Phishing

What if it wasn’t about the phish?

April 25, 2011

When the breach of Epsilon was reported, there was widespread speculation that phishing attacks were a highly plausible outcome. After all, the perpetrators of the attack have the names of institutions, as well as corresponding names and email addresses for customers. This is a great recipe for more targeted phishing attacks that probably would result in a higher yield for phishers.

However, as of this writing I have seen no evidence of increased phishing attacks that correspond with the banks and other companies related to the data breach. Obtaining the names and email addresses, as well as corresponding companies for phishing, is only one plausible explanation for the attack, but certainly not the only explanation.

The fact is that the data may be even more valuable to a marketing organization. A marketing organization that can link a name and email address to a large variety of diverse companies, such as the companies for which Epsilon provides services, can build a lifestyle profile of a customer. This allows for the creation of targeted mailings that result in higher sales conversion rates. If a company can provide such lists to other companies and the results are both tracked and impressive, the attacker with the stolen data would increase revenue from sales of services.

Another use for such data would be to correlate numbers of customers who use similar companies. This type of information would be valuable for building corporate partnerships. If a large number of the users in the stolen data set use several common companies, such as Chase, Disney Destinations and Home Shopping Network, there may be a profitable business model for applicable companies to cross-market or provide bundles that cross-sell to specific consumers, as well as to entice new consumers based on data analysis.

No information has been released identifying who perpetrated the attacks against Epsilon, but clearly, phishing is not the only viable motivation for such a cybercrime.