Security Watch

Return to Sender

The breach last month at Epsilon, the email marketing arm of Alliance Data Systems Corp. of Plano, Texas, was probably four months in the making, according to an April 9 story in CNet, and it could have started with a phishing attack against an email services partner that Epsilon used, called Return Path Inc., of New York.

Return Path reported the theft of thousands of emails after an employee clicked on an infected link inside a malicious email in November.

In a blog post from Nov. 26, Return Path's chairman and chief executive, Matt Blumberg, said the company discovered the infection and cleaned its systems, but not before hackers stole 13,000 email addresses for clients who had registered for alerts, including the email addresses of employees at email service providers such as Epsilon.

As evidence of how targeted so-called spear-phishing attacks can be, Blumberg posted an example of an infected email sent to one of Return Path's employees:

"Hey Fred, it's Michelle here, it has been a long time huh ? how're you doing ? how's your work with Return Path? Is everything ok there ? Hey, can you believe it! I got married to Brian ! Yes I did. I tried to call but you did not answer. You have changed your number, haven't you? Just give me your current telephone number if you read this mail. It's really a pity that we did not see you in our wedding. I wanted to invite you so much. Well, here I'm sending you a few pics taken in our wedding … Let's keep in touch then.

Love, Michelle & Brian"

Debt and Hoaxes

Here's yet another twist on identity theft scams: The Better Business Bureau, in an April 11 advisory, said consumers should be very vigilant about calls from alleged debt collectors seeking funds on past-due accounts.

Many are identity thieves looking for information on accounts to do real damage.

The BBB said consumers made 15,000 complaints about debt collectors in 2010. It urged consumers to take requests for information from debt collectors seriously, since such a call can also be a sign that identity theft has already taken place and fraudulent accounts have been opened in the consumer's name. At the same time, the agency advised consumers to obtain written proof of any debt owed, as well as the contact name and telephone number of the debt collector, among other information, before providing anything themselves.

Trouble in Texas

The Texas Comptroller of Public Accounts announced April 11 that it had accidentally placed the personal records of 3.5 million people on a public database.

The information included names, addresses, Social Security numbers, dates of birth and driver's license numbers from teachers and employees of the Teacher Retirement System of Texas.

The TRS had meant to transfer the information to an internal database at the Comptroller's office. The information, which was unencrypted, was transferred between January and May 2010. The Texas Comptroller's office said it sealed off the data late last month.

Small-Biz Blues

Smaller businesses are under attack, and they aren't going to take it anymore.

That's the message from security firm Guardian Analytics, of Los Altos, Calif., which released on April 4 the results of its 2011 Business Banking survey, conducted by the Ponemon Institute LLC.

Of the 533 small businesses it surveyed in February, 56% reported they had experienced payments fraud or attempted payments fraud on their accounts in the previous 12 months.

Three-quarters of respondents said they had experienced account takeover or fraud in the online banking channel over the same period.

Although those numbers were flat compared with 2010, Guardian said the lack of movement shows how little progress banks have made in combating small-business banking fraud.

In nearly 80% of fraud cases, banks failed to catch fraud related to illegal transfer of funds or identity theft, business owners said.

That number is important because banks have widely been faulted for not offering their corporate treasury clients the same protections against fraud that consumers get when they bank online.

Interestingly, 41% of business owners said they thought their bank would not cover any losses if their company assets were stolen and not recovered, up from 26% in 2010.

Seventy percent of business owners said that their financial institution should be responsible for securing their online transactions.

The impact of fraud on business owners is severe for both the business and the bank: 43% of businesses changed banks after fraud, and 33% said they moved their primary cash management services to another bank.

Great Getaways

Consumers whose PCs have been hijacked by malware that enlists their machines in botnets may not know that their computers are also being rented out to hackers, security expert Brian Krebs reported on his blog April 11.

In a system resembling the sale of time shares in a large vacation condo complex, hackers offer the use of compromised computers so that other hackers can stay anonymous.

By enlisting such computers as nodes in an attack, hackers can cover their tracks, appearing to come from an Internet Protocol address belonging to an innocent computer user.

For a $150 registration fee, hackers can select computers with IP addresses that appeal to them. They can rent the computers for about $1 a day, or the machines can be purchased for exclusive use, Krebs said.

Krebs contacted one of the businesses whose computers he found on a for-rent list. Representatives from the business said they had only recently called in IT professionals to secure their network.

The professionals ran anti-virus scans and discovered one infected computer, which they reportedly fixed.

Still, the network continued to be used by hackers and the company was none the wiser.

Botnets are frequently used in distributed denial of service attacks, which knock out websites belonging to banks or other businesses by sending them more Web traffic than they are designed to handle.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.