Email Attacks Committed by One Group: Sources
By Ken Magill
At least some of a series of recent, well-publicized data thefts were probably committed by the same person or group who stole email names from email service provider AWeber almost exactly a year ago, according to sources.
Moreover, whoever has been committing the thefts is highly sophisticated, sources in a position to know are saying.
“These are not amateurs,” said one high-level email executive who did not want to be named.
In late 2009, some unknown individual or group managed to gain access to AWeber’s clients’ email lists and apparently stole some or all of the names. At the time, AWeber said it quickly identified and fixed the problem.
More recently, in mid-December, email service provider Silverpop’s CEO, Bill Nussey, published two blog posts disclosing that the firm “recently detected suspicious activity in a small percentage of our customer accounts” but that it had taken steps to stop the activity, including changing client passwords.
Silverpop has declined to say which, if any, clients’ email files were accessed or stolen.
Company officials are working with the Federal Bureau of Investigation and will not comment beyond what is in Nussey’s blog posts in order to avoid jeopardizing the effort, said a company spokeswoman.
However, shortly after Silverpop disclosed the suspicious activity in some customer accounts, Honda sent a message to customers saying someone had gained unauthorized access to some of its email addresses.
“American Honda Motor Co., Inc. recently became aware of unauthorized access to an email list used by a vendor to create a welcome email to customers who have an Owner Link or My Acura vehicle account,” the message said.
In 2009, Silverpop issued a press release touting that Honda presented the email service provider with a “premier partner award,” so it’s possible the Honda and Silverpop breaches are related to the same incident.
Honda customers who received the warning email were also sent a link to a page claiming it is not necessary to change their passwords and that identity thefts as a result of the breach are highly unlikely given the limited nature of the information accessed.
“No financial information was compromised,” the company stated.
In any case, the attacks certainly have not been limited to Silverpop and its clients.
Walgreens in December disclosed its email list had been accessed by an unauthorized individual or group.
According to SecurityWeek, Walgreens provided the following statement: “We recently became aware of unauthorized access to an email list of customers who receive special offers and newsletters from us. Customer passwords, account information, prescription and any other personally identifiable information were not at risk because such data is not contained in the email system, and no access was gained to Walgreens consumer data systems.”
Despite trade-press speculation that the Walgreens breach was also part of the attack on Silverpop, Walgreens is an Epsilon client.
According to Epsilon, its database was not breached.
“No one without a properly issued user ID and password has accessed Epsilon’s system,” said Quinn Jalli, vice president of deliverability for Epsilon.
McDonald’s in December also announced hackers had gained access to its email file.
The question remains: What does whoever is stealing these email names plan to do with them?
In each of the attacks outlined above, the companies claimed no personal or financial information was obtained—though in the McDonald’s case, the thieves reportedly may have accessed address holders’ birthdays.
Also, there don’t seem to be any reports of new spamming or phishing activity resulting from the thefts.
And presumably, if the thieves or someone connected to them simply started spamming the addresses, people would begin complaining to their ISPs. The providers’ spam filters would then begin to kick in and the spammers’ mail would get sent into recipients’ spam folders or blocked.
One executive interviewed for this article said the lists may be very profitable anyway. The executive also speculated the thefts may be part of an effort to build a botnet by getting some recipients to click on messages containing malware.
Another high-level email executive speculated the attacks may be an effort to embarrass the commercial email industry.
“They could be just poking their finger in the industry’s eye,” the executive said.