Epsilon-based scams used to spread Malware
by Steve Ragan - Apr 15 2011, 03:35

Criminals are using some cheap but effective tactics to spread malware in the wake of the recent Epsilon data breach. Specifically, concerned users searching for more information about the attack may land on a page that looks official but delivers much more than basic information.
On March 30, Epsilon Interactive, an ESP (Email Service Provider) with hundreds of brand clients, such as Best Buy and JP Morgan Chase, suffered a data breach exposing millions of email addresses and names. It wasn’t until some of Epsilon’s clients started informing their customers that the full scope of the breach became clear.
The attack is hosted on a webpage that is an exact downloaded clone of the official Epsilon press release announcing the data breach. Looking at the attack page's source code, researchers at Websense noted that the attackers were lazy, not even bothering to remove the header information that shows the page was downloaded and saved from the original site.
“The attack page is basically a cut-and-paste copy of the HTML code from the original Epsilon press release. This provides the professional appearance of the Epsilon site to lure victims. The big difference is that the attack page provides a malicious binary download,” Websense’s Chris Astacio wrote.
The scam tries to convince users to download a supposed "Epsilon Secure Connect" tool so they can check whether their personal information was compromised in the breach.
“As of April 8th, the investigation into the unintentional loss of client data has determined that personally identifiable information associated with the client emails and/or customer names could have been disclosed,” the malicious page explained.
“Epsilon has created a tool for customers to determine whether or not their information was subject to disclosure. If you believe you may have been affected, please run this tool to determine if your records may have been disclosed.”
The attack site is hosted on a bare IP address (207.191.230.84) rather than a domain name, and the EXE it offers was detected by most, but not all, of the major antivirus vendors at the time of this report.
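The two tells described above (a pasted copy of another site's HTML that still carries the browser's saved-from marker, and an executable download pushed from a host that is a bare IP address) can be checked mechanically. The script below is an added example written for this page; it is not code from the article or from Websense. It assumes the leftover "header information" is the `<!-- saved from url=(NNNN)http://... -->` comment that some browsers write when a page is saved to disk, and the sample pages it scans are constructed.

```python
"""Scan a page for two indicators of a cloned lure page: a leftover
browser 'saved from url=' comment pointing at a different origin, and an
executable download, especially one served from a bare IP address.

Added example, not code from the article or from Websense.  Assumptions:
the leftover "header information" is taken to be the
'<!-- saved from url=(NNNN)http://... -->' comment some browsers write
when a page is saved to disk; the sample pages below are constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

SAVED_FROM_RE = re.compile(r"saved from url=\(\d+\)(\S+)", re.IGNORECASE)
EXEC_EXTS = (".exe", ".scr", ".msi", ".com", ".bat", ".pif")


class _PageScanner(HTMLParser):
    """Collect the saved-from origin (if any) and every href on the page."""

    def __init__(self):
        super().__init__()
        self.saved_from = None
        self.hrefs = []

    def handle_comment(self, data):
        m = SAVED_FROM_RE.search(data)
        if m and self.saved_from is None:
            self.saved_from = m.group(1)

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_ip_literal(host):
    """True when the host part of a URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_page(html, page_url):
    """Return the indicators found in one page; 'suspicious' is set when any fire."""
    scanner = _PageScanner()
    scanner.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    findings = []

    # Indicator 1: the page was saved from a different origin than it is served from.
    if scanner.saved_from:
        origin = (urlparse(scanner.saved_from).hostname or "").lower()
        if origin and origin != page_host:
            findings.append(f"saved copy of {origin} served from {page_host}")

    # Indicator 2: the page itself lives on a bare IP address.
    if is_ip_literal(page_host):
        findings.append(f"page hosted on bare IP {page_host}")

    # Indicator 3: links to executables, resolved to absolute URLs.
    exe_links = []
    for href in scanner.hrefs:
        absolute = urljoin(page_url, href)
        parsed = urlparse(absolute)
        if parsed.path.lower().endswith(EXEC_EXTS):
            exe_links.append(absolute)
            note = "executable download " + absolute
            if is_ip_literal((parsed.hostname or "").lower()):
                note += " (from bare IP)"
            findings.append(note)

    return {
        "saved_from": scanner.saved_from,
        "exe_links": exe_links,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample: a pasted press release that still carries the
# saved-from marker and points at an EXE on the IP named in the article.
SAMPLE_HTML = """<!-- saved from url=(0027)http://www.epsilon.com/news -->
<html><head><title>Epsilon Press Release</title></head><body>
<p>Epsilon has created a tool for customers to determine whether or not
their information was subject to disclosure.</p>
<a href="/download/secure_connect.exe">Run the tool</a>
<a href="http://www.epsilon.com/">Epsilon home</a>
</body></html>"""

# Constructed benign page for comparison: no marker, no executable, real hostname.
BENIGN_HTML = """<html><body><p>Press release.</p>
<a href="/news/statement.html">Read more</a></body></html>"""

if __name__ == "__main__":
    for url, html in (("http://207.191.230.84/index.html", SAMPLE_HTML),
                      ("http://www.example.com/news", BENIGN_HTML)):
        result = analyse_page(html, url)
        print(url, "SUSPICIOUS" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the constructed lure page the script reports all three indicators; against the benign page it reports none. The saved-from check is the cheap one to add to a URL triage pipeline, since a legitimate site never serves its own pages with another origin's saved-from marker.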