"Banks, credit-card issuers warn of email breach"

[rconner]

See Yahoo.

Apparently a remailer named Epsilon got attacked and yielded up a bunch of e-mail addresses. We're advised to get ready for a spate of phishing as the crooks try to match e-mail addresses with credit card info.

This came to my attention because a store named New York And Company sent me a notice that my address might have been leaked. These guys had been spamming me (probably got my address from a scrape) but had stopped when I broke down and unsubscribed. Now they tell me that my address may have been leaked. Sheesh -- the reports of the death of mainsleaze were greatly exaggerated.

-- rick

[Lking]

yet another reason not to use mass emailers even for valid purposes.

[kmolloy]

Epsilon isn't a remailer, they're an email service provider. ESPs are useful in the sense that the people who run them have a clue about how to send technically correct mail, handle bounces properly and send mail in vast quantities without crashing the recipient servers. Some even do a good job riding herd on their customers and make sure they don't abuse. However, some do not.

Epsilon isn't the first company to be breached recently, either; there's been a rash of these since last fall. It appears in at least some of the cases these have been "inside" jobs, where an employee or other person with authorized access to the database has stolen it. Rumor has it Epsilon is one of them.

[dra007]

I have had 4 e-mails regarding this breach this morning, all from reputable and different companies. I have to see how this transpires in the next few days, I am deffinitely annoyed but what can we do, there must be some way to be more proactive about crime on internet before everyone of us is victimized..

As for inside jobs even credit card companies and ITs responsible for banking information have been penetrated by moles and for some reason it takes a long time to figure them out...

[turetzsr]

...Agreed! I am a customer of Chase, which told me about the breach. You'd think after all the big-name problems of a couple of years or so ago, financial institutions would have really good tools to avoid such problems. And perhaps they do and we'd have a lot more such breaches otherwise. It's certainly the case in the company for which I work that I myself have far more access to clients' and employees' data than I need to do my job and I doubt there's much, if any, auditing, of my database queries.

[rconner]

I too received another one of these notices this morning at my work address.

I can (almost) understand a legit company like a bank falling victim to this sort of thing (particularly since so many rely upon so few mailing providers). What ticked me off about the original incident was that New York & Co. was e-mailing me without my advance opt-in, and with my never having so much as walked in to one of their stores (or having even heard of them) -- meaning that they (or someone else) must have scraped my address, or else gotten it through some third party. And now, having in effect stolen that address, they now confess that they let someone else steal it from them. A pretty lackadaisical performance all the way around.

-- rick

[StevenUnderwood]

I have received 4 of these messages:

Charter Cable (my ISP)

TIAA-CREF (one of my wife's retirement accounts)

Target (retailer)

TapeOnline.com (work vendor)

They seem to be widely used. I believe New York & Co is a fashion retailer which owns several different similar companies. Perhaps you were legitimately on one of their lists and their warning email did not specify this.

[Farelf]

AND beware of the "one-two" punch. Co-incidentally or otherwise there is something of a current upsurge in exploit attachments to fake order emails at the moment, just when there is wide-spread worry about risks to personal data such as credit cards and so-on. One I got a short time ago is shown:

http://www.spamcop.net/sc?id=z49695592...;action=display

These are using a PDF vulnerability and are discussed in various places, such as

http://www.hoax-slayer.com/order-received-...re-emails.shtml

http://news.softpedia.com/news/Malicious-P...rs-192574.shtml

Supposedly "up-to-date" Adobe PDF readers are not vulnerable - but this comes at a time when some are rebelling against updates to Adobe due to perceived "bloat" and other concerns. I have no idea whether or not "alternative" readers are vulnerable. Whatever, the attraction for malware writers is that these "crafted" PDFs can be trivially modified to keep changing the signatures/hashes. "My" example would be detected and eliminated by just 5/41 AV products currently (VirusTotal):

Avast	4.8.1351.0/20110408	found [JS:Pdfka-gen]
Avast5	5.0.677.0/20110408	found [JS:Pdfka-gen]
GData	22/20110408	found [JS:Pdfka-gen ]
Sophos	4.64.0/20110408	found [Troj/PDFJs-RM]
VIPRE	8959/20110408	found [Exploit.PDF-JS.Gen (v)]

There are some big names missing. Incidentally, it slipped right through IronPort filtering too (outwards, had to email it to VT since their FT was wonky). Sure, "we don't click on attachments" but people get worried and feel vulnerable and then they really are vulnerable. But note the message was quite easily detected as "spam".

When you're gnashing your teeth as more and more institutions 'fess up to a little incontinence with your data, beware the "one-two" punch.

[Farelf]

Add two more detections vide http://www.virustotal.com/file-scan/report...5975-1302519564

AntiVir 7.11.6.46 2011.04.11 EXP/Pidief.VS.1

TrendMicro-HouseCall 9.200.0.1012 2011.04.11 TROJ_PIDIEF.RLK

On the other hand VIPRE, which picked up the exploit from an e-mailed submission to VirusTotal, failed to replicate the result with a later virus definition on a file-transferred copy of the same file:

VIPRE 8985 2011.04.11 -

Anyway, just for interest to show how detection slowly picks up. Not wishing to give the wrong impression in these posts - in my observation, one can't rely on any specific AV to be amongst the "early detectors" within the life-cycle of an exploit¹. Safe habits are the best protection. Safe habits maintained despite distractions and the occasional uncanny co-incidence that tries to sneak under the guard.

¹On the other hand, a certain few seem to be almost always late but I'm not naming names based only on unscientific "seemings".

[Wazoo]

Supposedly "up-to-date" Adobe PDF readers are not vulnerable - but this comes at a time when some are rebelling against updates to Adobe due to perceived "bloat" and other concerns. I have no idea whether or not "alternative" readers are vulnerable.

Some techniques have been unique to Adobe's tool-set, but yes, in the past, some exploits also worked against others. Some of the libraries involved included some of the same (or at least similar enough) code such that the same 'errors' were invoked during the handling of these PDFS.

[Farelf]

Thanks Wazoo, I was wondering but have never researched the question.

Meantime: Texas exposes addresses, SSNs of 3.5 million residents

Following last week's massive Epsilon e-mail breach, it feels as if all of us suddenly have a little too much personal information floating around online. And now, a large group of Texans are about to have it a lot worse: the state revealed Monday that personal information for 3.5 million citizens has been exposed to the public, including names, addresses, Social Security numbers, and more.

Just the "tip of the iceberg" probably. The USA has a tradition of frank and early disclosure in matters of civil administration - well relatively, when compared to the secretive and arse-covering Civil/Pubic Service instrumentalities in most other places. Lord knows what has happened and is continuing in those other places.

[Wazoo]

Thanks Wazoo, I was wondering but have never researched the question.

A couple of quick reads. Noting that these blog entries are tied to the latest Adobe exploit, but after reading the second one, it should be obvious that any number of things can go wrong when software tries to handle these hunks of garbage.

Flash 0-days

Adobe Flash Player 0-day Exploit Analysis (CVE-2011-0611)