Amol Sarwate, Qualys: Epsilon Breach - Protect Yourself Against Suspicious Emails
April 2011 by Amol Sarwate, vulnerabilities lab manager, Qualys
Last Friday, hackers stole customer files from Epsilon, a subsidiary of Alliance Data Systems Corp. whose clients include major banks, retailers and educational groups. Although it currently seems that no financial information was exposed, names and e-mail addresses seem to have been obtained.
‘Phishing’ scams are the number one concern arising from this breach. Hackers could send fake e-mails pretending to be your bank, pharmacy, hotel or any other business that was a customer of Epsilon. Such an e-mail could look real and be convincing, because the attackers have the customer names together with the name of the company each customer did business with. The e-mail could ask unsuspecting users to click on a link that then asks for credit card numbers, runs malware, installs spyware or carries out other attacks.
Users must be extremely careful about opening e-mails or clicking links in them. Here are things to look for in an e-mail before deciding what to do:
1. Does my institution usually send me an e-mail?
If customers only get monthly statement reminders via e-mail, they should be cautious about any out-of-band e-mail.
2. Does my institution ask me to click on links in an e-mail?
It is dangerous to click on links received in e-mails. A safer way to visit your institution's website is to type the URL manually or to open it from a saved bookmark.
3. Is my institution asking me for personal information such as my SSN or credit card numbers?
If a web page opened from an e-mail link asks for this information, it is most probably fraudulent.
4. Does this e-mail really come from my institution?
Due to the nature of how e-mail works, it is not possible for everyday users to distinguish between e-mail sent by their institution and e-mail sent by hackers. Users should not trust e-mails even if they carry official logos, or when the color scheme and other look-and-feel elements look exactly like their institution's. It is very easy to use these visual cues to trick the brain into clicking on impulse. After all, it takes just one click for a compromise.
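Checks 2 to 4 above can be partly automated on the defender's side: the following added example (not code from Qualys or from the original article) parses a constructed sample message, takes the domain from the From header, and flags every link whose host is not under that domain or whose visible text shows a URL on a different host than the real href. The sender address, domains and message body are all constructed placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the From domain is a hypothetical institution,
# but the first link's visible text and its real target point to different hosts.
SAMPLE_EML = """\
From: "Example Bank" <alerts@example-bank.test>
To: customer@example.test
Subject: Please confirm your account details
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Customer,</p>
<p>Visit <a href="http://example-bank.test.login-verify.example">
https://www.example-bank.test/secure</a> to confirm your SSN and card number.</p>
<p>Or see <a href="https://www.example-bank.test/statements">your statements</a>.</p>
</body></html>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    return (urlparse(url).hostname or "").lower()

def _same_org(host, domain):
    return host == domain or host.endswith("." + domain)

def suspicious_links(raw_eml):
    """Return hrefs that leave the sender's domain or hide a different host
    behind URL-looking anchor text (the classic lookalike link)."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    parser = _LinkCollector()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    flagged = []
    for href, text in parser.links:
        host = _host(href)
        shown = _host(text) if text.startswith(("http://", "https://")) else None
        if not _same_org(host, sender_domain) or (shown and shown != host):
            flagged.append(href)
    return flagged
```

Note that this only catches links that stray from the sender's domain; it cannot tell whether the From header itself is genuine, which is exactly the point made in check 4.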