Epsilon breach used four-month-old attack

Brett Winterford writes:

… Today iTnews can reveal that Epsilon has been aware of the vulnerability behind this attack for some months.

In late November, Epsilon partner ReturnPath – which provides monitoring and authentication services to email service providers – warned customers about a series of coordinated phishing and hacking attacks levelled at the mailing list industry.

Neil Schwartzman, senior director of security strategy at Return Path’s ‘Email Intelligence Group’ warned its partners of “an organized, deliberate, and destructive attack clearly intent on gaining access to industry-grade email deployment systems”.

He said that the phishing attacks were targeted specifically at employees at email service providers that had specific access to email operations.

Read more on iTnews.  I note that Epsilon has not actually stated or confirmed the cause of the breach. That said, I suspect Neal’s right and I’m definitely not surprised to read this.

As a reminder, a Walgreens spokesperson had told DataBreaches.net that after the December breach that led to its notifying customers:

After the incident last year, Walgreens requested that Epsilon put a number additional security measures in place. Apparently, that expectation was not fully met.

Phishing attacks on ESPs like Epsilon are not new. There were breaches, and the threat was made publicly known. What did Epsilon do since they were made known? It seems evident that whatever they may have done, it wasn’t sufficient – assuming that this breach was of the same type as what we saw last year.

In 2008, we saw a rash of breaches in the hospitality sector when cybercriminals learned that many restaurants were using default configurations on their POS systems for customers’ credit or debit card payments. The industry spread the word – or tried to – about the need to disable remote desktop access unless absolutely necessary and to change their passwords and to limit access. There are still some breaches of this kind, but they have declined dramatically.

Now we have a rash of breaches involving ESPs. Will the Epsilon fiasco be the wakeup call for this industry? One would hope so, but before that happens, I fear we’re going to hear about more breaches – including some breaches that may have already occurred but not have been fully disclosed.

About the author: Dissent

2 comments to “Epsilon breach used four-month-old attack”

You can leave a reply or Trackback this post.
  1. Neil Schwartzman - April 7, 2011

    They used 4-month old quotes to draw a causal link. This could just as easily be copycats exploiting another vector. We simply don’t know.

    • admin - April 7, 2011

      Yep. It was Premature Reporting Disorder (PRD, coming soon to your next DSM or ICD) at the very least on iTnews’s part, as I have been pointing out all day in my blog entries. Brian Krebs has also been trying to alert people that what iTnews “revealed” was nothing that had been confirmed. Thanks for reiterating that point.

Comments are closed.