Cybercriminals Steals Verified Active Email Addresses To Target With Spam And Phishing Attacks

By Author: EC-COUNCIL
Total Articles: 68
Comment this article

In an effort to enhance online security and privacy, the Obama administration has proposed Americans obtain a single ID for all Internet sales and banking activity. But a new Rasmussen Reports poll finds most Americans want nothing to do with such an ID if the government is the one to issue it and hold the information.
Common security issues such as using one password for personal and business accounts, not having at least two-factor authentication for access into important databases, and utilizing work e-mail in transactions with banks and other businesses can lead to phishing attacks and ultimately data theft.
The Rasmussen Reports survey shows that just 13% of American Adults favor the issuing of a secure government credential to replace all traditional password protection systems for online sales and banking activities. Sixty percent (60%) oppose such a credential. Twenty-seven percent (27%) are not sure. Only eight percent (8%) of Americans would be willing to submit their personal financial and purchasing information to the government or a government contractor to receive a secure government credential for ...
... online transactions. Seventy-six percent (76%) would not be willing to submit this information for that purpose. Sixteen percent (16%) are undecided.
“If a criminal finds your e-mail address and it is at a county government, they now know where you work and then can go on the Internet and find businesses that you work with to craft a really targeted phishing message,” said Steve Dispensa, chief technology officer and co-founder of PhoneFactor Inc., a provider of phone-based, two-factor authentication services.
In addition, government employees and users that may be affected by the Epsilon breach might not be receiving the warning messages that individual companies that have utilized Epsilon are sending to customers. So people may think they are not at risk for any increased phishing activities, when in fact they are.

Security experts are warning users to brace for a tidal wave of more precise spear phishing attacks because of Epsilon’s data breach incident. Epsilon is responsible for sending more than 40 billion marketing emails per year on behalf of its 2500-plus customers. These emails are not spam in the Rustock botnet sense of the word. These email messages are marketing and customer communication emails from major clients such as JP Morgan Chase, Capital One, CitiGroup, and others.
The primary risk is that the attackers now have a list of millions of verified active email addresses to target with spam and phishing attacks. If the attackers were able to get not just the email address, but also its affiliation with one of Epsilon's customers, it will yield much more precise spear phishing attacks. Phishing is like casting a net. Spear phishing is narrowed down to a specific domain or company. But, these attacks would be to known email addresses that are also known to have a relationship with the company.
According to Joseph Wulffenstein, division chair of quantitative studies and department chair of management information systems at Northwood University in Midland, Mich., many municipal governments outsource their e-mail services to outside organizations. These organizations could have used Epsilon for marketing purposes, further exposing educational and governmental employees. “What I noticed is that people working in smaller municipalities and local governments rely on their IT staff to worry about [network security] for them,” Wulffenstein said. “And staff seldom has any training sessions with the users to show them the things they need to be aware of.”
Hiring adequately trained IT personnel focused on network security would go a long way to minimize security threats. Organizations need to enforce robust information security initiatives, including having a proficiently skilled IT security workforce, in order to prevent cyber attacks and minimize security breaches. Information security professionals can increase their IT security knowledge and skills by embarking on advanced and highly technical training programs. EC-Council has launched the Center of Advanced Security Training (CAST), to address the deficiency of technically proficient information security professionals.
CAST will provide advanced technical security training covering topics such as Advanced Penetration Testing, Digital Mobile Forensics, Advanced Application Security, Advanced Network Defense, and Cryptography, among others. These highly sought after and lab intensive information security training courses will be offered at all EC-Council hosted conferences and events, and through specially selected authorized training centers.

About EC-COUNCIL
EC-Council is a member-based organization that certifies individuals in various e-business and security skills. It is the owner and developer of the world famous Certified Ethical Hacker (CEH) course, Computer Hacking Forensics Investigator (CHFI) program, License Penetration Tester (LPT) program and various other information security training programs offered in over 70 countries around the globe. EC-Council has trained over 80,000 individuals in technical security training and certified more than 38,000 security professionals. EC-Council has launched the Center of Advanced Security Training (CAST), to address the deficiency in the lack of highly technically skilled information security professionals.