Epsilon – Keep Calm and Carry On

There’s been a lot of media coverage and online discussion about the Epsilon data breach, and how it should be a big wake-up call to email recipients to change their behavior.
There’s also been a lot of panic and finger-pointing within the email industry about What Must Be Done In The Future. Most of the “you must do X in response to the data loss” suggestions are coming from the same people and groups who’ve been saying “you must do X” for years, and are just trying to grab the coattails of the publicity about this particular incident, though.
Not many people seem to be talking honestly about what this will really mean to an individual recipient whose email address Epsilon lost. I’m going to try to answer some of the questions I’ve seen asked realistically, rather than with an eye to forwarding an agenda.
1. Who are Epsilon?
Epsilon are an Email Service Provider, or ESP. That means that they handle sending email on behalf of other companies. If you’re on a company’s mailing list – you’re getting regular newsletters or special offers or any sort of email advertising – the odds are very good that the company isn’t sending you that email themselves. Instead they’re probably contracting with one of hundreds of ESPs to send the email for them. This is a good thing: sending email to a lot of people “properly” (delivered in a timely fashion, sent only to people who want it, and so on) is quite difficult to do well, and any ESP you choose is likely to be better at it than a typical company trying to start sending that bulk mail themselves.
2. What happened at Epsilon?
The what is pretty simple – somebody stole a list of names and email addresses of people who were being sent email via Epsilon. Nobody outside of Epsilon and law enforcement really knows the details of how it was done, though lots of people are speculating about it.
3. Is this identity theft? Do I need to check my credit rating and so on?
No, it’s not something that’s going to lead to identity theft. All that was stolen was your name, your email address and some of the companies who send you email. Your postal address, credit card numbers, social security numbers and so on aren’t at risk, even if you’ve given those to the companies who are sending you email. The only information those companies passed to Epsilon was your name and email address, nothing more, so that’s all that was stolen.
4. Is this common?
Yes, it happens all the time. I use tagged email addresses when I give them to a company, and I’ve done so fairly consistently for the better part of two decades. That lets me track when email addresses are leaked, by whom and to whom. Email addresses you give to a company leak to spammers all the time. That’s true for huge companies, tiny one-woman companies, tech-savvy companies, everyone.
5. How do email addresses leak from companies to spammers?
There are a lot of ways:

  • The company itself sells the email address (pretty rare, at least for reputable companies)
  • An employee at the company takes the email addresses and sells them (rare, but it happens, especially as people leave the company and take email addresses they have access to with them – an Oracle sales rep did that for one of my email addresses, for example)
  • The company subcontracts some part of their business – such as sending email – to a subcontractor and somebody there takes the addresses. (Not that common, but it can happen when a somewhat reputable company hires a semi-reputable marketer who hires a disreputable marketer who hires a spammer)
  • The company leaves the list of email addresses somewhere public and someone stumbles across them (rare for reputable companies but sadly common for hobbyist websites and tiny companies whose main presence is online)
  • Someone breaks into a company using an automated tool that attempts “simple” compromises at thousands of websites, and stumbles across data they can sell almost by accident (hard to say, but probably fairly common)
  • Someone targets a company and breaks into their computers specifically to steal addresses (probably quite rare, but a high profile incident when it does happen – as the current Epsilon coverage shows)
  • The email addresses are, for some reason, left on a Windows desktop or laptop, and that laptop is infected by a virus or compromised in some other way, then sends the list of addresses out to the internet, intentionally or otherwise (very common, especially in the case where you have a particular sales rep at a company, so they have your email address in their mail client’s address book). Email addresses will leak from your friends’ infected machines in just the same way.
  • … and lots of other ways

6. So why is this the first time I’m hearing about it?
I’m not really sure. The recent Epsilon leak was pretty big, and their customers have been fairly good about notifying people about it. That’s probably because there’s been a move in the past few years to thinking that people should be notified in such a case, and some law (at least in California) that requires it. Because of the size of the leak and the widespread notification, this particular incident has made it into social media, blogs, Facebook, Twitter and finally the mainstream media.
7. What bad things will happen to me?
Not many. Maybe none.
If you’ve not received any spam at all to your email address in the past then you might start receiving some now. You’d probably have started receiving spam sooner or later anyway, as email addresses leak all the time – from individuals and ISPs as well as vendors, marketers and ESPs.
If you’re already receiving spam, you might start getting a little more. Though likely not so much more that you’ll notice. The spammer ecosystem already has your email address, and they’re already sending you spam – if a few more spammers get your address from a new source you may get a little more.
It’s possible you’ll see some additional attempts to “phish” information such as passwords and account access from you. And those may be a little better targeted and better done as someone has a list of companies you’re expecting to receive email from. You should already be wary of phishing attempts, though, as you’re likely being targeted already – whether your data was stolen this time around or not.
If you’re suspicious about an email, or there’s a link in it that goes to a page where you’re going to have to enter a password or any other account information – don’t click on the link. Either go to a bookmarked page or type the link into your browser’s address bar instead.
That’s about it.
8. OK, what good things will happen to me?
Not many. You’re hopefully a little more aware of phishing now than you were, and you’ve got a better idea of what companies do with your email address.
9. What should I do?

Keep Calm and Carry On.
The world is not going to end. Bad guys aren’t going to take control of your life.
You should pay attention to companies who’ve notified you that they’ve had information stolen, and be somewhat more wary of email that claims to be from them over the next few months. You might want to change the email address you have on file with those companies, and then be very wary of any email claiming to come from them that goes to the old email address.
But remember that just because a company hasn’t notified you, it doesn’t mean that they’ve not had your email address stolen anyway, either in this incident or another one, so be wary of any email that’s asking you for account information, or directing you to a webpage where you need to log in or provide account information. Brian Krebs has some good advice about avoiding email scams and phishing – none of which is new advice, it’s just good advice that’s being repeated in response to the media mentions of the Epsilon leak.
You might want to use more than one email address – use one to deal with just your bank, for example, so that you know anything claiming to be from your bank to any other email address is probably someone trying to scam you.
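The tagged-address habit from question 4 and the one-address-per-company advice above amount to a simple leak audit: every message that reaches a tag from a sender other than the company that tag was given to is either a leak or an impersonation. The following is an added example, not code from the post; the mailbox you@example.net, the '+' sub-address separator, the company domains and the inbox log are all constructed.

```python
from email.utils import parseaddr

# Constructed address book (assumption): each company was handed its own
# '+' sub-addressed tag, mapped here to the domain that company legitimately
# sends from.
TAGGED_ADDRESSES = {
    "you+bank@example.net": "bank.example",
    "you+hotel@example.net": "hotel.example",
    "you+shop@example.net": "shop.example",
}

# Constructed inbox log: (To, From) header values of recent messages.
MESSAGE_LOG = [
    ("you+hotel@example.net", "Hotel Rewards <news@mail.hotel.example>"),
    ("you+hotel@example.net", "Hotel Rewards <offers@hotel-email.example>"),
    ("you+shop@example.net", "Your Bank <alerts@secure-bank-login.example>"),
    ("you+bank@example.net", "Your Bank <alerts@bank.example>"),
]


def split_tag(address, separator="+"):
    """Split 'user+tag@domain' into (user, tag, domain); tag is '' if absent."""
    local, _, domain = address.lower().partition("@")
    user, _, tag = local.partition(separator)
    return user, tag, domain


def sender_domain(from_header):
    """Domain of the address in a From: header, lowercased."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()


def is_under(domain, owner):
    """True if domain is owner itself or a subdomain of it."""
    return domain == owner or domain.endswith("." + owner)


def audit(log, book):
    """Attribute each message to the tag it arrived at and record senders
    that are not the company the tag was given to.

    Returns {tagged_address: {"given_to": company_domain,
                              "leaked_to": [foreign sender domains]}}.
    A non-empty leaked_to means the tag has leaked, or that someone is
    impersonating a company which never received that address.
    """
    report = {}
    for to, sender in log:
        to = to.lower()
        company = book.get(to)
        if company is None:
            continue                      # not one of the tracked tags
        entry = report.setdefault(to, {"given_to": company, "leaked_to": []})
        domain = sender_domain(sender)
        if not is_under(domain, company) and domain not in entry["leaked_to"]:
            entry["leaked_to"].append(domain)
    return report


def leaked_tags(report):
    """Sorted (tag, company) pairs whose address reached a foreign sender."""
    return sorted((split_tag(addr)[1], entry["given_to"])
                  for addr, entry in report.items() if entry["leaked_to"])


if __name__ == "__main__":
    for tag, company in leaked_tags(audit(MESSAGE_LOG, TAGGED_ADDRESSES)):
        print("tag %r given to %s has reached other senders" % (tag, company))
```

In the constructed log the "shop" tag receiving mail that claims to be from the bank is exactly the situation the advice above describes: whatever the message says, the bank was never given that address, so it is the tag that tells you to distrust it.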
10. What shouldn’t I do?
Don’t stop using email, personally or with companies. While I said above that email addresses get leaked all the time (and they do), only a small fraction do. For every email address I’ve given a company that’s leaked there have been a hundred that haven’t. Just don’t be too trusting of people sending you mail, and trust your instincts about it.
And don’t pay too much attention to anyone who is using this particular incident to promote their own product or to push you into major changes in behavior. Security companies and bloggers love loud, scary headlines as they tend to lead to more linking and traffic in a way that more sober, accurate reporting doesn’t.
You were at risk for phishing and spam a year ago, and you’re still at risk today. Nothing much has changed. Keep being wary of email-borne scams and phishing, but keep calm and carry on.

Related Posts

Authentication and phishing

Yahoo announced today that they are releasing the Yahoo! Mail Anti-Phishing Platform (YMAP) that will help protect their users from phishing. They have a similar project in place for eBay and PayPal mail, but this will extend to a broader range of companies.

Real. Or. Phish?

After Epsilon lost a bunch of customer lists last week, I’ve been keeping an eye open to see if any of the vendors I work with had any of my email addresses stolen – not least because it’ll be interesting to see where this data ends up.
Yesterday I got mail from Marriott, telling me that “unauthorized third party gained access to a number of Epsilon’s accounts including Marriott’s email list.” Great! Let’s start looking for spam to my Marriott tagged address, or for phishing targeted at Marriott customers.
I hit what looks like paydirt this morning. Plausible looking mail with Marriott branding, nothing specific to me other than name and (tagged) email address.
It’s time to play Real. Or. Phish?
1. Branding and spelling are all good. It’s using decent stock photos, and what looks like a real Marriott logo.
All very easy to fake, but if it’s a phish it’s pretty well done. Then again, phishes often steal real content and just change out the links.
Conclusion? Real. Maybe.
2. The mail wasn’t sent from marriott.com, or any domain related to it. Instead, it came from “Marriott@marriott-email.com”.
This is classic phish behaviour – using a lookalike domain such as “paypal-billing.com” or “aolsecurity.com” so as to look as though you’re associated with a company, yet to be able to use a domain name you have full control of, so as to be able to host websites, receive email, sign with DKIM, all that sort of thing.
Conclusion? Phish.
3. SPF pass
Given that the mail was sent “from” marriott-email.com, and not from marriott.com, this is pretty meaningless. But it did pass an SPF check.
Conclusion? Neutral.
4. DKIM fail
Authentication-Results: m.wordtothewise.com; dkim=fail (verification failed; insecure key) header.i=@marriott-email.com;
As the mail was sent “from” marriott-email.com it should have been possible for the owner of that domain (presumably the phisher) to sign it with DKIM. That they didn’t isn’t a good sign at all.
Conclusion? Phish.
5. Badly obfuscated headers
From: =?iso-8859-1?B?TWFycmlvdHQgUmV3YXJkcw==?= <Marriott@marriott-email.com>
Subject: =?iso-8859-1?B?WW91ciBBY2NvdW50IJYgVXAgdG8gJDEwMCBjb3Vwb24=?=

Base64 encoding of headers is an old spammer trick used to make them more difficult for naive spam filters to handle. That doesn’t work well with more modern spam filters, but spammers and phishers still tend to do it so as to make it harder for abuse desks to read the content of phishes forwarded to them with complaints. There’s no legitimate reason to encode plain ASCII fields in this way. SpamAssassin didn’t like the message because of this.
Conclusion? Phish.
6. Well-crafted multipart/alternative mail, with valid, well-encoded (quoted-printable) plain text and html parts
Just like the branding and spelling, this is very well done for a phish. But again, it’s commonly something that’s stolen from legitimate email and modified slightly.
Conclusion? Real, probably.
7. Typical content links in the email
Most of the content links in the email are to things like “http://marriott-email.com/16433acf1layfousiaey2oniaaaaaalfqkc4qmz76deyaaaaa”, which is consistent with the from address, at least. This isn’t the sort of URL a real company website tends to use, but it’s not that unusual for click tracking software to do something like this.
Conclusion? Neutral.
8. Atypical content links in the email
We also have other links:
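Items 2, 4 and 5 of the checklist above are mechanical enough to script. The following is an added example, not code from the post: it takes the From, Subject and Authentication-Results lines quoted above (the only assumption is that marriott.com is the brand the mail claims to represent), decodes the RFC 2047 encoded-words, parses the authentication results, and flags a lookalike sender domain, a DKIM failure, and headers whose encoding hides nothing but plain ASCII.

```python
import base64
import quopri
import re
from email.utils import parseaddr

# The three header lines quoted in the post, assembled into a constructed
# sample message.
SAMPLE_HEADERS = {
    "From": "=?iso-8859-1?B?TWFycmlvdHQgUmV3YXJkcw==?= <Marriott@marriott-email.com>",
    "Subject": "=?iso-8859-1?B?WW91ciBBY2NvdW50IJYgVXAgdG8gJDEwMCBjb3Vwb24=?=",
    "Authentication-Results": "m.wordtothewise.com; dkim=fail "
                              "(verification failed; insecure key) header.i=@marriott-email.com;",
}
BRAND_DOMAIN = "marriott.com"   # assumption: the brand the mail claims to come from

ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")


def decode_encoded_words(value):
    """Decode RFC 2047 encoded-words in a header value.

    Returns (decoded_text, findings). A finding is recorded when an
    encoded-word hides nothing but printable ASCII (the trick the post
    describes), or when an iso-8859-* word carries 0x80-0x9F bytes, which
    are C1 controls in that charset and usually mean windows-1252 text was
    mislabelled.
    """
    findings = []

    def replace(match):
        charset, encoding, payload = match.groups()
        if encoding.lower() == "b":
            raw = base64.b64decode(payload)
        else:
            raw = quopri.decodestring(payload.encode("ascii"), header=True)
        if all(0x20 <= b < 0x7F for b in raw):
            findings.append("needless encoding of plain ASCII %r" % raw.decode("ascii"))
        if charset.lower().startswith("iso-8859") and any(0x80 <= b <= 0x9F for b in raw):
            findings.append("C1 control bytes under %s (windows-1252 mislabelled?)" % charset)
        try:
            return raw.decode(charset, errors="replace")
        except LookupError:                     # unknown charset label
            return raw.decode("latin-1")

    return ENCODED_WORD.sub(replace, value), findings


def sender_domain(from_header):
    """Domain of the address in a From: header, after decoding it."""
    decoded, _ = decode_encoded_words(from_header)
    return parseaddr(decoded)[1].rpartition("@")[2].lower()


def classify_domain(domain, brand_domain):
    """'brand' if the sender is the brand domain or a subdomain of it,
    'lookalike' if it merely contains the brand's name, else 'unrelated'."""
    if domain == brand_domain or domain.endswith("." + brand_domain):
        return "brand"
    if brand_domain.split(".")[0] in domain:
        return "lookalike"
    return "unrelated"


def parse_authentication_results(value):
    """Map each method in an Authentication-Results header to its result,
    e.g. {'dkim': 'fail'}. Parenthesised comments are dropped first, since
    they may themselves contain semicolons (as the sample does)."""
    value = re.sub(r"\([^)]*\)", "", value)
    _authserv_id, _, rest = value.partition(";")
    results = {}
    for clause in rest.split(";"):
        m = re.match(r"\s*([a-z0-9-]+)\s*=\s*([a-z0-9-]+)", clause, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def assess(headers, brand_domain):
    """Return (observation, verdict) pairs in the spirit of the post's list."""
    verdicts = []
    domain = sender_domain(headers["From"])
    kind = classify_domain(domain, brand_domain)
    verdicts.append(("sender domain %s is a %s domain" % (domain, kind),
                     "phish" if kind == "lookalike" else "neutral"))
    auth = parse_authentication_results(headers.get("Authentication-Results", ""))
    if auth.get("dkim") == "fail":
        verdicts.append(("DKIM failed for a domain the sender controls", "phish"))
    for name in ("From", "Subject"):
        _, findings = decode_encoded_words(headers.get(name, ""))
        for finding in findings:
            verdicts.append(("%s header: %s" % (name, finding), "phish"))
    return verdicts


if __name__ == "__main__":
    for observation, verdict in assess(SAMPLE_HEADERS, BRAND_DOMAIN):
        print("%-8s %s" % (verdict, observation))
```

Decoding the two quoted headers also shows a detail the naked eye misses: the From display name really is plain ASCII ("Marriott Rewards"), while the Subject contains a single 0x96 byte, which is an en dash in windows-1252 but a C1 control character in the iso-8859-1 the header claims. Either way the encoding tells you the mail came from sloppy tooling rather than a careful sender.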

How to disable a domain

Sometimes you might want to make it clear that a domain isn’t valid for email.
Perhaps it’s a domain or subdomain that’s just used for infrastructure, perhaps it’s a brand-specific domain you’re only using for a website. Or perhaps you’re a target for phishing and you’ve acquired some lookalike domains, either pre-emptively or after enforcement action against a phisher, and you want to make clear that the domain isn’t legitimate for email.
There are several things to check before disabling email.
1. Are you receiving email at the domain? Is anyone else?
Check the MX records for the domain, using “host -t mx example.com” from a unix commandline, or using an online DNS tool such as xnnd.com.
If they’re pointing at a mailserver you control, check to see where that mail goes. Has anything been sent there recently?
If they’re pointing at a mailserver that isn’t yours, try and find out why.
If there are no MX records, but there is an A record for the domain then mail will be delivered there instead. Check whether that machine receives email for the domain and, if so, what it does with it.
Try sending mail to postmaster@ the domain, for instance postmaster@example.com. If you don’t get a bounce within a few minutes then that mail may be being delivered somewhere.
2. Are you sending email from the domain? Is anyone else?
You’re more likely to know whether you’re sending mail using the domain, but there’s a special case that many people forget. If there’s a server that has as its hostname the domain you’re trying to shut down, then any system software running on that server – monitoring software, security alerts, output from cron and so on – is probably using that hostname to send mail. If so, fix that before you go any further.
3. Will you need mail sent to that domain for retrieving passwords?
If there are any services that might have been set up using an email address at the domain then you might need a working email address there to retrieve lost passwords. Having to set email back up for the domain in the future to recover a password is time consuming and annoying.
The domain registration for the domain itself is a common case, but if there’s any DNS or web hosting being used for the domain, check the contact information being used there.
4. How will people contact you about the domain?
Even if you’re not using the domain for email it’s quite possible that someone may need to contact you about the domain, and odds are good they’ll want to use email. Make sure that the domain registration includes valid contact information that identifies you as the owner and allows people to contact you easily.
If you’re hosting web content using the domain, make sure there’s some way to contact you listed there. If you’re not, consider putting a minimal webpage there explaining the ownership, with a link to your main corporate website.
5. Disabling email
The easiest way to disable email for a domain is to add three DNS records for the domain. In bind format, they look like:
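The excerpt ends before the post's own records, so what follows is an added example and not those records. It assumes the three records are the now-standard trio: a null MX (RFC 7505), an SPF record of "v=spf1 -all", and a DMARC policy of p=reject. The code parses them from a bind-style fragment and then judges whether the domain still receives or sends mail, including the step 1 fallback above (no MX but an A record means mail is still delivered). The zone fragments and domains are constructed.

```python
import re

# Constructed zone fragment. Assumption (the post's own records are not in
# the excerpt): email is disabled with a null MX, an SPF record of
# "v=spf1 -all" and a DMARC policy of p=reject.
DISABLED_ZONE = """
example.com.         IN MX  0 .
example.com.         IN TXT "v=spf1 -all"
_dmarc.example.com.  IN TXT "v=DMARC1; p=reject"
"""

# Constructed counter-example: the MX was deleted but the web server's A
# record remains, so mail falls back to it (the step 1 case).
HALF_DONE_ZONE = """
example.org.         IN A   192.0.2.10
example.org.         IN TXT "v=spf1 a -all"
"""


def parse_zone(text):
    """Parse 'name IN TYPE rdata' lines from a bind-style fragment into
    (name, type, rdata) tuples. TTLs, $ORIGIN and ; comments are left
    unsupported to keep the parser short; TXT rdata loses its quotes."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, cls, rtype, rdata = line.split(None, 3)
        if cls.upper() != "IN":
            raise ValueError("only class IN is supported: %r" % line)
        rdata = rdata.strip()
        if rtype.upper() == "TXT":
            rdata = rdata.strip('"')
        records.append((name.rstrip(".").lower(), rtype.upper(), rdata))
    return records


def email_status(records, domain):
    """Work out whether `domain` still receives or sends mail.

    Returns a dict with 'receiving' and 'sending' verdicts, the DMARC
    policy found ('missing' if none), and 'disabled', which is True only
    when all three records from the assumption above are present.
    """
    domain = domain.rstrip(".").lower()
    own = [(t, r) for n, t, r in records if n == domain]
    mx = [r for t, r in own if t == "MX"]
    addr = [r for t, r in own if t in ("A", "AAAA")]
    spf = [r for t, r in own if t == "TXT" and r.lower().startswith("v=spf1")]
    dmarc = [r for n, t, r in records
             if n == "_dmarc." + domain and t == "TXT" and r.upper().startswith("V=DMARC1")]

    if any(r.split() == ["0", "."] for r in mx):
        receiving = "disabled (null MX, RFC 7505)"
    elif mx:
        receiving = "delivered to MX host(s): " + ", ".join(mx)
    elif addr:
        receiving = "no MX, so mail falls back to the address record(s): " + ", ".join(addr)
    else:
        receiving = "no MX and no address record, so mail is undeliverable"

    if not spf:
        sending = "no SPF record, so any host may claim to send for the domain"
    elif spf[0].split()[1:] == ["-all"]:
        sending = "disabled (v=spf1 -all)"
    else:
        sending = "SPF still permits senders: " + spf[0]

    match = re.search(r"\bp\s*=\s*(\w+)", dmarc[0]) if dmarc else None
    policy = match.group(1).lower() if match else "missing"

    disabled = (receiving.startswith("disabled") and sending.startswith("disabled")
                and policy == "reject")
    return {"receiving": receiving, "sending": sending, "dmarc": policy, "disabled": disabled}


if __name__ == "__main__":
    for zone, name in ((DISABLED_ZONE, "example.com"), (HALF_DONE_ZONE, "example.org")):
        print(name, email_status(parse_zone(zone), name))
```

The half-done zone is the common mistake: removing the MX alone does not stop inbound mail while an A record exists, and an SPF record that still lists mechanisms other than -all keeps the domain usable for sending.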