Marketing as Usual? Not a chance. – Epsilon corporate catch phrase

A series of attacks on the Email Service Provider (ESP) community began in late 2009. The criminals spear-phish their way into these companies that provide out-sourced mailing infrastructure to their clients, who are companies of all types and sizes.

Upon gaining access to an ESP, the criminals then steal subscriber data (PII such as names, addresses, telephone numbers and email addresses, and in one case, Vehicle Identification Numbers). They then use ESPs’ mailing facility to send spam; to monetize their illicit acquisition, the criminals have spammed ads for fake Adobe Acrobat and Skype software.

On March 30, the Epsilon Interactive division of Alliance Data Marketing (ADS on NASDAQ) suffered a massive breach that upped the ante, substantially.  Email lists of at least eight financial institutions were stolen. 

Thus far, puzzlingly, Epsilon has refused to release the names  of compromised clients. CAUCE has drawn the a list of  from news reports (below)

The obvious issue at hand is the ability of the thieves to now undertake targeted spear-phishing problem as critically serious as it could possibly be.

What to do?

CAUCE is calling on the ESP industry and ISP and Email Receivers to implement these measures across the board, to protect the PII of end-users everywhere. What follows are best common practices that have existed for many years. It is time to take a stand against the data-thieves, and begin to properly protect end-users, without fail.

ESP & Senders

  • Security must be the top corporate priority. Both Silverpop and Epsilon Interactive were either breached repeatedly, or failed to fully mitigate their initial security lapse in December.  I was told by one ESP security staffer that he hadn’t been given sufficient resources to affect all the appropriate changes. That is at best lamentable.
  • Two-factor authentication must be implemented for ESP system access for both staff and clients.
  • Senders and ESPs must sign all email with DKIM, and authenticate all mailing IPs with SPF.
  • ESPs must check all outbound content against domain blacklists such as SURBL and the Spamhaus DBL before deployment.
  • ESPs must adopt and embrace a culture of transparency and commit to cooperative full disclosure

“Epsilon has refused to provide additional details on what other brands may have been affected.” – Security Week

“SilverPop did not respond to requests for comment” – Krebs on Security

While it is the instinctive corporate reaction to be secretive, such a strategy exacerbates the frustration of the other set of victims of data-theft, namely the end-users. A complete list of breached clients is fundamental to protecting end-users, and allowing them to protect themselves.

Receiving Systems

We need desperate measure for desperate times, CAUCE calls upon the receiving community to better their protection of end-users.

  • Email receivers must deploy DKIM and SPF checking, and treat messaging failing such checks accordingly by labeling the subject line, placing it in a spam folder, or blocking it entirely.
  • Email receivers must deploy checks using URI blacklists like SURBL and Spamhaus on message headers and content domains.
  • Email receivers must take extreme measures, even if there are false positives. Better safe that sorry, and given the potential damage these breaches can cause to a recipient, far better that there are false positives (legitimate email refused or sidetracked to the bulk folder) than false negatives (illicit email delivered to the inbox).

The list of breached companies