After Breach, Companies Warn of E-Mail Fraud [telecom]

After Breach, Companies Warn of E-Mail Fraud

By MIGUEL HELFT April 4, 2011

SAN FRANCISCO - Security experts said Monday that millions of people were at increased risk of e-mail swindles after a giant security breach at an online marketing firm.

The breach exposed the e-mail addresses of customers of some of the nation's largest companies, including JPMorgan Chase, Citibank, Target and Walgreens. In some cases customer names were also stolen.

While the number of people affected is unknown, security experts say that based on the businesses involved, the breach may be among the largest ever. And it could lead to a surge in phishing attacks - e-mails that purport to be from a legitimate business but are intended to steal information like account numbers or passwords.

"It is clearly a massive hemorrhage," said Michael Kleeman, a network security expert at the University of California, San Diego.

The marketing firm that suffered the breach, Epsilon, which handles e-mail marketing lists for hundreds of clients, disclosed the problem in a brief statement on Friday. But its sheer scale became clear over the weekend and on Monday, as banks, retailers and others began alerting their customers to be on the lookout for fraudulent e-mails.

While e-mail addresses may not seem particularly vulnerable, experts say that if criminals can associate addresses with names and a business like a bank, they can devise highly customized attacks to trick people into disclosing more confidential information, a technique known as "spear phishing."


formatting link

Reply to
Monty Solomon
Loading thread data ...

Rule #1: Never respond to emails that appear to be a legitimate institution requesting any personal information. For that matter just trash any message like that.

Reply to
Sam Spade

Walgreens' Email to customers says: "On March 30th, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Walgreens customers were accessed without authorization."

At 1-855-814-0010 Walgreens says that breach really occurred March

  1. How could they have been informed about it BEFORE it happened? What took them so long to inform customers?
Reply to

Per Sam Spade:

Rule #2: Never, *ever* give out your "real" email address to anybody in *any* kind of business. Not your lawyer, not your financial advisor.... *Nobody* who will be entering it into a DB other than their personal mail client.

I've got an email provider that allows me unlimited email addresses, but if I didn't, I'd set up "junk" addresses on any one of the free providers and have mail to them forwarded to me - deleting/disabling the forwarding as needed.

Reply to
Pete Cresswell

Instead of trashing them, I forward them to .

This reminds me of an email feature I haven't thought of in 20 years or so. That being Address Tags. From

formatting link

Address tags

Some mail services allow a user to append a tag to his email address (e.g., joeuser+ The text of tag may be used to apply filtering and to create single-use addresses.[5][6][7] However, some mail servers violate RFC 5322, and the recommendations in RFC 3696, by refusing to send mail addressed to a user on another system merely because the local-part of the address contains the plus sign (+). On the other hand, most installations of the qmail and Courier Mail Server products support the use of a hyphen '-' as a separator within the local-part, such as or joeuser-tag-sub- This allows qmail through .qmail-default or .qmail-tag-sub-anything-else files to sort, filter, forward, or run an application based on the tagging system established. It is also quite common for web forms to either refuse to accept the plus sign as a part or the username or to even misbehave in an undetermined manner[citation needed]. Disposable email addresses of this form, using various separators between the base name and the tag are supported by several email services, including Runbox (plus and hyphen), Google Mail (plus),[8] Yahoo! Mail Plus (hyphen),[9] Apple's MobileMe (plus), FastMail.FM (plus and Subdomain Addressing),[10] and MMDF (equals). The name sub-addressing is the generic term (used for plus-addressing and hyphen-addressing) found in some IETF standards- track documents, such as RFC 5233.

I just tried it on a couple of my email addresses. harold

  • (my local Fedora server) works properly, but harold+ (hosted by an ISP) reports an unknown user.


Reply to

Since this thread started, I have received several of these emails. Apparently, it is a scam.

Reply to
Sam Spade

Some of us can't do that. I have my own domain so it is easy enough to change it if I have to. Then, I would just be giving out the new email to the same entities.

My wife uses her email very carefully to a small group of social contacts. Yet, she gets some spam.

I have a couple of very seldom used email accounts at my broadband ISP. They are used only for a rare joke email to a friend. They sit there for months without activity other than the occasional promotional email from the ISP.

Reply to
Sam Spade

Per Sam Spade:

Rule#3: Avoid using a name as your email address. e.g. = Bad = Better = Least spam-prone....

This helps mitigate dictionary attacks where somebody matches a collection of first names to a collection of domain names.

"Least spam-prone" and not "Best" bc of anticipated difficulty telling somebody verbally what one's address is.

Reply to

Not for me. That lets the spammers win.

Reply to
Sam Spade

How careful are the social contacts that have her email address? Are any of them the type who forward every silly joke, urban legend, etc. to everybody in their address book, with all the recipient addresses exposed on the To: line, so that your wife's address continues to circulate as the message gets forwarded again and again with the list of addresses getting larger? Sooner or later some spammer will get hold of that.

Do any of her friends click malware links that load bots on their machines that suck all the email addresses from their contact lists and messages in their inboxes, and send them to spammers?

I find that no matter how careful you are about giving out your email address, it's almost impossible to avoid giving it to somebody far less careful.

***** Moderator's Note *****

Martha Washington once said "I let him out for *one* night, and ever since, it's 'Washington slept here', 'Washington slept here', 'Washington ...'"

I'm _sorry_ ! OK?

Bill Horne Moderator

Reply to
Matt Simpson


There is NO privacy on the internet. Never has been privacy, nor will it ever exist. Of course, in the good old days, everybody's phone number was published in a book (how's that for privacy!)...

Folks who want to protect their privacy shouldn't use e-mail or usenet, as neither has any provision to insure privacy. Social networking sites are simply billboards for all the world to see.

That's just the way the system works.


Reply to
Eric Tappert

I have a few throw away addresses that I use for places like Best Buy and Target, I noticed that those address started getting spam, in the past they never had any. I set a couple of new e-mail address up and then deleted those that had problems. ATT uses Yahoo and the spam filters are really good, none get to my Thunderbird reader at all.

Reply to

There is no privacy on the Internet because we've never incorporated encryption in any acceptable manner.

PGP didn't catch on like it could have. And I find that to be too bad.

The last version of PGP I played around with had two to the four thousand and ninety-sixth power worth of encyrption/decryption key pairs.

That comes to approximately ten to the twelve hundred and thirty-third power (bearing in mind that a mere trillion is only ten to the twelvth power).

That's secure enough for most of us.

Yes, I did a research paper on PGP when I was in graduate school. It's pretty dated (when PGP was far less powerful than now, in the late nineties) but you can read it at

formatting link

I did a lot of experimentation with PGP as well.

And I developed a three hour seminar on PGP that got excellent reviews from my students at the Capital PC User's Group in the Washington, DC area.

Read Father Bill Morton's PGP Page at:

formatting link
. It is a prime example of the need for privacy in telecommunications.



***** Moderator's Note *****

The Internet has as much or as little privacy as its users are willing to demand. We get the conveniece of email at a price, and those whom insist on keeping their emails private have several different options available:

  1. X.509 (Certificate-based) encryption and/or signing is built in to all the usual email clients. The certificates are now reasonably priced and easy to obtain, and the rest is "automagic".

  1. PGP or GPG (Gnu Privacy Guard) can be added to some email clients, or used in a stand-alone mode, with a minimum of effort.

  2. W.A.S.T.E.
    formatting link
    and similar "groupware" systems offer encrypted communication within workgroups.

But ...

If you have a perfectly implemented, well designed, and unbreakable cipher, then anyone who wants the data badly enough will simply bypass the codebreaking process and resort to rubber-hose cryptography. The information is only as secure as the people, and the adage about a secret being so only so long as only one person knows it comes to mind.

-- Bill Horne Moderator

Reply to
Fred Atkinson


The U.S. Treasury wants to get rid of paper. Their Treasury Direct accounts have security no one else offers me, certainly not Bank of America on-line banking.

I doubt anyone could bust into a Treasury Direct account unless they broke into the account holder's residence.

Reply to
Sam Spade

My hunch is in the early days of the net, privacy and security weren't issues. In fact openness and was encouraged. Richard Stallman famously refused to password protect his login because he believed his coworkers had the right to access his account.

I am a huge geek and I h> The Internet has as much or as little privacy as its users are willing

Users can run Tor, or similar services, that make tracking virtually impossible. I must note though I saw a blurb that the Iranian government had cracked this and could identify users.

I'm fairly certain I have brought this up in the past. I recall reading that when companies force employees to create very cryptic passwords security actually decreases. This is because an employee is more likely to write the password down and otherwise have it out in the open. So "LaSSie92!" might be better than "yH7^p31x.tT21". And how many times do we hear of a laptop full of Social Security numbers in plain text being left on a subway?

I originally wasn't going to reply to this thread, but an article in the May 2011 "Wired" got me thinking. There are three services that will share your browsing habits with your friends and/or the world.

formatting link
formatting link
Which brings me to a related topic. The people I personally know who scream the loudest about losing their privacy, usually in the context of speed enforcement cameras, are the same ones who post far too much information about themselves on social networking sites. I honestly, I wouldn't want to know what sites some friends of mine visit. Some information is better left unknown.

And in another related topic, I know people who fear Google and claim Google knows too much about them. What they don't understand is Google knows about them because they themselves put the information online in the first place. And it's the offline world people should really be afraid of. Credit reporting firms, marketing companies, to name a few know more about you than you think.


Reply to
John Mayson Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.