    In late November 2010, Epsilon partner ReturnPath – which provides monitoring and authentication services to email service providers – warned customers about a series of coordinated phishing and hacking attacks leveled at the mailing list industry.

    Dear colleagues,

    We have become aware of a serious phishing attack aimed specifically at ESPs, some direct mailers, and gambling sites.

    Over the course of the past five weeks, spam campaigns have been aimed at the staff members of over 100 ESPs and gambling sites. These targets have received emails typically with content that mentions the staffer by name, and purports to be from a couple, presumably friends or co-workers.

    The phish message has been sent numerous times, over several different systems, including using the facility of some ESPs, using online greeting card sites, and by way of a botnet. Sources confirm the list of addresses is very small (less than 3,000 addresses) and aimed 100% at staff responsible for email operations.

    Here is an example of what we have seen here at Return Path:

    Hey Neil, it’s Michelle here, it has been a long time huh ? how’re you doing ? how’s your work with Return Path ? Is everything ok there ? Hey, can you believe it! I got married to Brian ! Yes I did. I tried to call but you did not answer. You have changed your number, haven’t you? Just give me your current telephone number if you read this mail. It’s really a pity that we did not see you in our wedding. I wanted to invite you so much. Well, here I’m sending you a few pics taken in our wedding:

    Let’s keep in touch then.


    Michelle & Brian

    The URL above was in fact a fake; the target URL itself ended up at a different website hosting malware.

    The specific malware associated with these campaigns is particularly bad:

    1. Win32.BlkIC.IMG disables anti-virus software. Only two out of the 40 anti-virus programs at Virus Total detect this:

    Comodo Version 6822/20101123
    Norman Version 6.06.10/20101123

    2. iStealer, which is a Trojan keylogger that steals passwords
    3. CyberGate, a “remote administration tool” trojan that lets the criminals control the computer moving forward

    This is an organized, deliberate, and destructive attack clearly intent on gaining access to industry-grade email deployment systems. Further, the potential consequences should ESP client mailing lists be compromised at this time of the year are unimaginable.

    What could have been done with this warning?

    1. Educate the team

    2. Scan logs for attempts

    3. Scan computers, laptops and emails for issues

    Unfortunately for millions of Americans, Epsilon failed to listen to the warnings and watch the trends.
