Epsilon breach used four-month-old attack

ReturnPath had warned partners of breach in November.

A data breach exposing the customer details of the likes of Citigroup, Hilton Hotels and Dell Australia was part of a series of socially-engineered attacks first reported by an Epsilon technology partner some four months ago, iTnews can reveal.

The world’s largest email service provider, Epsilon, disclosed on April 1, 2011 that the data it manages on behalf of a subset of its 2500 global clients had been accessed by hackers the day prior.

Today iTnews can reveal that Epsilon has been aware of the vulnerability behind this attack for some months.

In late November, Epsilon partner ReturnPath – which provides monitoring and authentication services to email service providers - warned customers about a series of coordinated phishing and hacking attacks levelled at the mailing list industry.

Neil Schwartzman, senior director of security strategy at Return Path’s ‘Email Intelligence Group’ warned its partners of “an organized, deliberate, and destructive attack clearly intent on gaining access to industry-grade email deployment systems”.

He said that the phishing attacks were targeted specifically at employees at email service providers that had specific access to email operations.

Schwartzman offered an example to illustrate:

“Hey Neil, it’s Michelle here, it has been a long time huh ? how’re you doing ? how’s your work with Return Path ? Is everything ok there ? Hey, can you believe it! I got married to Brian ! Yes I did. I tried to call but you did not answer. You have changed your number, haven’t you? Just give meyour current telephone number if you read this mail. It’s really a pity that we did not see you in our wedding. I wanted to invite you so much. Well, here I’m sending you a few pics taken in our wedding:

http://www.weddingphotos4u.net/Photos/Michelle/

Let’s keep in touch then.

Love,

Michelle & Brian”

The link in the body of the email took the user to a page that downloaded three malware programs – one that disables anti-virus software, another (iStealer) that is a Trojan keylogger to steal passwords, and a third (CyberGate) which offers hackers remote administration of the infected machine.

“The potential consequences should ESP [email service provider] client mailing lists be compromised at this time of the year is unimaginable,” Schwartzman told customers.

Schwartzman’s nightmare came true within days.

By December 10, drugstore giant Walgreens – today an Epsilon customer - revealed that it had been the victim of a phishing attack levelled at its customers.

On December 13, fellow email service provider Silverpop Services revealed that it too had “recently detected suspicious activity in a small percentage of customer accounts”, and responded by changing all passwords and engaging the FBI’s cybercrime division.

In the days that followed, it was revealed that McDonalds and Play.com customers had been hit with phishing attacks as a result of this breach.

In an update on December 15, Silverpop chief executive Bill Nussey revealed that the company was “working with industry peers to share what we have learned” from the attack.

Epsilon – the world’s largest email service provider and a ReturnPath partner – subsequently installed systems designed to alert administrators to unusual patterns in the downloading of data.

It was this system that kicked in on March 30, 2011 and the company subsequently informed its clients of a data breach affecting two percent of its large customer base.

“Epsilon is working with Federal authorities, as well as other outside forensics experts, to both investigate this matter and to ensure that any additional security safeguards needed will be promptly implemented,” the company said in a statement overnight.

The challenge for Epsilon will be to now convince its clients that it had done enough to protect their data, considering the number of months it had known of the vulnerability.