
Epsilon Interactive Breach: the Fukushima of the Email Industry

“Marketing as Usual? Not a chance.” —Epsilon corporate catch phrase

A series of attacks on the Email Service Provider (ESP) community began in late 2009. The criminals spear-phish their way into these companies that provide out-sourced mailing infrastructure to their clients, who are companies of all types and sizes.

Upon gaining access to an ESP, the criminals steal subscriber data (PII such as names, addresses, telephone numbers and email addresses, and in one case, Vehicle Identification Numbers). They then use the ESP’s own mailing facility to send spam; to monetize their illicit acquisition, the criminals have spammed ads for fake Adobe Acrobat and Skype software.

On March 30, the Epsilon Interactive division of Alliance Data Marketing (ADS on NASDAQ) suffered a massive breach that upped the ante, substantially. Email lists of at least eight financial institutions were stolen.

The obvious issue at hand is that the thieves can now undertake targeted spear-phishing: they hold names, email addresses and knowledge of which institutions each of these users does business with, which makes the problem as serious as it could possibly be.

What to do?

CAUCE is calling on the ESP and ISP/Receiver industries to implement these measures across the board, to protect the PII of end-users everywhere. What follows are best common practices that have existed for many years. It is time to take a stand against the data-thieves, and begin to properly protect end-users, without fail.

ESP & Senders

  • Security must be the top corporate priority. Both Silverpop and Epsilon Interactive were either breached repeatedly, or failed to fully mitigate their initial security lapse in December. I was told by one ESP security staffer that he hadn’t been given sufficient resources to effect all the appropriate changes. That is at best lamentable.
  • Two-factor authentication must be implemented for ESP system access for both staff and clients.
  • Senders and ESPs must sign all email with DKIM, and authenticate all mailing IPs with SPF.
  • ESPs must check all outbound content against domain blacklists such as SURBL and the Spamhaus DBL before deployment.
  • ESPs and Senders must deploy extended-validation certificates on web properties.
  • ESPs and brand owners should use the services of email authentication services such as Authentication Metrics, eCert, Return Path, and Truedomain, as well as anti-phishing services like BrandProtect and Internet Identity, and tools such as Lashback’s BrandAlert.
  • ESPs must adopt and embrace a culture of transparency and commit to cooperative full disclosure.

“Epsilon has refused to provide additional details on what other brands may have been affected.” (Security Week)

“SilverPop did not respond to requests for comment.” (Krebs on Security)

While it is the instinctive corporate reaction to be secretive, such a strategy exacerbates the frustration of the other set of victims of data-theft, namely the end-users. A complete list of breached clients is fundamental to protecting end-users, and allowing them to protect themselves.

Receiving Systems

Desperate times call for desperate measures. CAUCE calls upon the receiving community to better protect end-users.

  • Email receivers must follow Yahoo! Mail’s lead and deploy multi-layer phishing protection.
  • Email receivers must deploy DKIM and SPF checking, and treat messages failing such checks accordingly: by labeling the subject line, placing them in a spam folder, or blocking them entirely.
  • Email receivers must deploy checks using URI blacklists like SURBL and Spamhaus on message headers and on the domains found in message content.
  • Email receivers must take extreme measures, even if there are false positives. Better safe than sorry: given the potential damage these breaches can cause to a recipient, far better that there are false positives (legitimate email refused or sidetracked to the bulk folder) than false negatives (illicit email delivered to the inbox).
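The receiver-side checks above (DKIM/SPF results, URI blacklist lookups on headers and content, and the choice between labeling, bulk-foldering and rejecting) share one mechanic with the ESP outbound check listed earlier: pull every domain out of the message and query it against a DNS-based list such as the Spamhaus DBL or SURBL. The script below is an added example written for this post; it is not CAUCE’s, Spamhaus’ or SURBL’s code. It assumes the standard query form `<domain>.<zone>` with an A record in 127.0.0.0/8 meaning “listed”, a few DBL return-code meanings that you should confirm against Spamhaus’ current documentation, an authserv-id of `mx.example.net` for the receiving MX, and a constructed message and constructed DNS answers so that it runs offline.

```python
# Receiver-side triage: RFC 8601 Authentication-Results plus URI-domain DNSBL lookups.
# Added example for this post; not CAUCE's, Spamhaus' or SURBL's code.
import email
import re
import socket
from email import policy
from typing import Callable, Dict, Iterable, Optional, Set, Tuple

# Zones named in the post.  Both are queried as <domain>.<zone>; a listed
# domain returns an A record in 127.0.0.0/8, an unlisted one returns NXDOMAIN.
DBL_ZONE = "dbl.spamhaus.org"
SURBL_ZONE = "multi.surbl.org"

# DBL return codes as this example assumes them (check Spamhaus' current docs).
DBL_CODES = {
    "127.0.1.2": "spam domain",
    "127.0.1.4": "phish domain",
    "127.0.1.5": "malware domain",
    "127.0.1.6": "botnet C&C domain",
}

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
MAILBOX_DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)")
AUTH_RESULT_RE = re.compile(r"(spf|dkim|dmarc)=(\w+)")

Resolver = Callable[[str], Optional[str]]  # hostname -> A record, or None for NXDOMAIN


def live_resolver(name: str) -> Optional[str]:
    """Real DNS lookup, for when you actually want to hit the public zones."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def parse_message(raw: bytes):
    return email.message_from_bytes(raw, policy=policy.default)


def extract_domains(msg) -> Set[str]:
    """Hostnames from URLs in text parts, plus URL and mailbox domains in sender headers."""
    found: Set[str] = set()
    for name in ("From", "Reply-To", "Return-Path"):
        for value in msg.get_all(name, []):
            found.update(h.lower() for h in URL_HOST_RE.findall(str(value)))
            found.update(h.lower() for h in MAILBOX_DOMAIN_RE.findall(str(value)))
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            found.update(h.lower() for h in URL_HOST_RE.findall(part.get_content()))
    # Bare IP literals are not domains and must not be sent to the DBL.
    return {d for d in found if not re.fullmatch(r"[\d.]+", d)}


def blocklisted(domains: Iterable[str], resolver: Resolver,
                zones: Tuple[str, ...] = (DBL_ZONE, SURBL_ZONE)) -> Dict[str, Tuple[str, str, str]]:
    """Map each listed domain to (zone, return code, meaning)."""
    hits: Dict[str, Tuple[str, str, str]] = {}
    for domain in sorted(domains):
        for zone in zones:
            answer = resolver(f"{domain}.{zone}")
            if answer is not None:
                hits[domain] = (zone, answer, DBL_CODES.get(answer, "listed"))
                break
    return hits


def auth_results(msg, authserv_id: str) -> Dict[str, str]:
    """spf/dkim/dmarc verdicts from Authentication-Results written by OUR MX only.
    Headers with any other authserv-id may be forged upstream and are ignored."""
    results: Dict[str, str] = {}
    for hdr in msg.get_all("Authentication-Results", []):
        clauses = [c.strip() for c in str(hdr).split(";")]
        if not clauses or clauses[0].split()[0] != authserv_id:
            continue
        for clause in clauses[1:]:
            m = AUTH_RESULT_RE.match(clause)
            if m:
                results[m.group(1)] = m.group(2)
    return results


def triage(msg, resolver: Resolver, authserv_id: str = "mx.example.net") -> Dict[str, object]:
    """inbox / label-subject / spam-folder / reject, erring toward false positives."""
    auth = auth_results(msg, authserv_id)
    hits = blocklisted(extract_domains(msg), resolver)
    if hits:
        action = "reject"         # listed phish/malware/spam domain in the mail: block it
    elif "fail" in (auth.get("dkim"), auth.get("spf")):
        action = "spam-folder"    # explicit authentication failure
    elif "pass" not in (auth.get("dkim"), auth.get("spf")):
        action = "label-subject"  # unauthenticated: prefix the Subject so the reader is warned
    else:
        action = "inbox"
    return {"action": action, "auth": auth, "blocklist": hits}


# Constructed sample: a spear-phish spoofing a bank, with a listed landing domain.
SAMPLE_PHISH = b"""\
Return-Path: <bounce@example-esp.test>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example-esp.test; dkim=fail header.d=bank.example
From: "Bank Security" <alerts@bank.example>
To: victim@example.net
Subject: Please verify your account
Content-Type: text/plain; charset=us-ascii

Dear customer, confirm your details at http://login-bank-verify.test/update
"""

# Constructed DNS answers standing in for the public zones, so the example runs offline.
CONSTRUCTED_LISTINGS = {f"login-bank-verify.test.{DBL_ZONE}": "127.0.1.4"}


def offline_resolver(name: str) -> Optional[str]:
    return CONSTRUCTED_LISTINGS.get(name)


if __name__ == "__main__":
    print(triage(parse_message(SAMPLE_PHISH), offline_resolver))
```

Two points matter in practice. First, only honour Authentication-Results headers that carry your own authserv-id; anything else may have been planted by the sender, and the border MTA should strip such headers before delivery. Second, the ordering of the decision is deliberate: a listed domain is rejected outright regardless of authentication, a hard SPF or DKIM failure goes to the bulk folder, and a message with no positive result is delivered only with a labelled subject, which is the false-positive-tolerant stance the post argues for. An ESP can run `extract_domains` and `blocklisted` over a campaign before it is deployed, with `live_resolver` in place of the offline one.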

The list of breached companies

These financial institutions were affected by the breach:

  • American Express
  • Ameriprise Financial
  • Barclays Bank of Delaware
  • Capital One
  • CITI
  • JP Morgan Chase
  • Moneygram
  • Scottrade
  • TD Ameritrade
  • TIAA-CREF
  • U.S. Bank
  • World Financial Network National Bank (Victoria’s Secret card)

As well, these marketing and retail companies have reportedly had their clients’ names, email addresses and, in some cases, other information stolen:

  1. 1800Flowers.com
  2. AbeBooks (division of Amazon)
  3. Airmiles
  4. Beachbody
  5. Benefit Cosmetics
  6. Best Buy
  7. Best Buy Canada Reward Zone
  8. Brookstone
  9. City Market
  10. CollegeBoard
  11. Dillons
  12. Disney Destinations
  13. Eileen Fisher
  14. Ethan Allen
  15. Food 4 Less
  16. Fred Meyer
  17. Fry’s
  18. Hilton HHonors
  19. Home Shopping Network
  20. Jay C
  21. King Soopers
  22. Krogers
  23. Lacoste
  24. L.L. Bean credit card
  25. Marks and Spencer
  26. Marriott Rewards (Update: Marriott confirmed NO points totals were taken)
  27. McKinsey Quarterly
  28. New York & Company
  29. QFC
  30. Ralphs
  31. Red Roof Inns
  32. Ritz-Carlton (Update: Ritz-Carlton confirmed NO points totals were taken)
  33. Robert Half
  34. Smith’s
  35. Soccer.com
  36. Target
  37. TiVo
  38. Verizon
  39. Viking River Cruises (unconfirmed)
  40. Walgreens (for the second time)

By Neil Schwartzman, Executive Director, The Coalition Against Unsolicited Commercial Email (CAUCE)


Comments

Michele Neylon – Apr 5, 2011 9:18 AM

Seemingly *some* people have been contacted by the affected companies to warn them about the breach. I’m on several of these lists and have yet to receive any warnings, which I’m not overly impressed about.
