Report: End-user ignorance at Epsilon let hackers steal customer data

Epsilon was warned of imminent socially engineered attacks four months ago but was still unable to defend against breach

The hackers who managed to steal millions of customer email addresses from marketing giant Epsilon did so by exploiting what is arguably the weakest link in IT security: end-user ignorance or, perhaps more aptly, inadequate end-user training.

ITNews reported today that the perpetrators of the data heist, which affected customers of numerous large corporations across an array of industries, got a foot in the door through successful social engineering attacks targeting Epsilon employees.

According to the report, Epsilon was warned of a concerted phishing and hacking attack on the mailing list industry four months ago by ReturnPath, a monitoring and authentication services vendor for email service providers.

That revelation raises the question of whether Epsilon took the threat seriously enough to alert and educate end-users about recognizing socially engineered attacks. Experts have warned about this type of attack for years now, recommending that companies train end-users to be mindful of them. Meanwhile, the hacker community has made no secret about the effectiveness of this form of attack, going so far as to include a social engineering contest at DefCon last year.

In the case of Epsilon, hackers used email-based phishing attacks to target employees. The messages were written as though they were from real-life acquaintances of the targets and included such details as the target's place of business, thus making them appear believable. The messages also included links -- for example, to a website to view the spoofed contact's supposed wedding pictures -- which instead led the employee to download three malware programs: one that disabled the antivirus software on the user's machine; one called iStealer, a Trojan keylogger for stealing passwords; and one called CyberGate that gave hackers remote administration rights to the infected machine.

With that level of access, it was only a matter of time before the hackers would get their hands on a mother lode of email addresses from customers of big-name companies like Chase, Citi, Walgreens, Brookstone, Disney Vacations, Hilton, Marriott International, Eddie Bauer, Target, Fry's, and many others.

If there's a silver lining to this massive breach, it's that it might prompt companies like Epsilon to better prepare to deal with the malicious hacker ploys of the 21st century. Today's hacker knows there's no reason to attempt to break down a door if an unsuspecting security guard will simply hand over the key when asked.

This story, "Report: End-user ignorance at Epsilon let hackers steal customer data," was originally published on the InfoWorld Tech Watch blog.

Copyright © 2011 IDG Communications, Inc.