Jaikumar Vijayan follows up on the news story by iTnews, mentioned earlier today, which reported that the Epsilon attack was a spear-phishing attack that resulted in the downloading of malware. Jai makes a point of noting, however, that there’s no proof or confirmation yet from Epsilon that this was a spear-phishing attack. As I commented earlier today, although iTnews claimed to be “revealing” the type of breach, there is not yet any confirmation that this is what happened this time; I suspect Neil Schwartzman of CAUCE is quite correct in his opinion on this.
Jai reports:
It’s not clear whether anyone at Epsilon, or Silverpop saw the alert, or how they may have responded if they did.
Neither email service provider responded to a Computerworld request for comment today.
According to iTnews, the breaches at Silverpop and Epsilon in the weeks that followed were caused by these spear-phishing attacks.
Read more on CIO.
Could Epsilon have known about this type of attack to proactively prevent it? Absolutely.
Should they have known about it in November when it was reported by Return Path and Brian Krebs of KrebsonSecurity.com? Absolutely.
Did they know back then? They haven’t said.
What did they do if they did know back then? They haven’t said.
And that’s why we need a Congressional or legal inquiry into this breach. And we need to get other ESPs under oath to answer the question of whether they, too, were breached back in November or more recently.
Updated: As Neil Schwartzman noted in a comment under another blog entry, he didn’t claim that the Epsilon breach was due to this type of attack. According to Neil, “They used 4-month old quotes to draw a causal link. This could just as easily be copycats exploiting another vector. We simply don’t know.”
iTnews got ahead of the story, it seems.
Certified Email was supposed to be the only method that ESPs, marketers, ISPs and subscribers could collectively use to ensure the integrity of the email supply chain. ESPs taking shortcuts on passwords and security protocols governing who has access to what data, marketers pushing the envelope as permission-based spammers, and ISPs that don’t subscribe to a single central standard of email authenticity… all put the email channel at risk. Return Path isn’t the answer either, because hackers can circumvent how they authenticate email.
So… with the ESPs and ISPs not supporting Goodmail’s Certified Email and Goodmail finally folding their doors in February, why hasn’t our US Government and Sir Julius picked up the intellectual property of Goodmail and made it a part of the Federal Government’s digital infrastructure?
If they put it inside the USPS, there would be a single honest broker who can sit between ESPs and ISPs to ensure the integrity of what’s coming through the system.
To hell with the non-profits who say they can’t afford certified and trusted email. They can’t afford not to, and I would bet that World Vision and others are on this Epsilon list.
Charge $1.00 CPM for all email sent, and the spam issue goes away IMMEDIATELY. As we shift from mindless consumption to mindful consumption in this booming economy, it’s incumbent upon the smarter people in the room to assess the risks of not adhering to a single email standard… and then do something about it. ESPs that get paid on volume will continue these practices. The only way to make more money is to send more email. A revenue model that is based on performance would be much more impactful, and appreciated by marketers and consumers alike. Question is… who’s going to lead on this issue?
The only way this will happen is if Obama and Julius decree that email communications are an integral part of our national security, and that the use of the CertifiedEmail encrypted tokens… is the answer.
Perhaps Gmail, Hotmail, Yahoo and others would then stop pushing proprietary protocols for spam detection and email receipt… and just live with a single standard.
I can appreciate the ISPs being pissed about email, because they don’t get paid to deliver it. Think about 40 billion emails at $1.00 CPM on average, and you have $40,000,000 in revenue for Epsilon, and the ISPs don’t get a DIME. Think about Experian sending 80 billion messages a year at the same rate, and the ISPs don’t get a dime.
If the ESPs and ISPs don’t agree on a single standard, people are going to keep tuning out of email, and marketers are going to have to resort to print and postage… once again. Because… our government demands it (prospectuses, changes in privacy notices, etc.).
Fun times!
Thank you for your thought-provoking comments. Clearly there’s a lot to discuss after this total cockup.