AbeBooks will never ask customers for personal or account information in an e-mail. Please exercise caution if you get any emails that ask for personal information or direct you to a site where you are asked to provide personal information.

This sent me off to the Google, where I found this article on the PC World website: Massive Epsilon E-Mail Breach Hits Citi, Chase, Many More.

It appears at this point that only email addresses and names are involved, and no other personal information. Nonetheless, this will doubtlessly result in a lot of spam and especially phishing attempts, given that a lot of financial institutions are involved.
 
adickerson

I received a letter from Chase Bank this morning talking a little about the leak.

So far the list of companies affected by this 3rd party failure includes:
JPMorgan Chase & Co
Walgreen
TiVo Inc
Capital One Financial Corp
HSN
AbeBooks
College Board
Kroger
Verizon Communications Inc
Blackstone Group LP's Hilton Hotels
Kraft Foods Inc
AstraZeneca
Added:
Citi
Ameriprise Financial
LL Bean Visa Card
McKinsey & Company
Ritz-Carlton Rewards
Marriott Rewards
New York & Company
Brookstone
Disney Destinations
Best Buy


If you use any of these companies you may want to be a little extra careful over the next few weeks as the investigation is still pending.
 

howste

Thaumaturge
Trusted Information Resource
You can add the Hilton HHonors frequent guest program to the list too.

*edit* Oops, I see that Adickerson's list already includes them as part of the Blackstone Group... :eek:
 

Wes Bucey

Prophet of Profit
On a similar note, I have noticed a massive increase in spam emails (not phishing for personal data) over the last ten days. Until March 15, it was rare for one of my email accounts (gmail) to get more than one or two spam mails a week. Since March 25, I have been averaging more than 30 every 24 hours. It is obviously a single source controlling an army of zombies or drones (folks who have their machines infected by some sort of control bot) because there will sometimes be five or six identical emails, but with widely dispersed individual accounts as the senders.

I just delete them all, but there must be enough folks who "bite" to justify the time and trouble of creating such zombie networks.
 
adickerson

I just delete them all, but there must be enough folks who "bite" to justify the time and trouble of creating such zombie networks.

The way you phrased that leads me to believe you may know something about this security concern but for everyone else not knowing why this breach is significant, I can give a little insight. Sadly yes, by running large bot nets (networks of computers infected with a virus) these spammers have very little cost for distribution. So after they develop and test an initial virus the next step is to just wait around until it spreads. Once there are hundreds or so computers infected they just launch a virus payload (the content of the spam e-mail). Each of the infected computers now has effectively turned into a low volume spam creator.

While running one central computer putting out 1,000,000 spam messages costs big money and is easily detected, by dividing the work amongst hundreds of computers and using all those internet connections it is much harder to detect. It also is much cheaper since they don't need to pay for all the bandwidth and equipment to send these messages. If 100 out of 1,000,000 each blow $100 on a scam then the virus has more than paid for itself ($10,000). Finding .0001% of the population to believe your lies is not hard so getting these numbers is a real possibility. Spamming is all about volume so massive list leaks like this make it much easier for spammers.
 

Wes Bucey

Prophet of Profit
The way you phrased that leads me to believe you may know something about this security concern but for everyone else not knowing why this breach is significant, I can give a little insight. Sadly yes, by running large bot nets (networks of computers infected with a virus) these spammers have very little cost for distribution. So after they develop and test an initial virus the next step is to just wait around until it spreads. Once there are hundreds or so computers infected they just launch a virus payload (the content of the spam e-mail). Each of the infected computers now has effectively turned into a low volume spam creator.

While running one central computer putting out 1,000,000 spam messages costs big money and is easily detected, by dividing the work amongst hundreds of computers and using all those internet connections it is much harder to detect. It also is much cheaper since they don't need to pay for all the bandwidth and equipment to send these messages. If 100 out of 1,000,000 each blow $100 on a scam then the virus has more than paid for itself ($10,000). Finding .0001% of the population to believe your lies is not hard so getting these numbers is a real possibility. Spamming is all about volume so massive list leaks like this make it much easier for spammers.
Spammer gold is a valid email address. Thus, it is usually better for the rest of us if recipients of spam just delete, rather than clicking the little link which says "remove me from this list" because that just goes to build a list of targets who may be susceptible to a more sophisticated scam. Obviously, the masters of the botnets don't worry about bounced emails from bad addresses or even "honey traps" set up to snare spam senders because they are virtually unreachable behind their thousands of zombie machines.
 