If you are a member of the technology advocate crowd that uses this slogan for a mantra, you are going to love the Epsilon Company. Reports starting coming out on April 2nd that the mega email marketing giant, Epsilon was breached and millions of names and email addresses of customers of very large banks and retailers were “liberated”.
If Epsilon isn’t familiar to you that is understandable They are a kind of behind the scenes company that major retailers and banks use who don’t really want you to know how much information about you they have aggregated use. Epsilon is the email machine these companies use to generate massive amounts of something that most people call spam.
We all know that our email addresses are out there because we all get way too much spam, so you might ask what the big deal is. Here s the deal. If a criminal has your name, email address, and knows that you use that email address for your banking or shopping, they now know how to target phishing attacks.
This is a real concern and the phishing has commenced, but some people are really taking it too far. One report speculates that
“You might, for instance, receive a message from Brookstone about a special offer addressed to your name. But it may be carrying a virus that exposes you to data theft if you simply open the email.”
Yeah, theoretically this could happen, but I am unaware of any current zero-day vulnerabilities that would enable this attack. The far more common attack will be simple phishing.
The way to deal with this is the way you deal with all phishing attacks. If you get an email with a link to a web site that requires a log on, do not log on. Always go to your vendor’s website by typing in a known valid internet address. If a company tells you that there is a problem with your account, then call the company on the phone. Do not use phone numbers in the email, instead, go to their website or look up the phone number in a phone book or similar legitimate resource. No security problem requires you to cough up your password or bank account number. You didn’t win any prize that requires you to provide a bank account number.
The one good thing that will come out of this mess is a plethora of phishing samples for training people. Many people will learn about phishing the hard way, but this will be a huge learning event that results in millions of more people learning to protect themselves against phishing. In the long run there will probably be no more people phished than would have been if this didn’t happen, it’s just that for many people it will happen sooner rather than later.
Director of Technical Education
Cyber Threat Analysis Center
ESET North America
Author ESET Research, We Live Security