By Caitin Condon, StopBadware

For the past several days, consumers have been bombarded with news about a major data breach affecting Epsilon, the online marketing unit of Alliance Data Systems Corp. Epsilon provides email marketing services for roughly 2,500 customers, including major banks, retailers, and other service providers. No sensitive financial information was compromised; however, the attacker(s) obtained millions of email addresses and names from Epsilon’s database. The incident has set off a wave of warnings about phishing attacks, where malicious actors attempt to steal sensitive information (usernames, passwords, credit card info, etc.) by masquerading as trustworthy online entities, like banks or trusted retailers.

The Epsilon breach gave hackers access to names and email addresses on major companies’ email lists, which gives phishers extra ammunition: their attacks can be highly personalized and targeted at users who would typically open emails from the companies in question. These types of targeted phishing attacks, often referred to as spear phishing, can look extremely realistic. Unfortunately, phishers don’t even have to coax their victims into entering personal information; they can merely create a fake website pretending to be the site of a bank, retail company, or other service provider, and lace the spoofed site with malware. When a user visits the fake site (after clicking on a malicious URL in a phishing email, for example), his or her computer is infected with a Trojan that surreptitiously gathers personal information--like financial account information--without the user ever having to type in anything at all.

So far, almost 50 major companies have admitted to being affected. Security writer Brian Krebs has a growing list that’s being updated regularly. Many of the affected companies have contacted consumers via email to warn them of the data breach and remind them that the company will never request personal information or account login information via email. Consumers are also warned not to click on links or respond to emails claiming to be from affected companies.

There’s an overwhelming stream of information available right now about what malicious actors might do in the wake of Epsilon’s data breach and what users should do to avoid phishing attacks. The underlying theme of all the tips and tutorials is clear,  however: use common sense and take extra caution in light of this recent incident. Don’t enter personal information or login credentials in response to an email prompt, no matter how convincing or “urgent” the message.
Phishers may try to trick consumers into giving away sensitive information by posing as legitimate companies warning their customers of the data breach--be extremely wary of any communication that requests anything of the user, including asking him or her to click through to a “company” website. It’s safer to type the company’s URL into your browser bar by hand than to click on a link. If you’re concerned about your information, call a verified company phone number (the number on the back of your company loyalty card or credit card, for example).

Resources:

• The aforementioned Brian Krebs has a great list of basic tips called After Epsilon: Avoiding Phishing Scams & Malware. 
• GovInfoSecurity.com also has a regularly updated list of impacted companies.
• The APWG (Anti-Phishing Working Group) offers comprehensive advice for consumers on How To Avoid Phishing Scams.
• The APWG also details What To Do If You’ve Given Out Your Personal Financial Information.

You can report phishing attacks to various entities, including those below.

• Report a phishing credential collector to the APWG: http://www.antiphishing.org/report_phishing.html
• Report phishing mails and websites to the U.S. government: http://www.us-cert.gov/nav/report_phishing.html
• Report a phishing website to Google: http://www.google.com/safebrowsing/report_phish/
• If you encounter a badware URL that displays malicious behavior other than phishing, you can report it to StopBadware’s online community, BadwareBusters.org, here: https://badwarebusters.org/community/submit

Caitlin Condon is the Raconteur at nonprofit anti-malware organization StopBadware. She tells StopBadware's story across various online communities and coordinates communication between people at all points on the technological spectrum.