Tuesday, April 19, 2011

Epsilon: What attacks could be executed with the stolen information

Nota: Este post está disponible en Español

In my last post titled “Epsilon Data Breach” I made a brief introduction to Epsilon’s incident and made some remarks on the risks that this attack implied. In this post I want to go deeper into the possible actions that the attackers could take.

One could think that the stolen information is simply names and e-mail addresses, and that these do not represent a risk. But actually, they do represent a risk to the affected companies. This information is the key to launch a variety of attacks against them or their customers.

Let us do an analysis of the different actions that attackers could perform with the information stolen:
The first action could be as simple as selling the information to Epsilon’s Competitors, which would be very valuable to them because it contains enough data to perform a direct marketing campaign. Although this action is a possibility, it does not represent an important risk to the end users affected because, in a worst case scenario, they will be victims of SPAM.

The second action could be a phishing attack. This massive social engineering attack has as primary objective to deceive its victims by obtaining certain information, like user IDs, passwords and identity data among others. How would this attack take place? It is actually quite easy, since the attacker already possesses all the information necessary about final users.  For example, the attacker could simulate a personal e-mail from the US Bank, Citi or Best Buy, stating that customers should change their password of their home banking or on-line accounts due to the Epsilon breach.  Of course, this would be performed in a web site controlled by him, where he would be able to collect the desired information.

This attack vector was the main reason that forced Epsilon’s customers to notify their own customers about the incident, since this one represents a real risk and it is well known that a Phishing attack wave is imminent.

The third action could be a Spear Phishing attack. In contrast to a traditional Phishing, this technique is targeted to a specific organization or group with the aim to achieve unauthorized access to their systems, and is normally used as part of a mayor attack (like obtaining information stored in an organization’s corporate network).

An example of an anatomy of attack that uses both this technique and the information stolen from Epsilon could be the following:
1.      
  1. The attacker will analyze the information stolen from Epsilon in order to find one or more persons that work at a company of interest (ej. Home Depot Credit Card). To achieve this goal, he will do an extensive research using search pages and social networks (i.e. Google and LinkedIn). Once he has finished their homework, he will end up with a list of persons (victims) , that work at the targeted company, and another list of services / preferences that these people use (i.e. account at US Bank or Citigroup).
  2. Once he has the list of victims, he will design the fake e-mails. The success key factor here will be the information stolen from Epsilon, since it will give the con a feeling of authenticity. The e-mail will also contain an attachment that will exploit a known vulnerability (or unknown / zero day) in order to install a backdoor into the system (a hidden program for remote management). As an example, he could send an e-mail faking to be from the US Bank, addressed to one of the victims (using their full name) that contain an attachment that says “Promotions”.
    If the victim falls prey of the Spear Phishing by opening the attachment, the attacker would have achieved the goal of installing the backdoor that will allow him to access to the system when needed. 
  3. Once inside the corporate network, the attacker would search, with regular hacking techniques, the credentials needed to achieve his objective (i.e. steal credit card information from Home Depot Credit Card). 
  4. Once the attacker gained access to the information, he will extract it through the Internet to an external server controlled by him. Probably he will compress the information with a password in order to prevent being detected. 
  5. His final move will be to erase all the evidence of this unauthorized access.

Is this attack possible? 

If we go back a couple of weeks, we might be able to remember the RSA incident, which shows us that this kind of attack is possible and probable.

These attack vectors are the real risks that companies and end users might be exposed based on the information stolen from Epsilon. It is shown in this post that personal information, even if they are e-mail address or preferences, must be protected not only because of their value, but for their utility to launch a major attack.

What should affected companies do?

First of all, conduct and awareness and training to their employees focusing on social engineering, such as Phishing. If they use their e-mails as a form of Identification and Authentication, they should consider changing it or at least changing their passwords to a strong one (or even better, implement a two-factor authentication mechanism).

Secondly, establish an 0-800 or any toll free number in order to their customers or employees to report any strange e-mail or make inquires. This will allow the company to be alerted for any attack attempt that could happen.

No comments:

Post a Comment