The Hacker News
Hackers behind what computer security experts believe could be the biggest data theft in US history may be planning to sell the information to cyber criminals for targeted scams.

And while the tens of millions of names and email addresses swiped from online marketing firm Epsilon do not appear to have been used yet for cyber crime, the experts said it may just be a matter of time.

Major US banks, hotels, retail outlets and other companies have been warning customers to be wary of fraudulent emails after Epsilon acknowledged last week that hackers had gained access to the Texas-based company's email system.

Epsilon, which provides email services for some 2,500 companies around the world, has said that customer data for about two per cent of its total clients was exposed in what it called an "unauthorized entry."

Epsilon, which sends out over 40 billion emails a year, did not identify the firms whose customers' names and email addresses were taken but dozens of US companies have come forward over the past few days.

"It's basically a who's who from the retail and banking space," said Nicholas Percoco, head of Trustwave's SpiderLabs. "Some of the top brands in the world."

They include Hilton and Marriott hotels, telecom giant Verizon, drugstore chain Walgreens, the Home Shopping Network and retailers Best Buy, Kroger, New York & Co. and Target.

Among the banking and financial firms that have notified customers of the breach are Citigroup, JPMorgan Chase, Capital One, US Bank, Barclays Bank of Delaware and Ameriprise Financial.

Security experts said the data theft at Epsilon could be the largest ever in terms of sheer volume, comparable to the exploits of Albert Gonzalez, one of the most prolific US commercial hackers ever.

Gonzalez is serving 20 years in prison for stealing tens of millions of debit and credit card numbers from firms supporting major US retailers and financial institutions.

Percoco said the Epsilon data theft may involve as many as 100 million unique email addresses and "could end up being the largest breach ever of raw personal data, consumer data."

Marian Merritt, Internet Safety Advocate at Symantec, the maker of Norton anti-virus software, said data breaches occur frequently but "all indications are this could be the biggest one in history."

It is unlikely to prove as damaging, however, as the Gonzalez scams.

"The good news is it's just the names and the email addresses and the affiliation of the company that you did business with," said Joris Evers, a security expert at McAfee.

"It's not your credit card number or your social security card number or your home address... information that could be more personal and used in more nefarious ways immediately," Evers said. "There's a lot of work to do before you can convert this into cash."

The Epsilon data does not appear to have been used yet for any cyber crime.

"We have been looking around since this news broke for spam and scams and scammy websites that potentially take advantage of this breach and we haven't seen anything just yet," Evers said.

That may be because the hackers who carried out the Epsilon attack intend to sell the information to other cyber criminals, the experts said.

"They may be people who are buying and selling stolen data bases of user names and email addresses," said Symantec's Merritt.

"There are marketplaces on the Internet, underground markets, where people sell bulk bunches of email addresses and names," Evers added. "You can buy a million email addresses for 20 dollars or something like that.

"But that's just email addresses, mailing lists that you can then start spamming."

The information stolen from Epsilon is more valuable because it links names and email addresses with particular companies that an individual already has a trusted relationship with.

"They've got your name, not your user name, but your actual name, your email address and brands that you regularly do business with and trust in an email relationship," Merritt said.

"You've already identified yourself as willing to receive communications from those brands," she said. "So the cybercriminals have pretty good information to use against you."

Evers said such information can be a "treasure trove" for cyber attackers because now they can start personally targeting individuals, a tactic known as "spear phishing."

For example, "you might have bought something from LL Bean recently," he said. "You receive an email that says 'We want to confirm your order, please click here.'

"And you end up on a website that infects your computer with something. Or you're asked to type in your credit card number again to make sure the order goes through," he said. "And now, boom, I have your credit card information." Whatever form the attacks take, experts are certain they're coming.

"They didn't go get these email addresses and names just to get them," Percoco said. "They're going to use them."

Source :

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.