You might be the victim of what is being touted as one of the biggest security breaches of personal data ever reported.
Recently, cyber criminals successfully hacked the database of the world's largest 'permission-based' email marketing company, Epsilon. Never heard of them? Don't exhale just yet, not until we have explained the possible connection between Epsilon and your personal data, a connection which, unfortunately, does nothing to diminish the threat brewing in cyberspace.
Who Is Epsilon and Why Should I Care?
Epsilon outsources email marketing services and manages customer email databases for its clients. Epsilon also monitors feedback on social networks and other sites to learn what is being said about companies and their various products, so that they can better provide targeted marketing strategies.
So if you've ever interacted with one of their clients, chances are your DNA is pretty much stored on Epsilon's super database. Who are these clients? We will get to that later, but right now we need to explore the dangers of cyber criminals having your personal data, albeit reported as only being your email address.
When the term 'Spam' was first being tossed around in the mid-1990s to describe an electronic warhead, many US citizens and PC users grimaced at the thought of the familiar canned gelatinous delicacy. Today, however, while many still grimace upon hearing the term, it is not because of anything they can digest, but because it brings to mind an annoying pest or microbe usually hidden in an electronic message.
Hackers steal data, especially data of this magnitude, to get the largest payout they can, and will sell it on the black market to online scammers or spammers. No doubt spammers are salaciously thrilled, and I'm sure they have already planned their viral attack and strategy. Spamming is no longer limited to the malicious and mischievous acts of a juvenile prankster looking to exploit the vulnerability of your PC with a stink bomb, aka a virus or worm of destruction. Unfortunately, something even more corrupt is going on that transcends such childish games.
Spammers have matured and have adopted an entrepreneurial spirit. All grown up and business savvy, they have quickly transformed their corrupt business model into a financial empire using innovative methodologies and strategies such as spear phishing. Cyber criminals have studied social engineering and are using this knowledge to target and scam unwary PC users. Email addresses leave trails, and a simple search engine result can lead to the most intimate details about the account holder, which can then be used to dupe you into believing the source is legitimate. For instance, take one of Epsilon's real clients, Kroger, as an example. If you've signed up to receive discounts or special sales notifications, you wouldn't be suspicious of a well-crafted, well-designed Kroger email in your inbox. Even more, you might not think twice about completing a form or survey from the trusted vendor that asks you to provide your social security number, bank or credit information.
Example Scam Email As A Result of Epsilon Security Breach
Shortly after the recent heist, a customer of Chase Bank, one of Epsilon's clients, reported getting this fictitious email:
From: Chase Online
Sent: Tue, Apr 5, 2011 12:26 pm
Subject: Account Maintenance
This is your official notification that the service(s) listed below will be deactivated
and deleted if your profile is not verified immediately.
SERVICE: Chase Online and Bill Pay services.
EXPIRATION: Apr 8, 2011
What you need to do:
1. Log in to your account at www.Chase.com, by clicking the URL.
2. Enter your user ID and Password (that you selected during the online
3. Enter the requested information and your Chase Online and Bill Pay services will
If you have not signed up for online access, you can enroll easily by clicking
"Enroll" at the bottom of the Login page.
Please do not reply to this message. For questions, please call Customer Service
at the number on the back of your card.
Chief Marketing Officer
There are a few checks and balances a scam-savvy PC user might have picked up on, for instance, mousing over the URL and verifying that the link matched the company name. However, what I found most interesting and sneaky was the suggestion to 'call Customer Service' for questions. What scammer would suggest calling and verifying the legitimacy if it weren't a valid letter? Yes, cyber criminals knew you would respond this way and not take up the offer, which is why they included such standard and expected verbiage.
Even if you do not have a direct connection to Epsilon by way of a third-party relationship, the power of such a large heist will spur malicious phishing and Internet security attacks for years to come.
Who Are These Clients on Epsilon's List?
So who are these clients of Epsilon that outsourced and contributed to the compromising of your valuable personal data? You can find the growing list here (http://www.databreaches.net/?p=17374). However, if again you do not find a direct connection, there is yet more disturbing news. The recent breach has uncovered some lax practices on the part of Epsilon's database management team: companies that had ended their working relationship, and individuals who had opted out of Epsilon's email services prior to the heist, somehow still had their data sitting on the database server.
So What Can You Do to Protect Yourself?
- First and foremost, change your 'passwords' and 'usernames'. These two critical pieces of information can be lethal in the hands of cyber criminals. Furthermore, it is good Internet security practice to change passwords periodically. However, make sure you create a 'strong' password that is not so easy to crack.
- See who made Epsilon's client list so that you will be wary of emails coming from these companies. If you should get an email and are suspicious of its intent, picking up the phone still works to verify its validity.
- In general, be leery of emails that contain attachments or dubious links. Many such traps are the gateway for viruses and other microbes.
- Never give personal information via email. Most companies will send a letter via snail mail to protect your privacy and ensure a higher level of security.
- Pay attention to red flags such as misspellings, bad grammar or incomplete sentence structure.
- Verify that the domain and the company name match. If they don't, most likely the email is an imposter and is part of a scam operation.
- If you must send sensitive information over the cyber waves, ensure the website uses encryption and good security measures to protect you and your data.
- Keep an active and up-to-date anti-malware solution on your PC.
- Stay on top of software upgrades that patch known vulnerabilities.
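As an added illustration (not code from the original article), the 'mouse over the URL' check from the scam-email discussion and the domain-matching advice in the list above, written in Python: it pulls every link out of an HTML email body and flags any anchor whose visible text names one domain while the link itself leads to a different one. The sample email body is constructed, modelled on the Chase message quoted above, and the phishing host in it is a placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Last two labels of a host, e.g. 'secure.chase.com' -> 'chase.com'.
    Assumption: no public-suffix list, so 'co.uk'-style suffixes are not handled."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def mismatched_links(html):
    """Return (visible text, real host) for anchors whose visible text looks like
    a domain or URL but whose href lands on a different registrable domain."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
        if not shown:
            continue  # plain words such as "Enroll" give nothing to compare
        real_host = urlparse(href).hostname or ""
        if registrable_domain(shown.group(1)) != registrable_domain(real_host):
            findings.append((text, real_host))
    return findings

# Constructed sample modelled on the message quoted above; the href host is a placeholder.
SAMPLE_BODY = (
    '<p>1. Log in to your account at '
    '<a href="http://login.example-phish.invalid/chase/">www.Chase.com</a>, '
    'by clicking the URL.</p>'
    '<p><a href="https://www.chase.com/enroll">Enroll</a></p>'
)
```

Running `mismatched_links(SAMPLE_BODY)` reports the first link, whose text says www.Chase.com but whose target is the placeholder phishing host, and stays silent on the second, where a plain word links to the bank's own domain.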
Who You Should Report a Scam To
If you learn of a scam, educate others around you and your online friends and contacts, so that they too will be on guard. You also might want to report the scam and its source to the Federal Trade Commission (FTC), which works to prevent fraudulent business practices.
Another step you might take is to visit phishtank.com (PhishTank), a popular site that tracks daily phishing reports. In addition to learning who was phished, you can also learn who may be doing the 'phishing' by casting dirty nets to gain information maliciously.
So that our readers will be informed, please share your experience with the Epsilon security breach or an email scam you've recently encountered.