Sunday, May 1, 2011

Check your mail carefully. Spear phishers out again.

From: Security Now! with Steve Gibson, Episode 295, recorded April 6, 2011

Steve: Okay.  So Epsilon is the world's largest permission-based email marketing services company.

Leo: Who knew?

Steve: I know, never heard of them before.

Leo: Who knew, yeah.

Steve: 2,500 clients, including seven of the Fortune 10.  So seven of the largest 10 corporations in the United States use Epsilon to do their customer emailings.  So when we get email from, well, from 1-800-Flowers, AbeBooks, Air Miles, Ameriprise Financial, Barclays Bank, Beachbody, bebe stores, Best Buy, Brookstone, Capital One, City Market, Citi, Dillons, Disney...

Steve: ...Destinations, Eileen Fisher, Ethan Allen, Food 4 Less, Fred Meyer, Fry's, Hilton Honors Program, Home Shopping Network, Jay C, JPMorgan Chase, King Soopers, Kroger, Lacoste, LL Bean Visa Card, Marriott Rewards, McKinsey & Company, MoneyGram, New York & Company, QFC, Ralphs, Red Roof Inn, Ritz-Carlton Rewards, Robert Half, Target, The College Board, TD Ameritrade, TiVo, US Bank, and Walgreens.  They were all breached.  That is, Epsilon is saying that 2 percent of its email clients, which 2 percent of 2,500 would be, what, 50, were affected.  Well, I just read the list of known clients who are now vulnerable to a much heightened level of spear-phishing.  The problem is that what was lost was the email databases for those companies.

Steve: Well, and names.

Leo: And names.

Steve: And that's the problem: there's now a much greater chance that you will click on a Hilton Honors Program email that knows your name.

So, I mean, the real news is: read the email, then manually go to the website, entering the URL yourself, logging in not through the email but using LastPass or whatever you use for logging in, and arrange to achieve the same end without clicking something that you receive in email.  Treat the email as just the information that something important is being brought to your attention, like, oh, look, your miles are about to expire unless they hear from you immediately.

Generally the phishing emails use an emergency of some sort to get people to act.  They're not saying, hi, we just wanted to make sure you're happy with the service we're providing you, because people go, yeah, yeah, yeah, fine, delete.  No, it's that there's a call to action in spear-phishing emails that is presenting you with some dire event unless you take action.  And people go, ooh.  And in the moment of worry, they click on that link, even if they know better; it's like, oh, I'd better do this right now.

Listen to whole episode:
http://media.GRC.com/sn/SN-295.mp3

Get more:
http://twit.tv/sn
