Ever more sophisticated spammers keep finding new ways to target unwitting web users, writes CIARA O'BRIEN
HAS YOUR previously clear inbox suddenly become choked with spam? If you’ve been careful about who you give your e-mail address to, the influx of spam is probably more than a little puzzling.
But just because you’ve been careful with your address, it doesn’t mean spammers haven’t managed to get their hands on it. In fact, one of those companies you trusted with your e-mail address could unwittingly be responsible for the deluge in your inbox.
The recent Epsilon data breach is one such example. The company, which provides marketing services to about 2,500 firms, was the victim of an intrusion into its systems which saw contact data relating to 50 of these companies stolen. The firm provides e-mail marketing services to several big-name firms, including Marks & Spencer in the UK, the Ritz Carlton group and JP Morgan.
Epsilon was quick to reassure customers that only their names and e-mail addresses were accessed in the attack.
“On March 30th, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorised entry into Epsilon’s e-mail system. The information that was obtained was limited to e-mail addresses and/or customer names only,” the company said in a statement.
It is being described as one of the largest breaches in US history.
“The scale of the attack is concerning and could lead to a revised set of security measures for dealing with customer data. But the most immediate concern is to ensure that users are aware of the types of threats posed by unsolicited e-mails, how to recognise them, and how to guard against them,” said Philip Dall, mobile security expert at BullGuard.
“Customers should rightly expect to feel safe when giving an e-mail address or contact details to established and trusted companies, but this recent attack goes to show that trading of such data should still be done with caution.”
The data stolen in the Epsilon attack, while limited, could be used to launch phishing attacks on unsuspecting e-mail users.
“What’s hard for consumers is they have no control over this,” said Conor Flynn, technical director of Rits Security. “Very few people would have realised that the information has been passed to someone else on their behalf.
“What’s worrying from a consumer point of view is that the phishing e-mails they are being hit with are well crafted and look like they come from someone you trusted.”
The attack comes only weeks after online retailer Play.com informed customers there had been a breach at its e-mail marketing firm, Silverpop. Some customers complained to Play that e-mail addresses used only for the site had received spam messages, prompting the retailer to contact customers directly.
It’s little comfort to consumers who are already suffering the consequences. After years of having online security drilled into you, the loss of information over which you have no control is frustrating.
BullGuard recommends having a separate e-mail address specifically used for signing up to retailers’ newsletters, marketing communications and other commercial e-mail. There are two benefits to this.
Should the address become known to spammers, you can simply dump it without having to go through a torturous process of letting everyone know that you have changed your contact details.
But more importantly, keeping it separate from any address you use for financial transactions will mean that any suspicious e-mails will immediately throw up a red flag to users.
Despite increasing awareness and efforts by security companies to block attacks, it is still a booming sector for criminals.
According to Symantec’s latest internet security threat report, the number of new threats rose to more than 286 million in 2010, with a “dramatic” increase in the frequency and sophistication of targeted attacks. And mobile devices are coming under the scrutiny of attackers, the report found.
Scams of this type are getting increasingly sophisticated. Irish e-mail users may have seen an official-looking e-mail from the Revenue Commissioners drop into their e-mail inbox over the past few months. While that in itself wasn’t noteworthy, the fact that it was in Irish certainly caught attention.
“Any attack that is going to use identity theft or fraud will try to establish a rapport or credibility with the target. The more information they have, the more credibility, the easier it will be,” said Flynn.
But with “social engineering” on the rise, web users are unwittingly falling into traps. The growth of social networks has also given scammers a new way to target consumers.
Shortened URLs, a popular sight on websites such as Twitter and Facebook because they avoid the need for long web addresses, can also be used to trick web users into clicking on phishing links.
“Last year, attackers posted millions of these shortened links on social networking sites to trick victims into both phishing and malware attacks, dramatically increasing the rate of successful infection,” Symantec said.
News feeds, such as that on Facebook, have been used to distribute attacks on a mass scale. And seemingly innocuous applications, such as quizzes, could be revealing enough about you to allow a scammer to steal confidential data.
The solution? Get cynical.
“People’s behaviour online should mirror the physical world,” said Conor Flynn.
“You wouldn’t go on holiday somewhere you’ve never been and walk down a dark street with money falling out of your pocket, your phone clipped to your belt and your camera over your shoulder, making yourself a target. People need to be more cynical online.”
HELPING YOURSELF: THE BEST WAYS TO LIMIT SPAM
Set up a separate e-mail address to keep site and newsletter registrations separate from your financial information – PayPal etc.
Read the fine print. A site's privacy policy should have information on data privacy and with whom they will share your e-mail address.
If an e-mail asks you to confirm or supply any personal information, don't follow the links included. Most companies, particularly banks, will not ask for such information by e-mail. If you think it may be a genuine request, contact the company directly.
Be aware of the URL. Most companies will use an address starting with https://, which indicates the connection is encrypted, as opposed to http://, which is not. If it is not encrypted, be wary of supplying any information to the company.
Keep your antivirus up to date and ensure your e-mail has a good spam/junk mail filter.
Don't open attachments from senders you don't know. Old advice, but one of the most effective in preventing viruses and other malware from getting into your machine.
Don't forget about mobile use. Antivirus software is available for smartphones running on platforms such as Android. While it won't pick up all the malware hidden in apps, it might prevent you from downloading some software that is less than legitimate.
Be security conscious on social networks. Don't grant access to your information for apps with which you are not familiar.