There has been a lot of talk in the security industry surrounding the recent data breach experienced by database marketing vendor Epsilon. As detailed in the reports, the company’s email system was broken into, enabling the attacker to obtain information such as names and email addresses associated with Epsilon’s customers. Trend Micro Researcher Rik Ferguson listed a number of the affected customers in his CounterMeasures blog entry here.
Last year, I talked about how users are not fully aware of the consequences of getting their email account compromised, as well as how such instances could lead to information and identity theft, and I think that the points I raised then are things that users — especially those affected by the breach — should fully understand. While this breach did not expose user passwords along with the email addresses, a number of risks still exist.
In many ways, our email account is like the backbone of our online profile. Regardless of how much we favor social media in terms of communicating (as opposed to email), most if not all social media channels require users to sign up using an email account before being able to communicate at all. More importantly, transactions related to online banking, online shopping, and booking for flights or hotel accommodations are all dependent on the user having a valid email account to which important information can be sent. Needless to say, email accounts contain valuable and personal information and should be secured appropriately.
Now, considering the nature of information exposed by the breach, its effect is quite comparable to an attacker getting a sneak peek of the contents of users’ inboxes. While the attacker is not able to directly access the victims’ email accounts, they do know some of the types of email the users typically receive (in relation to whichever Epsilon customer the user is associated with). This places the affected users at greater risk of being victimized by many known web threats such as spear phishing and spam attacks.
Under such circumstances, users — whether affected by the breach or not — are strongly recommended to take action and apply means to secure their email addresses as soon as possible. Steps to do so may include:
- Make sure you don’t use publicly available information in the password-recovery process of your email provider — it was mentioned that “only” names and email addresses were acquired by the attackers during the breach. However, this may not stop them from trying to break into the email accounts through different means, one of the likely means being the password-recovery process.
- Do not reuse passwords for different accounts, be they email, social networks or anything else — in relation to the first tip, if an attacker is successfully able to break into the user’s email account, the attacker may try to use the credentials to log into other accounts such as social networks, in the hope of accessing them as well.
- Make sure your passwords are complex enough to prevent casual brute-forcing, and change them regularly — using brute-force attacks to break into accounts is a technique commonly used by criminals. Thus, using fairly complex passwords can provide added protection, and prevent attackers from easily breaking into users’ accounts.
- Be extra cautious of email messages asking to click links or confirm personal information. Phishing attacks, in particular the email components, are crafted to make them appear legitimate and to persuade you to follow their instructions. A better alternative is to go directly to a trusted website and conduct your business there.
- Use a password manager to store passwords securely. This has the additional benefit of allowing you to use extremely complex passwords with all sorts of random letters, numbers and symbols that you might not be able to memorize.
Most importantly, users should always follow online behavior best practices. Bear in mind that similar threats are out there and are likely to appear again. It is just when we think everything is safe that we may fall victim to yet another malicious scheme.
Post from: TrendLabs | Malware Blog – by Trend Micro
Email Security After the Epsilon Incident



