USA Today reports on the issue of e-mail “phishing” crime — stealing individuals’ legitimate e-mail addresses to use in scams.
In the past four months, caches of customer e-mail addresses, not banking and credit card information, have become the key target of data thieves. The goal: Use the legitimate e-mail addresses and the specific companies their owners have business relationships with to get people to buy worthless goods or to infect their PCs.
The recent theft of potentially tens of millions of consumer e-mail addresses from online marketing firm Epsilon followed a spate of similar hacks in December, USA TODAY research shows.
Web marketing and cybersecurity experts say there are several ways cybercriminals can make profitable use of the stolen e-mail addresses. Just like legit advertisers, criminals can correlate a person’s demographics and shopping patterns “and use that to their advantage,” says Thomas Jelneck, president of Internet marketing firm On Target Web Solutions.
The Better Business Bureau, for instance, has issued a warning about a fake Chase Bank e-mail stemming from the undisclosed number of e-mail addresses that hackers stole from Epsilon. The security breach was disclosed last week. Some 50 Epsilon clients were affected, ranging from Chase Bank and Verizon to Hilton and Target. […]
In late December, Honda reported a hacker stole e-mail addresses belonging to 2.2 million Honda owners and 2.7 million Acura owners. Also in December, data thieves stole 13 million e-mail addresses from the artists' website DeviantArt, 1.3 million e-mail addresses from Gawker Media and an undisclosed number from McDonald’s.
By correlating names and e-mail addresses with information about where a person banks and shops, criminals can more effectively bypass spam and anti-virus filters and fine-tune phishing attacks — spoofed messages designed to trick you into clicking on a viral attachment or poisoned Web link. The intruder then takes full control of the victim’s PC. “The No. 1 attack vector today is the human,” says Jose Granado, principal at Ernst & Young’s information security practice.