Epsilon partner warned of phishing attacks months ago

Near the end of last year Epsilon partner Return Path said that thousands of e-mail addresses were stolen in a broad phishing campaign that targeted e-mail service providers.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
5 min read

The recent data breach reported by e-mail marketing service provider Epsilon that exposed names and e-mail addresses for customers at dozens of companies comes four months after an Epsilon technology partner warned about targeted phishing attacks on e-mail service providers and on its own network.

Return Path said in late November that thousands of e-mail addresses had been stolen from its system after one of its employees clicked on a link in a phishing e-mail message. Epsilon uses Return Path's e-mail monitoring technology in the e-mail marketing services it provides to other companies.

"The employee's system was properly scrubbed, but in the short time between infection and scrubbing, the perpetrators of the phishing campaign had obtained a list of 13,000 email addresses registered in our system by our clients for system alerts," Return Path Chief Executive Matt Blumberg wrote in a blog post on November 26. "The list consists of employees at Email Service Providers as well as many email marketers at client companies."

In an earlier blog post Return Path had warned that e-mail service providers (ESPs), direct mailers, and gambling sites had received spam e-mails over the past five weeks with links leading to malware, keyloggers, and a remotely controlled Trojan as part of spear phishing attacks. (Spear phishing attacks target specific organizations or key people within a company.)

"This is an organized, deliberate, and destructive attack clearly intent on gaining access to industry-grade email deployment systems," said the post, signed by Neil Schwartzman, senior director of security strategy for Return Path's e-mail intelligence group, who is no longer with the company.

A Return Path spokeswoman told CNET today that she could not say whether Epsilon had been affected at all by the phishing attacks last year and that Return Path had no insight into or comment on the breach Epsilon disclosed late last week.

Spokespeople at Epsilon and its parent company, Alliance Data, did not return a call and e-mails seeking comment today. So far, the only key information the company has provided about the incident is that names and e-mail addresses of a "subset" of its 2,500 customers were exposed in the breach, which was detected on March 30.

It's unclear how many of Epsilon's clients and how many of their customers are affected, but a tally being kept at Databreaches.net was up to 57 this morning and it includes big names like Best Buy, Citibank, Chase, Capital One, Walgreens, Target, Best Buy, TiVo, TD Ameritrade, and Verizon.

Epsilon apologizes
"The unauthorized entry into an Epsilon email system was limited to email addresses and/or customer names only. No personal identifiable information (PII) was compromised, such as social security numbers, credit card numbers or account information," Alliance Data said in a statement last night. "Since the discovery of the unauthorized entry, rigorous internal and external reviews continue to confirm that only email addresses and/or names were compromised."

Epsilon is working with federal authorities and outside forensics experts on the investigation and has reviewed its security protocols controlling access to the system and further restricted them, the company said. Marketing campaigns were restarted, e-mail volumes are not expected to be significantly affected, and the impact of the incident to the company's financial performance or guidance are expected to be minimal if any, the blog said. "The greatest risk is the potential loss of valued clients," the company said.

"We are extremely regretful that this incident has impacted a portion of Epsilon's clients and their customers," said Bryan J. Kennedy, president of Epsilon. "We take consumer privacy very seriously and work diligently to protect customer information."

Ed Heffernan, chief executive of Alliance Data, said: "We fully recognize the impact this has had on our clients and their customers, and on behalf of the entire Alliance Data organization, we sincerely apologize. While we can't reverse what has already happened, we are taking every measure necessary to protect our clients and their most valuable assets--their customers. Once detected, we took immediate action to implement additional safeguards and launched a full investigation. We will leave no stone unturned and are dealing with this malicious act by highly sophisticated cyber-thieves with the greatest sense of urgency."

Related links
Who is Epsilon and why does it have my data?
Were you affected by Epsilon data breach?
How far did McDonald's-tied data breach ripple?

While it is unclear whether Epsilon was affected by the phishing attacks last year or how it was compromised in the latest incident, there is some indication that this may not be the first data breach at the company.

In December, Walgreens disclosed that its customer e-mails had been exposed in a breach, and a spokesman told CNET that the data compromise was not related to a breach at Silverpop revealed around the same time, but the company did not name its e-mail service provider that was compromised. (Silverpop also said it was only one of "several technology providers targeted as part of a broader cyberattack.")

Last weekend, Walgreens named Epsilon out right in its warning and when asked by DataBreaches.net if Epsilon was its provider that was breached last year, a spokesperson responded: "After the incident last year, Walgreens requested that Epsilon put a number (of) additional security measures in place. Apparently, that expectation was not fully met." (A Walgreens spokesperson has not responded to a request for comment from CNET.)

Anatomy of a phishing attack
The Return Path blog posts from last year provide some interesting details on how an Epsilon-type of company, or any company for that matter, could get compromised by attackers.

The spear phishing e-mails were aimed at more than 100 ESPs and gambling sites, typically using the employee's name and pretended to be from friends or co-workers, Return Path had said. The messages were sent numerous times, over different systems including the facility of the ESPs, via online greeting card sites, or by using a botnet of thousands of random compromised computers. The list of e-mail addresses was "very small" at less than 3,000 and all were aimed at employees who were responsible for e-mail operations, according to the original blog post. One example given twice by Return Path reads:

"Hey Neil, it's Michelle here, it has been a long time huh ? how're you doing ? how's your work with Return Path ? Is everything ok there ? Hey, can you believe it! I got married to Brian ! Yes I did. I tried to call but you did not answer. You have changed your number, haven't you? Just give meyour current telephone number if you read this mail. It's really a pity that we did not see you in our wedding. I wanted to invite you so much. Well, here I'm sending you a few pics taken in our wedding: (link removed) Let's keep in touch then. Love, Michelle & Brian"

The link was fake and instead directed people to a Web site hosting malware dubbed Win32.BlkIC.IMG, which disables antivirus software, a keylogger that steals passwords called iStealer, and a remote administration tool called CyberGate that "lets the criminals control the computer moving forward," Return Path said.

The spam later was changed to be a fraudulent e-mail for Adobe products, Return Path CEO Blumberg said in one of his posts.

(Hat tip to ITNews.com for dredging up the initial Return Path post. Brian Krebs also wrote about the attacks at the time.)

Updated April 11 at 11:06 a.m. PT to remove reference to American Express from list of companies affected.