Attacking the email list provider

A pair of massive data breaches have illustrated that marketing services firms, trusted to manage the email campaigns of major businesses, have become a high-value target of cybercriminals aiming to steal valuable information that easily can be monetized.

Companies such as Epsilon and Silverpop work with some of the world's largest companies and maintain vast databases of customer information, making them an especially attractive target, said Nicolas Christin, associate director of the Information Networking Institute at Carnegie Mellon University in Pittsburgh.

Breaking into just one of these repositories yields scores of customer data belonging to potentially hundreds of clients, he said.

A list of active email addresses, especially of Epsilon-like magnitude, is a valuable asset that can be sold to organized criminal groups who make money redirecting recipients to spam websites, said Lance James, director of intelligence at security monitoring solutions provider Vigilant. Stolen email lists also can be used to pull off targeted phishing attacks that introduce malware into organizations.

The recent theft of email addresses from Epsilon, one of the world's largest email marketers, affects dozens of major banks and retailers, and followed a similar exposure at rival marketing firm Silverpop.

“These hackers are...seeing they aren't getting stopped and that nobody's coming after them,” James said.

With no repercussions, the hackers now clearly have moved on to bigger and more valuable targets, which appear just as vulnerable as smaller marketers, he said.

Epsilon is not forthcoming with information about how the breach occurred, Christin said. “They probably don't want to tell us what happened, either because they don't have a clue or because their whole system isn't that secure.”

Gartner VP and distinguished analyst Avivah Litan said criminals also are actively targeting other types of businesses that maintain huge lists of consumer information, such as financing agencies, bill collectors and leasing agents.

“Cybercriminals are trending toward targeted attacks and getting as much information as possible to conduct those,” she said.

Before outsourcing information to third parties, organizations must assess the risks associated with that data and ensure it will be adequately protected, said Richard Mackey, VP of consulting at SystemExperts.
