E-mail phishing attacks have ESPs, marketers on guard

By Published on .

Most Popular
While direct marketers are often focused strongly on such practical, everyday matters as list hygiene, segmentation and targeting, another lurking database issue—safety—is now front and center due to a massive phishing attack at the end of last year.

Possibly hundreds of companies' e-mail databases were compromised in that wave of attacks, with potentially millions of e-mail addresses and passwords stolen by parties as yet unidentified from the companies' e-mail service providers. Databases maintained by e-mail companies AWeber Communications, Return Path and Silverpop were breached but, after investigations are completed, the list of involved ESPs may be much longer.

No company affected by the breach agreed to an interview for this story, referring BtoB to official statements such as this one from Silverpop CEO Bill Nussey:

“It appears Silverpop was among several technology providers targeted as part of a broader cyber attack. We have notified all customers impacted by this activity. We are currently focused on working with our customers, especially the small percentage impacted by these events.”

Phishing is an attempt to acquire sensitive information—such as usernames, passwords and credit card details—by masquerading via e-mail (or sometimes instant messaging) as a trustworthy entity. If a recipient clicks on a fraudulent message, and perhaps shares sensitive information like a password, the sender may have enough information to enter a database.

The stolen e-mails and passwords can then be sold to other spammers, eager to send out their own sales solicitations or malware under the guise of trusted e-mail brands.

Return Path released one of the phishing e-mails it received, demonstrating how a degree of casual personalization can lure a recipient:

“Hey Neil, it's Michelle here, it has been a long time huh? how're you doing ? how's your work with Return Path? Is everything ok there? Hey, can you believe it! I got married to Brian! Yes I did.” The message continues in this vein, then lists a URL that purportedly contains recent wedding photos, but in reality leads to a site that hosts malware.

“Data was taken from us, and that security hole is now closed,” said Matt Blumberg, chairman-CEO of Return Path, in a blog post.

Blumberg added that the company quickly suspended the Internet protocols from the addresses previously certified as safe by the company, but that “millions of spam messages did make it through to a couple of the mailbox operators we work with.”

Return Path has put together a Phishing Resource Center page on its website, that includes links to the company's relevant blog posts and additional industry resources.

The year-end attacks may have been the largest ever suffered by the e-mail database industry, according to Quinn Jalli, VP-deliverability, privacy and security with marketing services company Epsilon.

“This was an attack on the industry as a whole, impacting the clients of all major service providers,” Jalli said. He added that Epsilon was not affected by the attacks, but that “it is one of the most successful phishing attacks I've ever heard of.”

Jalli said the successful breaches seemed to come through client companies, not through the ESPs themselves. So it may have been employees of such impacted companies as Honda Motor Co. and McDonald's Corp. McDonald's own notice to its customers can be viewed here.

“It takes just one employee within an organization to click on a URL by accident and provide a user name and password,” said Gerhard Eschelbeck, chief technology officer with Web security company Webroot Software. Eschelbeck agreed with Jalli that someone from outside the impacted ESPs—probably a customer—opened the digital door.

Eschelbeck stressed that technological security methods go only so far, and that employee training is essential to help close that door. He also suggested that the breaches may have come from intentional industrial sabotage, perhaps from a disgruntled employee.

The FBI, which is involved in the investigation, declined a request to be interviewed for this article.

In this article: