Marketing’s Weekly Dose of the Truth

Ken Magill


You Friggin' Knew about This!?

By Ken Magill

The most shocking piece of email-marketing-related news this week comes in a series of blog posts in which Return Path announced it had been phished and the email addresses of some clients had been stolen.

“I'm sure many of you are familiar with the targeted ESP phishing attack that has been ongoing for almost a year now and has led to multiple known ESP system breaches,” Return Path CEO Matt Blumberg wrote in a post on CircleID.

“In short, a relatively small list of our clients' email addresses was taken from us, meaning those addresses are now the targets of the phishing campaign that are intended to compromise those client systems,” he continued.

And no, it wasn’t the hacking that was shocking. It was the revelation that some people in the industry had known about these attacks for almost a year and kept quiet about them.

Message to those folks: You knew about this!? For almost a f*&king year!? And you didn’t warn anyone!?

The only way to mitigate these attacks is by sharing every scrap of information we have on them and that includes with clients and consumers.

Here is a sample of one of the phishing emails received by Return Path:

Hey Neil, it’s Michelle here, it has been a long time huh ? how’re you doing ? how’s your work with Return Path ? Is everything ok there ? Hey, can you believe it! I got married to Brian ! Yes I did. I tried to call but you did not answer. You have changed your number, haven’t you? Just give meyour current telephone number if you read this mail. It’s really a pity that we did not see you in our wedding. I wanted to invite you so much. Well, here I’m sending you a few pics taken in our wedding:

[URL Redacted]

Let’s keep in touch then.


Michelle & Brian

According to Return Path’s senior director, security strategy – email intelligence group, Neil Schwartzman, the link in the message leads to a site that hosts malware. Schwartzman said he believes the perpetrators are a well-known spam gang based in the U.S. and Canada.

He also said he doesn’t believe the perpetrators will phish end users. Rather, he said, the spammers will more likely provide any addresses they’re able to steal to affiliate spammers.

“This problem was exacerbated because we’ve got an affiliate industry completely out of control,” he said.

Meanwhile, a Google search using some of the phrases in the email reveals the attack is widespread. However, the messages sent to people in the email-marketing industry seem to be more personalized.

For example, I received one from “Sarah” that addressed me by name and asked how my work in email marketing was going.

A commenter on said the attacks have also been aimed at email infrastructure vendors.

One thing is certain: The assholes behind these attacks thrive on ignorance. The more educated people are about their tactics, the less chance they have of succeeding. Someone in permission-based email marketing should have sounded the alarm about the wedding-photo attacks months before Blumberg did.

Moreover, marketers need to mount some sort of effort to educate their subscribers about dangerous spam.

“One missing component [in the fight against spam] is user education,” said Schwartzman. “We’ve sold people on the idea that it [email] just works. Well, sometimes it can hurt you badly.”

Playing defense against malicious spammers has not worked. It’s time to go on offense. And that means sharing sometimes embarrassing information with competitors and getting the word out to consumers about just how dangerous some messages can be.

What’s that I hear? Crickets?

Author's clarification: This piece is not meant to imply Matt Blumberg knew about the attacks and kept quiet. In fact, an early draft had a sentence saying Blumberg's the only one who has shown a lick of sense in this fiasco, but I took it out because it looked too much like sucking up to an advertiser. In hindsight, I should have left it in. Now, of course, it really looks like I'm really sucking up to an advertiser.

