Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Epsilon attack - a turning point for the online marketing industry?

High-profile security breach is part of an ongoing campaign against email providers

Article comments

Last week, consumers in the US were bombarded with email messages warning them of what may be the most widely felt data breach in US history. A company that most of them had never heard of, Epsilon Interactive, had been compromised and their names and email addresses had been stolen.

For a few days, it seemed that almost everyone was getting a warning message. The notes all struck the same tone: "Email files have been accessed without authorisation," said one, sent to holders of the Dressbarn credit card. "You could receive some spam email messages. We sincerely apologise."

The breach left many victims uneasy, rather than outright scared. After all, these are stolen email addresses, not Social Security numbers or bank account details. Brian Jacobs is a typical victim. An IT manager with the city of Rockport, Texas, he woke up on Monday 4 April to a warning email from his former employer, staffing firm Robert Half International, telling him that his email address had been taken. With nothing more in the balance, Jacobs said he wasn't particularly worried, but he didn't feel good either. "When they said, 'They just got your email address,' it's like, 'Well, that's what you're telling me today. Are you going to be telling me something else tomorrow?'" he said.

One thing that neither Epsilon nor its parent company, marketing giant Alliance Data, are discussing is the fact that the Epsilon breach is just the latest development in a long-running campaign to hack into the service companies that pump out the bulk of the nation's sales coupons, air miles account updates and friendly reminders that make up legitimate marketing email campaigns.

There are hundreds of these companies out there, ranging from small mom-and-pop operations to large subsidiaries of publicly traded corporations like Epsilon. And over the past year, spammers have been trying to break into them with a vengeance.

"There has been a series of attacks on email service providers that has been occurring since December 2009," said Neil Schwartzman, executive director with CAUCE (the Coalition Against Unsolicited Commercial Email), an anti-spam advocacy group. "About a dozen ESPs were hacked over the course of 2010."

That's particularly worrying because while Schwartzman and others say that many ESPs have been hacked, only four companies have admitted that they were compromised: Epsilon, Silverpop, AWeber Communications and ReturnPath, a company that sells services to ESPs.

With many of these attacks, the criminals target clients of the email service provider. They take over their corporate accounts and then use them to send spam - often fake Skype or Adobe reader updates that actually contain malicious software.

Schwartzman knows a lot about the problem. He is formerly senior director of security strategies with ReturnPath, which was hit by hackers late last year. ReturnPath isn't an ESP, but it sells deliverability services to more than 2,000 ESPs, including Epsilon. These deliverability services are extremely important to ESPs because they help them get their legitimate marketing email through spam filters.

All of this gets turned on its head when an ESP is hacked. It's a spammer's fantasy come true. The criminal gets client email addresses along with the names of companies those people do business with - all you need for a targeted "spear-phishing" attack. And by using the email service provider to send out his spam, the bad guy gets a near-guarantee that his scam messages will get through anti-spam filters.

When ReturnPath was hacked, criminals stole email addresses belonging to 13,000 of its users - ESP employees and marketing professionals who had accounts with the ESPs. Some believe that a November 2009 attack on ReturnPath may have given hackers a stepping stone to launch attacks on thousands of accounts at ESPs that used ReturnPath's services.

Last year, ReturnPath said that email operations employees at more than 100 ESPs and gambling sites had been hit with targeted phishing attacks. Victims would get an email specially targeted to them with a link to a website that then tried to install malicious password-stealing software on their computers. "This is an organised, deliberate and destructive attack clearly intent on gaining access to industry-grade email deployment systems," ReturnPath said in a blog posting, written by Schwartzman. "Further, the potential consequences should ESP client mailing lists be compromised at this time of the year is unimaginable."

Shortly after the ReturnPath incident, two ESPs - Silverpop and AWeber Communications - came forward to say that they had been hacked as well.

In many of these cases, overseas criminals apparently broke into ESP accounts and then used them to send spam. Criminals use hacked accounts to send links to questionable Adobe Reader updates, which could be pirated software, or worse - malicious Trojan horse programs, said Gary Warner, director of research in computer forensics with the University of Alabama at Birmingham.

Silverpop's breach reportedly affected hundreds of companies, including McDonald's. And some of them were promptly phished and spammed by scammers looking to steal sensitive information, using the Silverpop email system.

Epsilon had problems last year too. In December 2010, Walgreens warned clients that someone had stolen its email marketing list and was using it in phishing attacks, asking for Social Security numbers and credit card accounts. Walgreens, which was hit again by this latest Epsilon breach, used Epsilon as its email service provider at the time of the December 2010 incident, said Tiffani Washington, a spokeswoman for the drugstore chain.

All three of the compromised ESPs - AWeber, Silverpop and Epsilon - have business relationships with ReturnPath. However, with so many ESPs under attack for so long, it's not clear whether the ReturnPath attack can be linked to any of the other hacks, including the recent Epsilon breach, now thought to have affected about 50 companies, including Verizon, Citibank and JPMorgan Chase.

In fact there's an important difference between the recent Epsilon incident and other ESP hacks, Warner said. "The primary difference between Silverpop and Epsilon is that in the Silverpop case, criminals managed to send emails through the Silverpop system," he said. In the Epsilon case they only downloaded data.

But if the marketing industry doesn't address the problem, it could lead to a meltdown in consumer confidence and the possibility of government regulation, said Craig Spiezle, executive director with the Online Trust Alliance. "This is a serious problem," he said. "It's the tip of the iceberg here."

Spiezle's group, which includes marketers, Internet service providers and security companies, has been trying to encourage email service providers to beef up their security game. But Spiezle and others say that while some marketers and advertising networks take security seriously, many do not. "Security was not a design fundamental of what they created," Spiezle said. "Today they've underinvested and underanticipated the impact of the cybercriminal."

It's a problem that the email marketing industry would very much like to see go away. The Direct Marketing Association (Epsilon CEO Bryan Kennedy is a board member) initially wouldn't comment in detail on the problem of targeted attacks against email service providers. But on Sunday, spokeswoman Sue Geramian said that the marketing industry association is putting together a special task force to look at the situation and possibly revise the group's guidelines relating to data breaches.

One veteran email marketer, who spoke on condition of anonymity, said that industry opinion about whether there will be long-term backlash over Epsilon is "almost evenly divided".

"Of course they want it to blow over because if it doesn't blow over, people are going to stop clicking on 'I agree'," he said, referring to the check boxes that customers check on web forms to allow further email contact. These are the consent agreements that keep legitimate email marketers in business. He added: "Some people are actually seeing their opt-in numbers go down. In the industry, they're kind of whispering about that."


Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *