December 15, 2010

McDonald’s and Walgreens this week revealed that data breaches at partner marketing firms had exposed customer information. There has been a great deal of media coverage treating these and other similar cases as isolated incidents, but all signs indicate they are directly tied to a spate of “spear phishing” attacks against e-mail marketing firms that have siphoned customer data from more than 100 companies in the past few months.

On Nov. 24, I published an investigative piece that said criminals were conducting complex, targeted e-mail attacks against employees at more than 100 e-mail service providers (ESPs) over the past several months in a bid to hijack computers at companies that market directly to customers of some of the world’s largest corporations. From that story:

“The attacks are a textbook example of how organized thieves can abuse trust relationships between companies to access important resources that are then recycled in future attacks. According to multiple sources, the so-called “spear phishing” attacks in this fraud campaign arrived as virus-laden e-mails addressing ESP employees by name, and many cases included the name of the ESP in the body of the message.”

Artist haven deviantART also disclosed this week that its e-mail database — including 13 million addresses — had been hacked. deviantART blamed the breach on SilverPop Systems Inc., an e-mail marketing firm with whom it partners.

McDonald’s said its data spill was due to hacked computer systems operated by an e-mail database management firm hired by its longtime business partner Arc Worldwide, a marketing services arm of advertising firm Leo Burnett. Contacted by phone, Arc Worldwide President William Rosen referred all questions to another employee, who declined to return calls seeking comment.

Walgreens didn’t name the source of the breach, but said it was due to “unauthorized access to an email list of customers who receive special offers and newsletters from us. As a result, it is possible you may have received some spam email messages asking you to go to another site and enter personal data.” Interestingly, Arc Worldwide stated in a July 27, 2009 press release that Walgreens had chosen it as the promotion marketing agency of record.

As I was putting this blog post together, I read a story by The Register reporter Dan Goodin that cited an FBI agent who tied a thread between all of the breaches. Goodin reported that FBI agents looking into the theft of customer data belonging to McDonald’s are investigating similar breaches that may have hit more than 100 other companies that used email marketing services from Atlanta-based Silverpop Systems. From that piece:

“The breach is with Silverpop, an email service provider that has over 105 customers,” Stephen Emmett, a special agent in the FBI’s Atlanta field office, told The Register. “It appears to be emanating from an overseas location.”

In other words, it’s fair to say we can expect plenty more of these disclosures in the days and weeks ahead. The other thing to keep in mind is that while the customer data at issue in these breach disclosures isn’t exactly super-sensitive — e-mail addresses and birthdays, for example — this information can enable skilled attackers to be more convincing in posing as the victim company in a bid to extract even more useful customer data, such as passwords. One need only look to the recent breach at Gawker Media — which exposed passwords and user names of 1.3 million users — to see how often users recycle passwords across a large number of Web sites.

Update, Dec. 16, 5:01 p.m. ET: SilverPop CEO Bill Nussey has published a brief response to the incident on the company’s blog.

29 thoughts on “Fallout from Recent Spear Phishing Attacks?”

  1. JS

    I can’t exactly follow the thread but realize that:

    Many consumers don’t realize how much “marketing” is outsourced and re-outsourced by the primary company.

    Did I get it right?

    1) Business X sets up a marketing agreement with Y which then outsources email campaign to Z.
    2) Then Z’s employees are methodically targeted to be compromised. When Z’s employees are compromised this spills data out of Z.
    3) This spilled data is then used to compromise business X and Customers of X with other targeted methods.

    Z is the lowest common denominator to X, X1, X2, X3…. and/or Y1, Y2, Y3…

    Is that the chain of events or am I misreading?

    Also, I don’t see T&Cs at McDonald’s about how far any customer or customer demographic info may be shared with subcontractors & partners. However, they wrote it so it can be overridden at times with fine print.

    Walmart is a bit more verbose.

    Perhaps these and previous breaches will be a new basis for consumer rights limiting how many vendor/partners away from the primary business can collect & hold customer data.

    I doubt anyone giving McDonald’s an email address thought it would be passed down the line through 2 companies.

    What about the other 98 companies of the 100? Somewhere there is a hush up. Perhaps in the banking sector? Perhaps linked to what was found in the ZeuS raids?

    Great work Brian! Keep them on their toes!

      1. Alex

        No, heh-heh-heh.
        Good joke, Brian. My brain is not enough to write such an article.

  2. AlphaCentauri

    There’s nothing sinister in McDonald’s outsourcing their email marketing. Their business is selling hamburgers. Doing email marketing is a specialized field. Even among companies for which it is a core business, not all do even a minimally competent job.

    Mickie D’s at least picked a firm that doesn’t spam people randomly the way Kraft Foods’ Gevalia Coffee division does. But given the fact that the whole reason they are choosing an outside company to do their email marketing is because they don’t have the competence to do it in-house, you have to assume there are also limits to how well they can assess their consultant’s ability to maintain the security of the database.

    At some point, everyone must consult with an expert who knows more than they do. They can check references and reputation and do the due diligence, but in the end they have to trust that the consultant has not overlooked any important details.

    1. JS

      Rigil Kentaurus,

      Your points are always valid and insightful.

      For sure there is always the business of business: delegating authority and responsibility to get real work done.

      However, one can’t ever avoid accountability by saying “it was the vendor!”

      I think one thing yet overlooked here is that SilverPop’s methodology may have been what attracted the criminals in the first place because they were seeking to leverage the options end users “trust.”

      SilverPop has a branded mechanism for interaction by end users to opt in/out of a marketing campaign.

      Given enough redirection, local Trojans, and DNS cache poisoning, it could start to cover a lot of criminal activity under the guise of opting in/out of emails apparently from a legit business, just by clicking the opt in/out directions traditionally given to end consumers at the end of an email.

      Why pick a lock when you can convince somebody they are locking the door when in reality they are opening it up?

      1. Louis Leahy

        Point is well made, and it is why it is so important to ensure that each password is unique for each user for each site. (This was my point earlier about the technology we have developed, which I note has been dismissed by apparently the majority on this forum.) There was a survey conducted by Bitdefender of 250,000 social network users which found that 75% used the same password for multiple accounts. Sure, we can be arrogant and say those users are foolish, but in reality the systems should be designed to protect users who don’t understand; if network owners do not start implementing systems to protect user privacy, then legislators are going to start making laws to compel them to do it.

      2. AlphaCentauri

        @JS, yes they are ethically and legally responsible for the actions of their subcontractors. On the other hand, will I castigate them because they got burned? No, because there, but for the grace of (insert deity of choice here), go I.

  3. N3UJJ

    I find it very interesting that SilverPop has no mention of this on their website or Facebook page. Like they are hiding that it happened.

  4. xAdmin

    Pfft! Marketers! One would be wise to not so readily give them the ammo with which to shoot you. }:-{

    I’m always wary of giving out much personal information to anyone whether in person or online. I especially loathe the cashier in store asking for my phone # or e-mail address. I’ve seen many people readily hand over the info without a thought as to why the store needs it. Again, pfft, marketers!! They have enough info on you already, no need to voluntarily provide any more!

  5. DaveMich

    Who signs up with McDonalds or Walgreens using their primary email address anyway? Even casual internet users eventually figure out that you need more than one email address – one for people you know and trust, and one for everyone else.

  6. Mike Angelinovich

    Fallout from Recent Spear Phishing Attacks?

    Regarding “posing as the victim company in a bid to extract even more useful customer data, such as passwords”: such an attack is easily prevented even if a person gives out their credentials. For any company under the protection of an authentication solution such as SoundPass, stealing usernames & passwords becomes useless. Why? Because access also requires the virtual (credential) token, which the user has no control over, and therefore it prevents any type of Phishing attack.

    Good Article!

    1. Louis Leahy

      Tokens are good systems, but with the current authentication topology they can be circumvented.
      There is a good discussion about it here.
      They are also complex for users to implement and add extra layers of cost that many network owners, e.g. the non-profit sector, could not justify or pass on to users. The password creation and entry issue has to be fixed; it needs to be simple to implement from a user’s perspective, protect them from making obvious mistakes, and not allow the thief access if they get control of the user’s devices.

  7. mark evertz

    Nice post. You know what I notice when companies report these breaches is the immediate defensive position that… “hey, it’s just e-mail. No sensitive data or SSNs were accessed.”

    I don’t know about the rest of you, but I’m not particularly cool with crafty cyber attackers knowing my e-mail address or, in the case of the McDonald’s breach, my home address. “Mr. Evertz, you’ve won a Free CD Series on Cyber Security… just load it up on your computer!”

    Brian, I’d be interested in your take on this. With complex phishing attacks helping infest unknowing end users in corporations and at home — and even poorer practices with people using weak passwords and re-purposing them across a multitude of accounts — see the Gawker breach — e-mail addresses need to have a seat at the sensitive data table, or at least the kiddie table off to the side. And corporations need to be educated that any breach is a big deal.

    As always great stuff and keep up the good fight.

  8. Mike Angelinovich

    Louis Leahy

    SoundPass is a simple, new technology, so we are not talking about a hardware token, which as you say can be circumvented, plus adds cost and user confusion. SoundPass automatically generates a dynamic software credential, from the user’s PC, which is sent with the user’s login credentials. So the user owns it but does not control it nor knows what it is. Therefore, the user cannot give it away even if he tried. SoundPass is one of the strongest and most affordable MFA security solutions available. Nothing is added to the user’s PC and SoundPass is fully portable. SoundPass cannot be Keylogged either, because you cannot swipe what you don’t type. (Zeus, for example, uses a real-time Keylogger.) There are many more security features, but I am not trying to plug SoundPass; I am just stating that there are simple and affordable solutions available which can easily prevent the types of attacks discussed in this article.

    1. AlphaCentauri

      Does that address the man-in-the-middle aspect, where ZeuS captures any data transmitted through the spoofed website, not just keystrokes?

  9. Louis Leahy

    Irrespective of whether the code is emanating from the one device or multiple devices, the issue is that it is coming from a device in the client’s control, and consequently it is vulnerable to impersonation, particularly if the traditional authentication topology is relied on. A common occurrence for such a breach will be internal fraud; it will be someone close to the victim. I didn’t think that was what the article was primarily focused on; the issue I thought it was about was the vulnerability caused by replication of a password, hence my initial comment (which I thought was relevant, but who knows). On Windows computers it is astounding how easy it is to get access and then locate password strings and crack them. If you can’t access the user account you can reissue the admin password and then reissue a new account password to the user. Once on that system, if the programming has not been executed correctly on the network server, the access credentials may be accessible. One of the ways I have seen is on a laptop where the logon details were found in the hibernation file. Anyway, I think additional security like that is good but not as invincible as some think, and it is only a matter of time, if implemented widely, before this becomes more apparent. If you look at the recent Verizon 2010 Data Breach report, that research (which I think may include a large amount of data from Secret Service events investigated) shows that the cases in which most losses are incurred are in situations where the credentials have been secured. When you think about it this is obvious, because it is far easier to be an actor if you can log on as a legitimate user than leaving evidence in logs from a clumsy hack. At present the most common way for crims appears to be simply tricking unsuspecting victims into turning on their remote desktop. In our own household we would have received about 6 VoIP calls in the last few months from actors claiming to be from our ISP support team trying to talk us into giving them access to our computer so they can remove damaging malware; they are very brazen and very convincing. Anyway, I had better go home or I will be in the dog house.

  10. Mike Angelinovich

    Louis Leahy

    You are right, that is why SoundPass was designed to take it OUT from under the client’s control.

  11. Mike Angelinovich

    SoundPass contains built-in checks against “Man-in-the-Middle” attacks. The client applet and the server dll run checks to verify that the client is communicating directly with the intended server.

    The client applet can optionally display a keypad, allowing the user to supply a key using only the mouse. That key is only stored in the user’s head, which adds another level of security.

  12. Louis Leahy

    Mike, you say you have removed it from the client’s control, but your press releases claim that the client can turn it on or turn it off and can copy and install it on any device? If it resides on the client device it is in the client’s control, which means it is vulnerable.

  13. Mike Angelinovich

    Louis Leahy,

    We did design SoundPass to be enabled or disabled by a user to match our original OnhandID hardware smart card or token design, which some Credit Unions requested in order to allow members an opportunity to get familiar with using more than just Username and Password, as SoundPass has an optional Screen Pad feature. However, SoundPass has never been implemented to allow the enable/disable feature.
    Software authentication solutions in the past have had two major problems. The first, and really big, problem was that they did not offer portability. The second was that software had to be distributed and downloaded by the user onto their computer. So we designed the SoundPass software to only reside on the authentication server.

    The last time a user accesses their online account using their original Login method, the authentication server will automatically send the user a SoundPass Java applet and the user will simply follow the steps to generate their SoundPass token, which can reside on the user’s client or any portable device.

    The value of the token never changes and is never passed to the server. However, the information passed to the server is never the same, creating a one-time-use key, valid only once. The screen pad user-supplied key that is used to encrypt and decrypt the token file is never stored, making it difficult to compromise the actual token. This prevents an attacker from using the information captured from the stored token file from a lost thumb drive, Trojan attack, etc.

    The solution contains built-in checks against “Man-in-the-Middle” attacks. The client applet and the server dll run checks to verify that the client is communicating directly with the intended server. The information exchanged between the server and the client provides a built-in design feature that defeats “Replay” attacks.

    The encrypted token file can be stored on a user-supplied USB thumb drive or PDA, effectively creating a 100% Hardware Token solution without having to deploy unique hardware.

    So the user never knows the information that is being sent from the Java applet to the server, nor does the user enter any of that information being sent. So the user is totally removed and cannot be Phished, and there is nothing to be Keylogged. I am not aware of any other solution with this level of MFA security. Furthermore, it is user friendly and very affordable.

  14. Louis Leahy

    Mike, you have confirmed what I said: the client has control over the process. An attacker can gain access to the network if they secure the login credentials of a user on the client device and use the client device with your token installed. That is the issue: the authentication. If you are using the traditional user name and password configuration, your system is easily compromised by people who don’t even have to have any particularly clever technical skills; once on that device they will find the codes used, and if not they can run a phishing, smishing, or vishing exercise to get them, which may in fact occur before a breach is attempted and be how the device is compromised in the first place. I don’t think the claim that the system is not susceptible to phishing is valid. The attacker will already have those user codes before they attempt to access the network your systems reside on, as they will have secured them by fooling the client user, or by finding them on their client device, or, as the article explained, perhaps by being aware of passwords the target has previously used; hence my original comment, which appears to be unacceptable on this forum but which I think is critical to any solution that seeks to significantly improve security on the web. Anyway, I still think what you are doing is great stuff; it’s just that there are more pieces to the puzzle. That’s why I tune in to Krebs: there are always really good comments from some very knowledgeable and experienced people, to the extent that the trolls can be ignored.

  15. Mike Angelinovich

    Louis Leahy,

    I am not clear on what you are trying to say but it is late so maybe it is just me.

    However, let’s look at what is going on today and perhaps it will make it easier to understand. SoundPass is a MFA solution being used to authenticate online bank accounts across the nation. Let’s say a user does login using a Username & Password. That is absolutely Phishable and Keyloggable. So now the Hacker has the user-entered login credentials. These credentials are not enough to open that user’s bank account. Why? Because it requires an additional SoundPass credential sent to the authentication server by the computer (not the user). Only the authentication server will be able to verify that credential sent by the computer, which is hashed and is different every time.

    So how is it possible to Phish that SoundPass credential? Even if you held a gun to my head I could not tell you what that SoundPass credential is, because I don’t know. Zeus, for example, cannot Keylog it either, because I did not type it.

    Finding a lost Memory Stick storing the encrypted user token would not be any good, even if you could determine what it is and who it belongs to and you were able to then steal their personal credentials; plus you would need the screen pad key, which is not stored anywhere. Meanwhile, the person who lost their token would have generated a new one to be able to access their online account, and the lost token would no longer be valid.

    I am not aware of any Trojan exploit today that could find the encrypted user token or know what it is, or even whether that token is stored in the user’s computer, because each user may elect to store it differently. If there is such a Trojan, then only the screen pad key can decipher that token, and that key is not stored anywhere. Lastly, in order to generate a new screen pad key, you must access your account first, so you must be a member and call into your Bank to access your account, in which you will have to authenticate yourself.

    By the way, SoundPass has had attempts by Zeus to break into member online bank accounts and failed.

    An interesting side note: SoundPass prevented an approved Vendor’s Mobile Banking System from working because it was set up to legally act as a MITM to allow users to access their accounts on the phone. SoundPass was designed to prevent such an attack and that Vendor had to take their product elsewhere.
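The one-time credential, replay check, lost-token and compromised-device cases argued in comments 13 to 15 above (and the objection in comment 14), as a simplified model added here; this is not SoundPass code or its real protocol, and the one-time enrollment step, the PBKDF2 derivation from a stored seed plus the screen-pad key, and the HMAC-over-nonce response are all assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Hypothetical, simplified software-token model (added example, not SoundPass
# code). Assumption: the server learns the token once at enrollment; after
# that only HMAC(token, nonce) crosses the wire. Low KDF rounds for speed.
PBKDF2_ROUNDS = 20_000


def make_token_file() -> dict:
    """Enrollment on the device: store only a random seed; the screen-pad key
    needed alongside it is never written anywhere."""
    return {"seed": secrets.token_bytes(32)}


def unlock_token(token_file: dict, screen_pad_key: str) -> bytes:
    """Combine the stored seed and the never-stored key into the shared token."""
    return hashlib.pbkdf2_hmac("sha256", screen_pad_key.encode(),
                               token_file["seed"], PBKDF2_ROUNDS)


def respond(token: bytes, nonce: bytes) -> bytes:
    """What the client sends per login: fresh every time, never the token."""
    return hmac.new(token, nonce, hashlib.sha256).digest()


class AuthServer:
    def __init__(self) -> None:
        self.tokens = {}   # user -> token learned at enrollment (assumption)
        self.pending = {}  # user -> outstanding challenge nonce

    def enroll(self, user: str, token: bytes) -> None:
        self.tokens[user] = token

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        # A nonce is consumed on first use, good or bad, so a captured
        # (nonce, response) pair replayed later is rejected.
        if self.pending.pop(user, None) != nonce:
            return False
        return hmac.compare_digest(respond(self.tokens[user], nonce), response)


def run_scenario() -> dict:
    """Walk through the cases argued in the thread and return each outcome."""
    server = AuthServer()
    key = "4719"                    # screen-pad key, lives only in the user's head
    token_file = make_token_file()  # sits on the PC or a thumb drive
    token = unlock_token(token_file, key)
    server.enroll("alice", token)
    n1 = server.challenge("alice")
    r1 = respond(token, n1)
    out = {"legit_login": server.verify("alice", n1, r1)}
    # Replaying the captured pair fails: the nonce was consumed.
    out["replayed_capture"] = server.verify("alice", n1, r1)
    # A phished or keylogged password alone gives no token, so no valid answer.
    n2 = server.challenge("alice")
    out["password_only"] = server.verify("alice", n2, respond(b"", n2))
    # Lost thumb drive without the screen-pad key derives the wrong token.
    n3 = server.challenge("alice")
    out["file_without_key"] = server.verify(
        "alice", n3, respond(unlock_token(token_file, "0000"), n3))
    # Residual risk the thread debates: whoever holds both file and key, e.g.
    # on a compromised device, answers challenges indistinguishably from the user.
    n4 = server.challenge("alice")
    out["file_and_key"] = server.verify(
        "alice", n4, respond(unlock_token(token_file, key), n4))
    return out
```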

  16. Louis Leahy

    Mike, you have confirmed that the network is identifying the computer; that is the issue. If the computer is owned then so is the token; the token is only effective if the authentication is effective. Krebs is continually reminding us that the best way to protect computer banking is not to use that computer for anything else. If the authentication routines are not properly designed, the password can be hacked, changed, phished, smished, vished or spear phished. The reverse is not true, i.e. good authentication can work without a token, but of course the ideal scenario is to have both; the issues then, however, are complexity, costs, scalability, latency etc. So the token is not going to be the solution for the majority of network situations; it really is only a solution for high value assets where the costs, be they direct or indirect, can be justified.

    1. Tony Smit

      “Krebs is continually reminding us that the best way to protect computer banking is not to use that computer for anything else.”

      One thing users need to do is keep a log of every time they access their banking account, and what transactions they undertook. Having written records separate from the “bank’s records” will show the person/business is paying attention to their bank transactions.

      Single computer, with a written log book. Very simple for most small businesses.

      1. Mike Angelinovich

        1. Companies who need to bank online should use a dedicated computer to do their banking transactions.
        It is NOT realistic that the average individual can afford to buy a computer and dedicate it to only banking activities.

        2. A dedicated computer used only for online banking does not mean you are 100% protected. That computer and the Bank’s authentication security still need to properly protect the user.

Comments are closed.