CounterMeasures - A Security Blog � Social Engineering

’tis the season to be squatting

Rik Ferguson — Wed, 14 Dec 2011 16:06:36 +0000

In the run up to Christmas criminals are abusing the opportunity to prey on online shoppers with tired eyes and weary fingers. Many thousands of misspelled versions of popular retail destinations have been registered by criminals in the hope that the unwary consumer will land there by accident. Customers of popular online retailers such as John Lewis, Debenhams and Argos have all been targeted.

Image from Joe Shlabotnik's Flickr stream under creative commons

The criminal websites are often copies of the legitimate website, copies that aim to pass off counterfeit goods, redirect the visitor through money-spinning advertising links or to harvest personal and financial information if a “purchase” is made. In other instances the misspelled domain names can lead to objectionable content or even to websites loaded with exploits that aim to infect the victim machine with information stealing malware or to recruit it into a botnet, a network of compromised machines under the remote control of a criminal.

Typosquatting has been around almost as long as the world-wide web, in fact US legislation dating back to 1999, the Anticybersquatting Consumer Protection Act, contains a specific clause (Section 3a) aimed at combatting this phenomenon. In the past individual companies have been known to spend large amounts of money in bringing cybersquatters to justice. Lego, for example, have previously spent more than half a million US dollars pursuing cybersquatters through the Uniform Domain-Name Dispute-Resolution Policy (UDRP) going after such domain names as legoworskhop.com in and effort to protect their brand.

However in this most recent outbreak of typosquatting, we are not talking about domain names which simply include the names of well-known brands, rather those that prey on our lack of attention to detail. In the rush to get the online Christmas shopping done, how sure can you really be that you were shopping at the legitimate debenhams.com rather than the typosquatted debanhams.com, or marksandspencer.com rather than marsandspencer.com or markandspencer.com (I would recommend *not* visiting these by the way.

This year and last, British law enforcement have been doing their best to crack down on dodgy online shopfronts, however efforts to suspend illegitimate domain names can only ever represent a game of whac-a-mole in the fight against evil online traders. Criminals can register vast reserves of domain names in advance and, when one gets shut down, simply activate another as required.

And that is the real issue, far too many DNS domains, including .co.uk and those of many other countries, are operated as “open” domains and in the words of Nominet

“We do not impose restrictions on your status as applicant for the registration of a Domain Name in the following SLDs (“Open SLDs”):

1. 4.4.1 .co.uk; or

2. 4.4.2 .org.uk.

In the SLD Charter of the SLD Rules for the Open SLDs we do set out certain intentions regarding the class of applicant or use of registrations of the Domain Name which we assume you will comply with when applying for a registration of a Domain Name within an Open SLD. However, we do not forbid applications, and will take no action in respect of registrations that do not comply with the SLD Charters”

Until regulation is tightened and international cooperation is improved then well-intentioned law-enforcement initiatives will only be treating the symptom not addressing the cause.

In the meantime, be careful where you click and if you are planning on some serious online shopping sessions you may be wise to create yourself some bookmarks to popular online shopping sites rather than relying on your typing skills standing up to the Christmas rush.

On that note here are 5 great tips for shopping safely online from Trend Labs.

Making the most of Facebook privacy – Part III

Rik Ferguson — Tue, 11 Oct 2011 12:04:07 +0000

The full guide to Facebook security settings is now available for download Making the Most Out of Facebook’s Privacy Settings.

The first part of this series can be found here, and part two here.

Lists – Control privacy when you post

Use the Facebook lists feature to divide your friends into lists. This is a great feature for protecting your privacy because it allows you to select an individual audience for each one of your status updates or wall posts, be aware though it is not possible to individualise the audience for your “Likes”.

Facebook offers three default lists; Close Friends, Acquaintances and Restricted. Dividing friends between “Close friends” and “Acquaintances” will influence how much or how little they show up in your news feed. Adding a friend to the “Restricted” list means they will only be able to see content that you make “Public”. Facebook has also introduced the concept of Smart Lists, these could be related to where you live, where you work, or where you went to school for example.

If you add a friend to any of the “Close Friends”, “Acquaintances” or “Restricted” lists, they will not be informed. However, be aware that if you add a friend to a Smart List that is related to a place of work or college for example, they will receive a notification that you have done so and will be able to approve that information for posting to their own timeline. You can also create custom lists and again your friends will not be notified if they are added to these lists. It is worth noting that when you share content with a specific list of friends, your friends will not see the name of the list you have shared it with, but they will see that you have chosen a restricted audience for your post and they will be able to see every individual name in that group.

Subscriptions

Subscriptions is a new Facebook feature that allows you to follow the public activity of people on Facebook, without having to add them as a friend. Of course this means that the possibility exists for people to follow your content, without you having accepted them as a friend as well. It’s one more reason to tightly control your privacy on Facebook. For example, default behaviour on Facebook if you defriend someone is that they will remain subscribed to you and able to see any public content and perhaps content that is shared by mutual friends too, unless you do something about it. If you want to enable or disable the permission for other users to subscribe to your content, go to your timeline and click the arrow to expand the view of your “favourites boxes”. You will see the subscriptions box, click the box and you will be able either to click the “Allow subscribers” box or, more advisedly a “Settings” button where you will be able to turn it off.

Events

Any “Public” event you have responded to will feature on your timeline and will be shared with the public, meaning that anyone viewing your Facebook profile will be able to see these events. To hide these events from your timeline, view your timeline, click “View Activity” and select “Events” from the activity type drop down menu that appears on the right. You may then hide any events you wish from being displayed on your timeline.

Check yourself out!

If you want to check how the changes you have made have affected the information you share you can view your own timeline as another Facebook user would see it, or as it is visible to the general public. To do this, select the downward pointing arrow just to the right of “View Activity”, select “View As…” and type the name of the friend whose view of your profile you wish to preview, or click the “public” link. This is a great way of identifying those last few pesky events, photos, videos or stories that may still be publicly visible. You can then find each unique event in your Activity Log and refine the audience to whom it is visible or remove it entirely from your timeline.

Five rules to remember…

1. If you post on someone’s wall then you cannot control the privacy of your post . The visibility of the comment is defined by the original post which may be less restricitve than you want, for example, “Friends of Friends”.

2. If you restrict the audience of a post in order that certain friends cannot see it that restriction should not be considered final. If someone later posts a comment that tags a Facebook user who was not a part of the original audience, then the entire thread and original post will be visible to that person. Be careful what you post.

3. If you post on, or respond to an invitation to a public event or a public page; you cannot control the privacy of your post. You can only hide it from your timeline after the post has been made.

4. If you post on a friends wall where their privacy setting is “friends of friends”, then any of your friends who are on your Restricted list will be able to see that post, because they are your friends.

5. This means that anything you post which is “Public” or “Friends of friends” (either by your own settings or those of the recipient) may show up in the ticker of people you do not necessarily know, have restricted or have defriended.

Making the most of Facebook privacy – Part II

Rik Ferguson — Tue, 11 Oct 2011 11:40:14 +0000

The full guide to Facebook security settings is now available for download Making the Most Out of Facebook’s Privacy Settings.

The first part in this series of posts can be found here.

Now it gets more granular… Let’s look at “Privacy Settings” which can be accessed through the drop down menu in the top right of your Facebook page.

Facebook privacy settings

How you connect:

Change the setting for “Who can look up your timeline by name or contact info”, “Who can post on your timeline” and “Who can see posts by others on your timeline” to Friends. The default setting is Everyone except for “Who can see posts by others” which defaults to Friends of Friends, this setting is the cause of much of the noise in the ticker that so upset everyone when it was introduced.

The settings for “Who can send you messages” and “Who can send you friend requests” are just a question of how contactable you want to be, personal preference, again the default is Everyone.

How tags work:

Set Timeline Review to On. This does not stop you from being tagged in posts and those posts and tags will still appear in others’ feeds if they are connected to the originator or to someone else tagged in the photo, but they won’t appear on your wall/Timeline until you approve them. By default this is turned off.

Set Tag Review to On. When someone tags your content, you must review before it is posted. This is useful because once a person is tagged in a picture, post or comment, both that person and their own friends can see the content. Content you may not have wanted to share more widely. By default this is turned off.

Set Maximum Timeline Visibility to Friends. This controls the maximum extent of who can view posts to your *own* timeline. Don’t forget this content may have initially been posted on someone else’s wall and you cannot restrict the visibility of the original post. By default this is set to Friends of Friends.

Set Tag Suggestions to Off. This feature will suggest your name when someone uploads a picture that Facebook thinks looks like you. By default this is turned on.

Set Friends can check you into Places to Off – that way, you’re not going to get checked in to somewhere you would rather have kept secret, or even somewhere you never were. By default this is turned on.

Apps and websites

The Information accessible through your friends section controls what information about you can be accessed by Apps that your friends may have installed. Deselect every check box in this section. You will find that by default they are almost all allowed.

Instant personalisation shares Facebook data with certain partner websites. If the option is available, uncheck the box to turn it off. If it is greyed out it means that Instant personalisation is not yet available to your account. Note that it is turned on by default, so try to remember to keep an eye on it because you are not able to disable until the feature is already turned on…

Public Search, if you’ve been following the recommendations so far, this feature should already be off because you changed Who can look up your timeline to Friends only.

Limit the audience for past posts. Click Manage past post visibility and then click Limit old posts. This will ensure that any posts you have made in the previous years on Facebook will have their privacy restricted to Friends only. Unfortunately there is no indicator that tells you whether you have previously done this, so if you’re unsure, just do it again.

Part three of this series is available here.

Making the most of Facebook privacy – Part I

Rik Ferguson — Tue, 11 Oct 2011 11:07:29 +0000

The full guide to Facebook security settings is now available for download Making the Most Out of Facebook’s Privacy Settings.

Since the long list of new features recently unveiled has begun to be rolled out for all Facebook users; I have been receiving ever-increasing amounts of questions from friends, colleagues and Countermeasures readers concerned with how their online privacy may be affected. So I have put together this guide to Making the Most of Facebook Privacy in 2011. I refer to the forthcoming Facebook feature “Timeline” a lot in this post, but don’t be fooled these settings are available right now, even if you haven’t enabled Timeline yet.

Don’t Get Facejaked

So initially, let’s get to the recommended settings for locking down your Facebook security without having a negative effect on your enjoyment of the social network. Follow the three steps in this earlier blog article to help protect your account from unauthorised access, so-called “facejacking”.

Lock Out Leakage

With that out of the way, let’s go on to tweak your account and privacy setting to better protect the content you share and control the audience with whom you share it. Let’s look at “Account Settings” which can be accessed through the drop down menu in the top right of your Facebook page.

Facebook Account Settings

App & Adverts

In this menu you should review the individual permissions that you have allowed the Apps that you have installed. Have a first pass through this list and remove any apps you no longer use. Then review individual permissions by clicking the Edit link next to each remaining App. Some permissions are required for an App to work but many optional permissions can be revoked here. At the same time, ensure that the App itself is not giving out too much information by changing the setting “Who can see posts and activity from this app” to “Friends” unless you have specific Apps that you wish to grant greater visibility.

Finally, in the Facebook Adverts section, change the Third party advert settings and Edit Social Advert settings to No one. The default setting here is Friends.

Protect Your Privacy

The changes to Facebook have radically changed the ways in which we can share content with our friends, friends of friends and the general public. There are two main ways to configure this privacy; when you post through the Facebook interface or when you post through a device or App that doesn’t allow per post privacy settings. To configure these settings select Privacy Settings which is accessed through the same drop down menu as above.

Facebook Privacy

The Default Privacy setting only applies to posts made through an interface or App that doesn’t support inline sharing controls. I recommend setting this to Friends, the default setting again is Public.

In the next part of this blog series, I detail some of the more specific settings for controlling how you share information and perhaps more importantly, how information is shared about you.

Part two of this series is available here.

It ain’t the Timeline, it’s the Ticker, Doc.

Rik Ferguson — Fri, 23 Sep 2011 22:38:12 +0000

Ever since the forthcoming Facebook profile changes announced earlier this week at the f8 Facebook Developer Conference, there has been a lot of talk online about how the new Timeline layout of your user profile will affect your privacy.

Essentially Facebook is taking all of the information that you have already entered into the social network, your profile, your photos, your posts, comments and other’s comments about you and presenting it in clickable chronological order. This has given some commentators cause for concern. Not I.

I’ll admit that when I first read about the changes I was a little worried, even to the point where I messaged my girlfriend to express my concern (I know, geek). So I thought to myself, “Ferguson, don’t be so negative, at least check it out first before going off the deep end.”

So I logged into Facebook and enabled the new Timeline view (it’s not publicly released yet, but here’s how you can get it in advance) and to be honest I loved what I saw. It’s pretty, it’s intuitive and it certainly says a lot more about me (it’s a profile after all) than the previous layout.

Enough of the aesthetics though, what of the security concerns? The thing that led me to write this blog was an article by Gregg Keizer which featured commentary from Sophos’ Chet Wisniewski. Chet is of the opinion that the new layout simplifies the procedure of data mining any given individual, he says “Timeline makes it a heck of a lot easier [for attackers] to collect information on people“. He’s right too, If I had previously wanted to look at everything someone had ever done on Facebook , it would mean a aeons of clicking to load older posts. Now it’s all presented in a scrollable timeline, much more simple. So why do I disagree?

Timeline certainly makes it easier for anyone who has access to my profile to find out about my Facebook past, but my profile is set to private. Not only that I am also very selective about who I add as a friend on Facebook. In all honesty I really don’t mind my friends data-mining me if they have nothing better to do on a rainy afternoon. I’d have to wonder why, but hey, whatever turns your crank… Incidentally, Timeline also let’s you work out who has “unfriended” you.

Of course if my profile was configured to be viewable to the general public, or if I added just anyone as a friend, then timeline would indeed add a whole new set of concerns. To be honest though, if your Facebook profile is publicly viewable or your an inveterate befriender of stranger, you have far bigger concerns already… None of you do that, do you?

There has to be something that worries me in the new Facebook though, and as my fellow Tweeter Kurt Wismer agreed, it’s the Ticker. You’ve seen the Ticker, right? It’s the new scrolling display of updates int he top right corner of your Facebook page. Why do I worry about the Ticker? It publishes all your activities, including check-ins, in real time to all your friends, including your interactions with people and groups those friends don’t know (if that content is public). This is very much a stalker enabler. Now not only can I watch what you are doing on Facebook with people I know, I can also see when you comment, post or like something I have no connection to whatsoever, this is A Bad Thing.

For now, there’s not not you can do about this other than appeal for Facebook to reconfigure this functionality and apply the same kind of discretion any normal person applies in real-life. There is current a groundswell of people posting the following status and for now it’s the only option you have…

Here’s the text in case you want to copy/paste.

“Please do me a favour: please hover over my name here, wait for the box to load and then hover over the “Subscribe” link. Then uncheck the “Comments and likes” choice. I would rather my comments on friends’ posts not be republished. Thanks** Then repost if you don’t want your EVERY MOVE posted on the right for everyone to see! :) i’ll do the same for you if you want. just click “like.”

The Facebook kidnap & robbery

Rik Ferguson — Fri, 29 Jul 2011 10:05:38 +0000

In what appears to be a well-planned and pre-meditated crime the safe in a Carrefour supermarket was emptied by criminals with the help of a Facebook friendship.

At the beginning of February, the manager of the supermarket made an interesting new friend on Facebook, a girl by the name of Katrien Van Loo. The relationship blossomed and pretty soon, the victim was invited over for a cosy dinner for two, presumably to further his acquaintance with his new-found friend. This was on the 15th of February this year. Police are now releasing images in an appeal for witnesses. The Belgian Police report is here.

When the victim arrived at ten-thirty that evening, he discovered that he had in fact been lured to an empty building with the bait set by this fake Facebook profile. He was quickly overpowered by two men who gagged and blindfolded him and forced him to hand over the keys to his own apartment.

While one of the criminals stayed with the victim, the other took the stolen keys and visited the unfortunate supermarket manager’s home. He found the keys to the supermarket and left the building and while doing so was filmed on closed-circuit cameras in the building.

Suspect in Belgian burglary from CCTV footage

Shortly after midnight, the vault of the store was emptied by a third accomplice, he was also caught on camera. The suspects can be seen in video footage prepared by the Belgian police. Suspect in Belgian Facebook burglary. It is worthy of note that both suspects are left-handed.

If you recognise these suspects, or have any information regarding this crime, the Belgian authorities would love to hear from you. You can call the local toll-free number 0800 / 30.30.0 or use this online form.

If you are a Facebook user, remember, anyone can be anyone online. Never admit unknown people to your circle of trust; you jeopardise your own safety and privacy as well as that of the friends who may be posting on your wall. If you ever decide to meet a stranger, don’t repeat this guy’s mistakes. Do it first in a public place and do not go alone. Trust should be earned, not given.

If you receive a friend request from someone you don’t recognise there are a few things you can check. Do you have any friends in common? If you do not, this should raise a suspicion flag. If you can see any info on the person do you have anything else such as schools or workplaces in common? Does the profile have a photo and if so is it one that you recognise? If you cannot see any info, mutual friends or photo, it’s a definite no-no.

Even if this stuff all checks out and you are still suspicious, begin by simply sending a message to the person, asking how they know you or how they found you on Facebook. If it turns out to be a speculative friend request, my recommendation would be to ignore it and go out for a beer instead.

So secure we don’t need security?

Rik Ferguson — Wed, 25 May 2011 13:52:32 +0000

With the launch announcements of various Google Chrome netbooks, the focus of the press and security companies alike is beginning to take a closer look at the security promises made and also at some of the more, um… media friendly statements such as “users don’t have to deal with viruses, malware and security updates”.

Let’s have a look at some of the security features of Chrome OS:

1 – Get out of my playpen. Each process runs in its own sandbox, effectively this means that if an application is malicious or compromised it is unable to interact with or otherwise affect other applications or processes on the system.

2 – Always up-to-date. Automatic updating, patches or feature updates will be downloaded and installed by default, this is a mandatory process designed to stop the user from opting themselves out of security.

3 – Always start with a clean slate. When Chrome OS is started up, it will check the integrity and validity of system files and if it detects any anomaly or unauthorised change, the system will revert to the known-good state, effectively neutralising any suspect activity at every reboot. The separation of user files and system files makes this a simple and effective process.

4 – (Almost) No desktop applications. Every application in Chrome OS will run inside the browser, discrete desktop applications will simply not exist; all apps are effectively web apps. The OS does afford the possibility of browser plug-ins locally so the end user still has some influence over the operating environment. These plug-ins of course will be sandboxed. Google has recently made a Software Development Kit available for the creation of Chrome “Native Apps”

5 – Nothing to see here. No user data is stored locally on Chrome machines. All user data is stored in the cloud and encrypted, theoretically data theft by malware or intrusion is made more complex.

So, what do I think? Well, the existence of the SDK seems to demonstrate that the “sterile environment” of an out-of-the-box Chrome netbook, may be about as long lived as an untouched Android device. Of course the sandboxing technology is designed to ensure that even a bad native app can’t misbehave. Well, exploits that break out of sandboxing have already been demonstrated for Internet Explorer, for Java, for Google Android and of course for the Chrome browser (to name but a few), while the Google sandbox is effective, it is not impenetrable and to rely on it for 100% security would be short-sighted.

As regards the notion of the operating system always reverting to a known good state at reboot and the security afforded by encrypted data being stored in Google’s cloud, well surely that’s just moving the goalposts for the bad guys. For much of today’s malware, one of the primary goals is persistence. This will be much more difficult (see how I hesitate to say impossible) in the Chrome environment, so the motivation will shift. If I can infect you for one session and steal your keys, well then I’ll get what I can while I’m in there and then continue accessing your stuff in the cloud, after all I’ve got your keys now, I don’t need your PC anymore. The beauty of that for criminals is that the victim may be even more unaware than they are now that they have been compromised.

While I applaud the impressive advances in security that are apparent in Chrome OS, to a certain extent we are seeing marketing history repeat itself. How often did the mantra that MacOS was immune to malware need to be repeated until the vast majority of users believed it and continue to do so, even after Apple went as far as incorporating rudimentary AV software into MacOS?

Criminal activity extends far beyond file-based threats, encompassing social engineering, phishing, social networks and email borne threats. The palette is continually expanding and the techniques are continually evolving, to assure your customers that they will not have to deal with online cybercrime, simply by switching OS is foolish to say the least.

Osama lives again on Facebook

Rik Ferguson — Mon, 02 May 2011 17:28:54 +0000

Criminals are wasting no time in harnessing the undeniable impact of the news of Osama Bin Laden’s death to bait familiar old traps on facebook.

I just got a call from, let’s call him “a concerned family member”, after he had been taken in by a facebook “chat virus”.

The infection chain started with a chat message from a friend, the message read “watch the video of them killing osama bin laden live! ” and was accompanied by a link. The message began with the victim’s real name giving it added credibility.

The link leads to a page that may look familiar to those of you who keep up with this sort of thing, but as my br… um… concerned family member can attest, it still fools the unwary.

The instructions on the page inform the unfortunate mark that in order to view the supposed execution video, they need to paste the “video code” into the address bar of the browser. This may seem an unusual request in the context of a blog post, but when the recommendation comes to you in a live chat message from a friend you know and trust, your spider senses may not be tingling quite so much.

The code that you are pasting into your address bar is a JavaScript that simply calls a second JavaScript file hosted on a compromised but otherwise innocent website. The second file enumerates all your friends and sends them chat messages, creates an event to which all your friends are invited and continually updates your facebook status. Meaning that the video link is immediately posted to your facebook wall to entice other unwary facebookers and spammed out in personalised chat messages and event invitations to your nearest and dearest (well, your Facebook friends anyway).

The tactics used are exactly the same as in many of the “Profile Spy”, or “See who views your profile” scams that do the rounds so often, in fact the offending JavaScript file in this instance even contains the line “var eventdesc = ‘Hey everyone, \n\ fb now lets you see who viewed your profile! to enable this feature, go here! -” suggesting that this represents nothing more than a rebaited trap.

But hey, there’s an old saying in Tennessee – I know it’s in Texas, it’s probably in Tennessee – that says, fool me once, shame on … shame on you. It fool me. We can’t get fooled again (with thanks to GWB)

What do we learn from this? I guess the simplest lesson is, if you receive an unsolicited link from someone, even someone you know, check with them first before you click. You never know, you could be doing them a favour and letting them know they have been duped. And NEVER paste ANYTHING that is not a URL into your browser address bar.

It is also worth noting that this is not the only Osama scam currently spreading on Facebook, I also spotted many iterations of a second attack that uses clickjacking in the form of a bogus CAPTCHA to fool users into posting the bait to their own walls.

70 million customers affected by the Sony breach

Rik Ferguson — Wed, 27 Apr 2011 07:28:18 +0000

The most recent update update from Sony unfortunately confirms the worst fears of many. Between April 17th and 19th an “unauthorised person” gained access to the personal information of Sony’s more than 70 million customers. The information confirmed stolen is as follows:

– Name
– Address
– Email address
– date of birth
– PlayStation Network/QRiocity login name and password and online ID

Information “possibly obtained”:
– Billing address
– Purchase history
– PlayStation Network/Qriocity password security question responses
– all above data for any dependent accounts (your children’s sub-accounts)

Although there is no evidence at this time that payment card information has been accessed, Sony are “unable to rule out this possibility” and are advising their customers accordingly.

What does this mean for you? Well if you’re the type of person who tends to reuse your password across multiple web sites today’s the day to get out there and start changing that password and breaking that habit. Criminals now have your email address and common password, they may also have the answers to your security questions, which also tend to get reused.

It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use. While this may sound complex and impossible to remember there is simple way to acheive this. Create a complex password using upper and lower case letters, numbers and special characters such as $%&!. Devise a way to differentiate your password for each site you use, for example putting the first and last letters of the web site name at the beginning and end of your initial complex password, making it unique yet easy to remember

As for those security or password reset questions, this is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions” consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school”or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.

Aside from this, given the nature of the warning from Sony keep aeather eye on your bank statements for any unauthorised activity.

Data mining for bad guys

Rik Ferguson — Tue, 05 Apr 2011 09:22:24 +0000

My notification mail from Hilton HHonors

Over the past three days many of us have woken up to an unwelcome sight in our email inboxes. A notification that your email address was among those exposed in what may be the biggest data theft of its kind, the data breach at the “database marketing vendor” Epsilon. Today I got my first one and I’m far from alone.

The list of companies affected by this intrusion is already long, but seems to still be growing. The notification mail I received was from Hilton HHonours, the loyalty scheme for Hilton hotels. Other affecetd companies include: American Express, BestBuy, Borders, Capital One, Citibank, Disney, The Home Shopping Network, JP Morgan Chase, Marriott Rewards, Ritz Carlton, TiVo, US Bank, Verizon & Visa, to name but some.

No details have been made available regarding how the data was accessed beyond the initial statement made on the 1st April by Epsilon and the breach notification mails continue rolling in to affected individuals.

Epsilon state that the “unauthorized entry into Epsilon’s email system” affected just 2% of their customers and that they comprise only a subset of the clients to whom Epsilon provide email services. Given the list of names of affected institutions known thus far then, you have to wonder if the attackers were able to browse the entire database at will and extract only what they considered to be the most valuable information.

Every notification email and also the public statement from Epsilon reassures us that “only” names and email addresses were “obtained” (read stolen) and that no other information, financial or otherwise is at risk. Unfortunately, this downplays the level risk to customers and is also misleading.

Not only do the criminals know your name and email address, they know where you go shopping, where you bank, which hotels you stay at and much more. If you are unfortunate enough to have received multiple notifications, just imagine what kind of profile is now in criminal hands.

The risk from spear-phishing (highly targeted phishing) is hugely increased as a result of this data breach and people should be more vigilant that usual when receiving emails from affected institutions that may request personal information.

It is important to remember though, that phishing is not the only criminal activity facilitated by this fraud. This gold mine of information makes credible malicious mails much more simple to design. An email may appear to come from from an organisation or shop of which you are known to be a customer. It will be designed solely to get you to click on a link. In the complex world of online crime you are often only one click away from compromise and infection without any user interaction beyond that first click. If a criminal can own your PC, they don’t have to ask your for your personal details, they can simply take them, and much else besides.

So, for those affected by this breach, (note to self):

Pay careful attention to emails your receive in the coming months, perhaps years.
Never surrender personal information to a website without having used one of your own bookmarks to get there or typing it yourself (i.e. don’t follow links in mails).
Before giving out personal details, ensure that the connection is secured with SSL. You can see this is the case if the address starts with “https://“. If it’s not encrypted they don’t deserve your data.
Read the privacy agreement carefully before you hand over any details. If there is anything you are unhappy with reconsider your decision to sign up.
To better insure yourself against this kind of eventuality in future consider using unique addresses for each service, I wrote an article on how to easily achieve this here.

And for all of the companies out there that process, store or transmit personal data belonging to other people… ENCRYPT IT, no excuses, no get out clause. This is only the beginning and you owe your customers a duty of care.