The Epsilon attack should be a wake-up call that targeted attacks are the wave of the future.
Unlike the recent RSA breach, where the stolen data may be used in ways we have not yet imagined, the Epsilon breach lets us draw a clear line of attack. Like the RSA attack, this attack is only one stage in a multi-phase and long-term approach to infiltrating organizations. What the attackers have learned is that, sometimes, the old ways are the best ways. As security technologies have improved over the years, it has become harder to breach company perimeters successfully and silently. Why not simply walk through the front door? That’s exactly what spear-phishing involves. No matter how much we have tried to educate people on best practices, the majority of users will click on any document or link if it is sent from a person or organization they know and trust. The victim becomes a willing participant in their own attack.
It used to be that attackers would simply spam any email address they could get their hands on, with dire warnings or false promises. Those types of emails were easy to spot; you’re less likely to open an email from “Acme Bank” if you don’t even have an account there. Their effectiveness was less than 1%. But if the email appears to come from your personal bank, and arrives at the same email address you use at the bank, the effectiveness jumps dramatically. Depending on how specific the target is and what the message contains, effectiveness can be anywhere from 10% to 70%. These are staggering numbers, and the attackers have taken notice.
The Epsilon breach has exposed millions of email addresses which can be associated with dozens of specific companies. This is a target-rich platform from which to launch spear-phishing attacks. Combine this with the data that can be combed about almost anyone using nothing more than social networking, and you have an extremely effective weapon to target individuals and companies. For example, let’s say I know your name and email address, and you are registered with Best Buy (thanks to the Epsilon breach). Maybe you just posted a picture of your brand new TV on Facebook. I can now craft an email, appearing to come from Best Buy, thanking you for your new purchase with a link to receive 10% off your next purchase. What are the chances you will click that link? If I’m targeting a specific company, I can correlate my stolen list with an employee list (or just look for specific domain names in the email addresses), and cherry-pick a set of individuals to target. All I need is to get on one computer.
While both security technologies and malware have advanced over the years, the front door is still the easiest way in as long as there is a person willing to hold the door open for you.