Possible e-mail theft from Epsilon slams banks, retailers



chicot60
04-04-2011, 11:22 PM
By Peter Svensson, Associated Press

NEW YORK — With the possible theft of millions of e-mail addresses from an advertising company, several large companies have started warning customers to expect fraudulent e-mails that try to coax account login information from them.

Companies behind such brands as Chase, Citi and Best Buy said over the weekend that hackers may have learned their e-mail addresses because of a security breach at a Dallas-based company called Epsilon that manages e-mail communications.

The e-mail addresses could be used to target spam. It’s also a standard tactic among online fraudsters to send e-mails to random people, purporting to be from a large bank and asking them to log in at a site that looks like the bank’s site. Instead, the fraudulent site captures their login information and uses it to access the real account.

The data breach could make these so-called “phishing” attacks more efficient, by allowing the fraudsters to target people who actually have an account with the bank.

David Jevans, chairman and founder of the non-profit Anti-Phishing Working Group, said criminals have been moving away from indiscriminate phishing towards more intelligent attacks known as “spear phishing,” which rely on having more intimate knowledge of the victims.

“This data breach is going to facilitate that in a big way. Now they know which institution people bank with, they know their name and they have their e-mail address,” said Jevans, who is also the CEO of security company IronKey.

“You’re not going to see typical phishing where 90% of it ends up in spam traps and is easily detected. This is going to be highly targeted,” he added.

Among the affected companies are financial companies like Capital One Financial, Barclays Bank, U.S. Bancorp, Citigroup, Ameriprise Financial and JPMorgan Chase, and retailers like Best Buy, TiVo, Walgreen and Kroger.

The College Board, the not-for-profit organization that runs the SATs, also warned that a hacker may have obtained student e-mail addresses.

Walt Disney Co.’s travel subsidiary, Disney Destinations, sent e-mails warning customers on Sunday. Hotel chain Marriott International issued a similar warning.

Epsilon said Friday that its system had been breached, exposing e-mail addresses and customer names but no other personal information.

Epsilon, a unit of Alliance Data Systems, sends more than 40 billion e-mails annually and has more than 2,500 clients.

The scale of the data breach meant that many people got warnings from multiple companies over the weekend.

Jill Kocher in Crystal Lake, Illinois, said she got at least five e-mailed warnings, including from U.S. Bank and Best Buy.

Because she works for Groupon, an Internet coupon company, she feels savvy enough to avoid any phishing come-ons, but she’s concerned for those who aren’t.

“U.S. Bank sends you an e-mail and it looks legit and you cough up the information, and now you’re in big trouble. It sure does sound like a big increase in fraud, just waiting to happen,” Kocher said.



http://www.usatoday.com/money/industries/technology/2011-04-04-e-mail-theft-phishing.htm