One of the most costly and extensive crimes in the United States is cyber crime. Almost 100 million Americans have their personal information placed at risk of identity theft each year when government and corporate databases are lost or stolen.
In the past four months, caches of customer e-mail addresses, not banking and credit card information, have become the key target of data thieves. The goal: Use the legitimate e-mail addresses and the specific companies their owners have business relationships with to get people to buy worthless goods or to infect their PCs.
Web marketing and cyber security experts say there are several ways cybercriminals can make profitable use of the stolen e-mail addresses. Just like legit advertisers, criminals can correlate a person’s demographics and shopping patterns “and uses that to their advantage,” says Thomas Jelneck, president of Internet marketing firm On Target Web Solutions. The number of victims of identity theft dropped by more than a quarter in the U.S. last year, the largest annual fall on record, but individual victims lost more money on average than ever before.
The annual survey of consumer fraud from Javelin Strategy & Research released on Tuesday showed total annual reported fraud was down to $37 billion in 2010 from $56 billion in 2009, but the average out-of-pocket loss soared to $631 from $387 -- an increase of more than 60 percent.
The Better Business Bureau, for instance, has issued a warning about a fake Chase Bank e-mail stemming from the undisclosed number of e-mail addresses that hackers stole from Epsilon. The security breach was disclosed last week. Some 50 Epsilon clients were affected, ranging from Chase Bank and Verizon to Hilton and Target. Those companies, in turn, have been sending e-mail warnings to their respective customers.
Ultimately, the bad guys must send emails either to your email address (or from your email address to your friends) with some tantalizing message that effectively requests that you provide your credit card, social security number, or other (more valuable) piece of information. So, having your email address stolen is bad, but it is only the first step in stealing something of greater value from its owner.
Phishing attacks are not uncommon, and as always, if you keep your guard up about where you click and what information you give up, you'll probably be safe. But phishing attacks do work, even if it's just for a small percentage of recipients. And as the breach at Epsilon has exposed tens of millions of email addresses, even that small percentage could prove to be a sizable number. Loren Spallina, support manager at anti-virus maker PC Tools, says, “We’re definitely expecting any number of potential malicious actions” making use of recently stolen e-mail addresses.
Over the past year, spammers have been trying to hack into the service companies that pump out the bulk of the nation's sales coupons, air miles account updates, and friendly reminders that make up legitimate marketing e-mail campaigns.
ReturnPath, which was hit by hackers late last year, isn't an ESP, but it sells deliverability services to more than 2,000 ESPs, including Epsilon. These deliverability services are extremely important to ESPs because they help them get their legitimate marketing e-mail through spam filters. When ReturnPath was hacked, criminals stole e-mail addresses belonging to 13,000 of its users -- ESP employees and marketing professionals who had accounts with the ESPs. Last year, ReturnPath said that e-mail operations employees at more than 100 ESPs and gambling sites had been hit with targeted phishing attacks. Victims would get an e-mail specially targeted to them with a link to a website that then tried to install malicious password-stealing software on their computers.
"This is an organized, deliberate, and destructive attack clearly intent on gaining access to industry-grade email deployment systems," said Neil Schwartzman, a former senior director of security strategies with ReturnPath. "Further, the potential consequences should ESP client mailing lists be compromised at this time of the year is unimaginable."
Every individual or business is vulnerable to attack. IT professionals who work with corporations that deal with large consumer databases need to do their part to keep consumers’ personal information safe. One way to mitigate security breaches is with technical security training. Information security professionals can increase their information security knowledge and skills by embarking on highly technical and advanced training programs. EC-Council has launched the Center of Advanced Security Training (CAST) to address the deficiency of highly technically skilled information security professionals.
CAST will provide advanced technical security training covering topics such as Advanced Penetration Testing, Digital Mobile Forensics training, Application Security, Advanced Network Defense, and Cryptography. This highly technical and advanced information security training will be offered at all EC-Council hosted conferences and events, and through specially selected EC-Council Authorized Training Centers.
EC-Council is a member-based organization that certifies individuals in various e-business and security skills. It is the owner and developer of the world-famous Certified Ethical Hacker (CEH) course, Computer Hacking Forensics Investigator (CHFI) program, License Penetration Tester (LPT) program and various other information security training programs offered in over 70 countries around the globe. EC-Council has trained over 80,000 individuals in technical security training and certified more than 38,000 security professionals. EC-Council has launched the Center of Advanced Security Training (CAST) to address the lack of highly technically skilled information security professionals.