Friday, April 08, 2011

The Epsilon Phishing Model

There is a saying "if you give a man a fish, he'll eat for a day, but if you teach a man to fish, he can feed himself for a lifetime."

In the case of the Epsilon email breach the saying might be "if you teach a man to be phished, he'll be a victim for a lifetime."

In order to illustrate my point, let's look at a few of the security flaws in the business model of email-based marketing, using Epsilon Interactive and their communications as some examples.

NOTE: Epsilon has released another Press Release to assure the public that no Personally Identifiable Information was released. The point of this article is not to argue that point, but rather to say there is something flawed in training users to click on links in emails.

Targeted Mailing Lists Help Avoid Detection

One of the advantages to phishers in using destination email addresses from the Epsilon Breach is that it helps keep their emails out of the hands of the security research and anti-phishing communities. Phishers, especially the less-skilled ones, tend to buy or steal large email address lists. Many researchers and anti-phishers (including us!) have managed to get their "spam-trap" email addresses onto those lists, which gives us visibility into spam campaigns. At UAB, as an example, we receive more than a million spam email messages each day. Some of these emails are phishing emails, which we then share with law enforcement and our strategic partners. Using a combination of automated and manual tools, we review tens of thousands of URLs each day to learn the addresses of the criminals' new phishing sites. But what if a phisher only sends his phishing email to "confirmed" customer email addresses? This greatly reduces the ability of the anti-phishing community to respond to these phishing sites.

Guaranteed Delivery "From:" Addresses

Another thing a phisher would like to accomplish is to make sure that his message arrives without being blocked. Perhaps his victim is running spam filtering software. What is the first thing that would be desirable? He would like his email to be sent from an address that will guarantee delivery. The easiest way to make sure that spam is delivered is to make sure that the "From:" address is in the potential victim's address book. This is why so many email messages arrive with the "from" and "to" addresses being the same. The spammers assume that you will have your own address in your address book, and therefore spam-filtering rules will not be applied to that address.

How else could they do that? Epsilon helpfully instructs their customers to add their email addresses to their address book. If a phisher now imitates those addresses, their email will bypass many phishing filters:

This email was sent to you by Ethan Allen.
Please add to your address book. This will ensure delivery to your inbox.

You are receiving this e-mail because you have requested information about CRESTOR(R) (rosuvastatin calcium) Tablets. Add to your address book so future e-mails from us will not be marked as spam.

Add to your address book to ensure delivery.

To ensure delivery to your inbox, please add to your address book.

This e-mail was sent to you by Eddie Bauer Friends. To ensure delivery to your inbox (not junk or bulk), please add to your address book.

To ensure receipt of your Red Roof RediCard emails, please add to your address book.

To ensure receipt of our emails, please add to your Contacts or Address Book.

etc . . .

So if the phisher makes his "from" address one of these "trusted" addresses, what happens?

Teach a man (or woman) to Click

One of the main pieces of advice that security professionals give to audiences and readers when they are speaking or writing about the topic of phishing is DO NOT CLICK ON LINKS IN YOUR EMAIL!

This is exactly the opposite of the advice that customers in the Epsilon databases receive. Epsilon and other email senders work on the theory of full-visibility communications. They know which email messages they send to which users, and they prove their value to the companies they represent by providing deep intelligence on the "click behavior" of the customers they email on behalf of those companies. Each link in an Epsilon email is customized with a URL that tells Epsilon who clicked on the link.

The whole point of emails from Epsilon is to get customers to click on links! I've truncated the URLs to protect privacy, but here's an example of one from Target. Clicking on this one takes me to their "Daily Deals. One Day Only. Always Free Shipping."

which means I can get "juniors" denim skinny jeans for $12.49 today only! (which also means my daughter probably gave my email account to Target....hmmmm.....)

Here's a few examples:

Greetings from the National Geographic Online Store!

You are invited to join an exclusive community of individuals interested in National Geographic. As a member, you will...
* Help us choose catalog covers.
* Get sneak peeks at new products we're considering.
* Give valuable advice to people at National Geographic who decide what products we should offer.
* Get an insider's view of how our catalog and online store help fund the Society's Mission programs in the areas of research, conservation, exploration, and education.

Click here to join the NG Store Insider panel.

Now through April 10, 2011

40% OFF select styles. In-store & online.

Introducing the NY DEAL of the DAY! Extra savings on a must have style! In stores & online. Today only! The Hudson wide leg pant,
only $14.99 today only! Check our homepage every day of this sale for our new DEAL!

Shop now >

Today Only! Save 30% at Gap Outlet

To get this coupon, copy and paste this url:

Fun, cool stuff at amazing prices, available for one day only.

Shop Now:

Doctor Who in America for the Very First Time
April 6, 2011
Doctor Who: Brand New Season
The Tardis is hopping the pond and the stakes have never been higher.


The statement for your account ending in 4616 is now available online.
Log in to Online Banking to view your statement and pay your bill.
Please visit

The point of every one of those emails is HEY YOU! CLICK ON THIS LINK!!!

The Warnings & The Future

If you live in the United States and you have ever used a credit card, your inbox is already flooded with Epsilon notices, so I hesitate to show you very many. We've heard of warnings from more than fifty companies, and personally seen the warnings from at least:

1-800-Flowers
Abe Books
AIR MILES Reward Program
Ameriprise Financial
Barclays Bank of Delaware (US Airways Dividend Miles MasterCard, DIRECTV Rewards, iTunes Rewards, LLBean etc... )
Capital One
Citibank (AT&T Universal Card, Exxon Mobile, Home Depot, Shell)
Disney Destinations
Eddie Bauer
Ethan Allen
Hilton Honors
Lacoste USA
McKinsey Quarterly
M&T Bank
New York & Company
Red Roof Inn
Tastefully Simple
TD Ameritrade
World Financial Network National Bank (WFNNB) (Ann Taylor, Catherine's, Chadwick's, Eddie Bauer, Gander Mountain, HSN, Maurice's, Newport News, Peeble's, The RoomPlace, United Retail Group, Victoria's Secret, Woman Within)

The warnings are missing the point of MY warning. All of them assure you that they aren't going to ask you for your personal information, and that your personal information hasn't been lost, "only your email address."

They tell you though NOT TO OPEN EMAILS FROM PEOPLE YOU DON'T KNOW. I don't know anyone named "" and I certainly don't know anyone named ""

Of course that also misses entirely the fact that ANYONE can make their "From:" email anything they would like it to be! Email is not a form of trusted communication! So, how does the end-user know that the email really came from a real sender? It's a growing problem. Certain vendors have had luck with certain large mail providers -- for example eBay and Gmail. Because eBay signs all of their outbound email with a "digital signature" and Gmail knows what digital signature eBay uses, Gmail will reject any email that claims to be from eBay but really isn't.
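To make the eBay/Gmail arrangement concrete, and to tie it back to the "add us to your address book" and "From equals To" tricks described earlier, here is an added receiving-side filter written for this post; it is not code from the original article or from any mail provider. It assumes the site's own mail exchanger has already stamped each message with an Authentication-Results header (RFC 5451) carrying the DKIM and SPF outcomes, and the signer list, address book and sample messages are all constructed for illustration.

```python
"""Added illustration: a mail filter that never trusts a "From:" address by
itself. Mail claiming a domain known to sign everything is rejected unless a
DKIM signature for that exact domain passed; mail from an address-book entry,
or addressed from the recipient to themselves, is quarantined unless SPF or
DKIM authenticates the sender. Authentication-Results headers are assumed
to have been added by the receiving site's own MX, not by the sender.
"""
import email
import email.utils
from email import policy

# Constructed: domains whose outbound mail is always DKIM-signed, standing in
# for the eBay/Gmail agreement described in the post.
ALWAYS_SIGNED = {"ebay.example"}

# Constructed address book of a user who followed the "add us to your address
# book" instructions quoted in the post.
ADDRESS_BOOK = {"news@retailer.example", "billing@ebay.example"}


def _domain(token):
    """Domain part of an address or address-like token, lower-cased."""
    return token.rsplit("@", 1)[-1].strip().lower()


def _same_or_sub(candidate, domain):
    """True if candidate is domain itself or a subdomain of it."""
    return bool(domain) and (candidate == domain or candidate.endswith("." + domain))


def parse_auth_results(msg):
    """Turn Authentication-Results headers into (method, result, props) tuples,
    e.g. ('dkim', 'pass', {'header.d': 'ebay.example'})."""
    findings = []
    for hdr in msg.get_all("Authentication-Results", []):
        clauses = [c.strip() for c in str(hdr).split(";")]
        for clause in clauses[1:]:            # clauses[0] is the authserv-id
            tokens = clause.split()
            if not tokens or "=" not in tokens[0]:
                continue
            method, result = tokens[0].split("=", 1)
            props = {}
            for tok in tokens[1:]:            # e.g. header.d=ebay.example
                if "=" in tok:
                    key, value = tok.split("=", 1)
                    props[key.lower()] = _domain(value)
            findings.append((method.lower(), result.lower(), props))
    return findings


def classify(raw_message, address_book=ADDRESS_BOOK):
    """Return (verdict, reason); verdict is 'accept', 'quarantine' or 'reject'."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = email.utils.parseaddr(str(msg.get("To", "")))[1].lower()
    domain = _domain(sender)
    findings = parse_auth_results(msg)

    # A DKIM pass only counts when the signing domain is the From: domain;
    # a valid signature from some other domain proves nothing about the sender.
    dkim_ok = any(m == "dkim" and r == "pass" and p.get("header.d") == domain
                  for m, r, p in findings)
    spf_ok = any(m == "spf" and r == "pass"
                 and _same_or_sub(p.get("smtp.mailfrom", ""), domain)
                 for m, r, p in findings)
    authenticated = dkim_ok or spf_ok

    if domain in ALWAYS_SIGNED and not dkim_ok:
        return "reject", "claims %s but carries no valid %s DKIM signature" % (domain, domain)
    if sender in address_book and not authenticated:
        return "quarantine", "address-book sender %s is unauthenticated" % sender
    if sender and sender == recipient and not authenticated:
        return "quarantine", "From: equals To: without authentication"
    return "accept", "sender authenticated or no trust claim made"


def sample(sender, recipient, auth=None):
    """Construct a minimal raw message for trying the filter (constructed data)."""
    headers = []
    if auth:
        headers.append("Authentication-Results: mx.example.net; " + auth)
    headers += ["From: " + sender, "To: " + recipient, "Subject: constructed sample"]
    return "\n".join(headers) + "\n\nconstructed body\n"


if __name__ == "__main__":
    print(classify(sample("eBay Billing <billing@ebay.example>", "customer@example.net")))
    print(classify(sample("billing@ebay.example", "customer@example.net",
                          "dkim=pass header.d=ebay.example; spf=pass smtp.mailfrom=bounce@ebay.example")))
    print(classify(sample("customer@example.net", "customer@example.net",
                          "spf=fail smtp.mailfrom=customer@example.net")))
```

The order of the checks matters: the always-signed rule runs first so that a forged eBay message is rejected outright even if the attacker's own domain produced a passing DKIM signature, and the address-book and self-addressed rules only downgrade to quarantine, since legitimate senders who have not deployed SPF or DKIM would otherwise be lost.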

There is a whole association, The Online Trust Alliance, filled with great companies dedicated to trying to fix this problem, but where they stand right now is that acceptance has been limited, and "traditional" email solutions don't come out of the box with the ability to interact richly with these forms of signatures and authentications.

Imagine for example that you are a global brand with more than 500,000 employees. In order to "turn on" digital authentication, you have to make sure that every single email sent by any of your 500,000 employees has a valid "digital signature" that proves the email really came from you! On the other end of the spectrum, if everyone locks down their email clients to only allow emails that are signed and certified, emails from individuals like you and me are likely to be thrown away!

In the meantime, we're stuck with imperfect solutions -- the need of the corporation to get their messages delivered and clicked on -- and the need of the consumer to NOT CLICK on messages that may lead to malware infections.

One-Click Malware - Drive-By Infections

Kaspersky Labs had a recent headline on this topic: Malware in February: Cybercriminals Perfect Drive-By Tactics.

In most of the top reported malware for February, the infection method was to convince a user to click on a link which took them to a "poisoned" webpage -- one on which some hostile code was present that could take advantage of security flaws in the webpage visitor's browser, PDF reader, flash player, or other code to place malware on the visitor's computer. Kaspersky's February Report showed more than 70 million times where a Kaspersky customer had tried to visit a website that would have infected their computer if they had not been blocked!

The Warnings in the Epsilon Breaches can't warn you of that though. If they gave you the advice I would give you, they would be saying "Please don't click on the things our marketing department sends you!" which would result in them losing their jobs.

I have to say that the Citibank group of warnings does have a form that I appreciate.

As a means of proving email is REALLY from them, they provide the final four digits of your account number, your name, and the year you joined their card program on all of their official emails. I have to say that I find this very effective.

Unfortunately, yet another problem at Bigfoot/Epsilon ruined my joy on this one for today:

The error tells me "Secure Connection Failed" " uses an invalid security certificate ... This could be a problem with the server's configuration or it could be someone trying to impersonate the server."

It's probably just something wrong as they try to re-issue security certificates related to tightening up their shop, but still it sends the wrong message at a critical time for their company!

1 comment:

  1. A smallish campaign with a homemade list would not be likely to yield much of a result. To achieve anything worthwhile, a much more aggressive effort is needed. Then, the age-old value analysis applies: projected earnings = margin on total projected sales - cost of campaign.


Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.