Consequences of the Epsilon breach: spear phishing

As more well-known corporations and brands send out emails warning users that their email addresses may have been compromised as part of a security breach at Texas-based marketing firm Epsilon, many are wondering what the consequences of the leak will be. According to Krebs on Security, expect to see some deviously targeted phishing schemes in the near future. These targeted attacks, called “spear phishing,” convince the reader that they need to divulge account information by posing as a legitimate website. In this case, Best Buy customers who were on its email list may confronted with an email that looks like it’s from Best Buy asking from some personal information. According to Rod Rasmussen, CTO at Internet Identity,

“I think this is going to make a big difference in spear phishing, where you may not be targeting an individual, but you know that that person has a bank account with US Bank and recently stayed at Disney,” Rasmussen said. “You now can automate spam based on things people have actually done, so your missive that they need to log into your phishing site is much more affective. You can also correlate across your data to see all the services someone is using, phish them for a user/password on something innocuous, and then re-use the same password for the bank they use, since there’s such rampant password re-use out there.”

As with any time you venture out to the Internet, never give information out to anyone you aren’t absolutely sure needs to have that information. The rule of thumb as far as email goes is that companies will never ask you to verify information using email. If a company is asking you to provide any piece of identification via an email campaign, it’s either a phishing effort or an incredibly irresponsible business who is about to get reported for phishing and lose a lot of money.

As of now, the list of major companies affected by the email breach includes (but is not limited to):