U.S. federal prosecutors in Atlanta today unsealed indictments against two Vietnamese men and a Canadian citizen in connection with what’s being called “one of the largest reported data breaches in U.S. history.” The government isn’t naming the victims in this case, but all signs point to the 2011 hack of Texas-based email marketing giant Epsilon.
A malware-laced e-mail that spoofed season's greetings from The White House siphoned gigabytes of sensitive documents from dozens of victims over the holidays, including a number of government employees and contractors who work on cybersecurity matters, KrebsOnSecurity.com has learned.
The attack appears to be the latest salvo from ZeuS malware gangs whose activities over the past year have blurred the boundaries between online financial crime and espionage, by stealing financial data and documents from victim machines. This activity is unusual because most criminals using ZeuS are interested in money-making activities – such as stealing banking passwords and creating botnets – whereas the hoovering up of sensitive government documents is typically associated with threats from China that are deployed to gather industrial or military intelligence.
McDonald’s and Walgreens this week revealed that data breaches at partner marketing firms had exposed customer information. There has been a great deal of media coverage treating these and other similar cases as isolated incidents, but all signs indicate they are directly tied to a spate of “spear phishing” attacks against e-mail marketing firms that have siphoned customer data from more than 100 companies in the past few months.