Sponsored by..

Wednesday 20 July 2011

Epsilon Breach Spam Run

The Epsilon Data Breach from a few months back certainly made headlines, but I haven't seen much in the way of spam activity that I could directly attribute to it. Until now.

From: Olga Sunday [mailto:SundayqyOhilga@hotmail.com]
Sent: 18 July 2011 17:31
To: Spam Victim
Subject: Spam Victim

Don't miss unique employment opportunity.
The company is seeking for enthusiastic representative in United Kingdom to help us spread out our activity in the Europe area.
easy training available.
Superb income potential.

- 18+ age
- Only basic knowledge of Internet & computer.
- 2-3 free hours per day

Candidates must be smart and commerce motivated. Operate only few hours per day.
Everyone located in the United Kingdom can become our representative.
Thank you for your attention.

Current News : honor rolls for monday, july , . 

At first glance it looks like a standard money mule spam, but there are two odd things. One is the "Subject" line which has the actual name of the spam victim. Not their email address, their real name.. more of this in a minute. The other odd thing is that the "From" address appears to be valid, and the email really has originated from Hotmail, presumably in some sort of auto-generated spamming account.

The inclusion of the recipient's name in the subject is the odd thing. In this case, I had a bunch of largely unrelated users in different countries with very similar email messages. So where had the names come from? Well, there were a couple of anomalies which gave a clue.. in two cases the "Subject" name was a family member, and not the actual recipient.

This narrowed down the possibilities, and it became apparent that the users had registered for something in the name of a family member, but using their own email account. And in one case that tied directly to a company which was a victim of the Epsilon data breach.

Looking over the other spam recipients, the majority were on the mailing list of Hilton Honors, Marriott Rewards, Marks and Spencer, Capital One or other Epsilon customers. Some didn't fit the pattern, but were connected with Pixmania, Plentyoffish.com and Play.com which were all hacked at about the same time. So perhaps the spammer's list is made up of data from more than one source.

Do I know for sure that this is connected with the Epsilon breach? No. But the inclusion of the family member's names indicates that they were harvested externally, the majority of users could be shown to have a connection to companies involved in the Epsilon breach, and the small number who couldn't seemed to be users of other breached companies.

This spam was very crude in its actual pitch. But I'm guessing that this will be the first of many more targeted spam/scam emails using this stolen data.

No comments: