The breach last month at Epsilon, the email marketing arm of Alliance Data Systems Corp. of Plano, Texas, was probably four months in the making, according to an April 9 story in CNet, and it could have started with a phishing attack against an email services partner that Epsilon used, called Return Path Inc., of New York.
Return Path reported the theft of thousands of emails after an employee clicked on an infected link inside a malicious email in November.
In a blog post from Nov. 26, Return Path's chairman and chief executive, Matt Blumberg, said the company discovered the infection and cleaned its systems, but not before hackers stole 13,000 email addresses for clients who had registered for alerts, including the email addresses of employees at email service providers such as Epsilon.
As evidence of how targeted so-called spear-phishing attacks can be, Blumberg posted an example of an infected email sent to one of Return Path's employees:
"Hey Fred, it's Michelle here, it has been a long time huh ? how're you doing ? how's your work with Return Path? Is everything ok there ? Hey, can you believe it! I got married to Brian ! Yes I did. I tried to call but you did not answer. You have changed your number, haven't you? Just give me your current telephone number if you read this mail. It's really a pity that we did not see you in our wedding. I wanted to invite you so much. Well, here I'm sending you a few pics taken in our wedding … Let's keep in touch then.
Love, Michelle & Brian"









