Dec 20

McDonald’s and Walgreens Email Address Thefts Pose Major Security Challenges

Email security continues to be one of the biggest challenges for consumers and companies, and the problem may have gotten worse for millions of people this past week after Walgreens and McDonald’s reported that their networks had been breached. The criminals stole millions of marketing email addresses from the retail and fast food giants, including those of consumers who had opted out of future email campaigns. The criminals who conducted the McDonald’s breach were able to steal customer email addresses, names, physical addresses, phone numbers, birth dates, genders and promotions preferences. Shortly after the theft, criminals used Walgreens’ email marketing list to spam customers with a legitimate-looking email asking them to enter their personal information into a Web page. The site that the email directed customers to was actually controlled by hackers.

While retailers have spent millions of dollars on PCI compliance (protecting against credit card data breaches), criminals who steal email address databases may have found a roundabout way to acquire data that could ultimately provide them with what they are looking for: money. At a minimum, the theft is a visible scar on network security for McDonald’s and Walgreens. In reality, it poses a significant threat to the millions of customers who have grown accustomed to receiving legitimate messages from these companies. The goal for many cybercriminals is to gain as much information about their prospective victims as possible. With that information, they are able to create and send customized and personalized email messages with the sole purpose of luring or lulling their victims into clicking on a link or providing an additional piece of information. While many email security systems are able to block the majority of spam messages, the real danger arises when email users mistake quarantined messages for legitimate ones because they include personal information, and then release them into their inbox.

Here is why:

With the names and email addresses, spammers will be able to personally address the messages they send to the email recipient. They will no longer have to use a generic intro, which is a common characteristic of spam. In the case of McDonald’s customers, the scammers also have promotional preferences, addresses and birth dates. This added information will allow them to create spam campaigns that are increasingly personalized and sophisticated, making it even harder for the email recipients to resist the call to click.

Today’s scammers are developing sophisticated email campaigns that are already bypassing many of today’s popular email filters. They have successfully spoofed major brands from Facebook to Twitter, UPS and Xerox. The customers on Walgreens’ and McDonald’s email marketing lists are expecting the messages. Even though McDonald’s has warned customers to be cautious of anyone claiming to be from the company and asking for information or requesting a click, it could be difficult to tell a legitimate email from a phishing scam. Unfortunately, it appears the thieves may have the upper hand.

During the past year, one thing that Red Condor has constantly warned about is what could happen if a scammer is able to gain access to critical personal information. As we have learned, it only takes one click to be infected by malware today, and by gaining access to targeted databases, it is likely that the scammers may not even need to try as hard to get victims to click on embedded links, download images, open attachments or respond to requests for additional information.

Earlier this year, the Facebook account of a venture capitalist and Facebook board member was compromised. Three hundred of the person’s Facebook friends received a bogus event invitation that succeeded in getting users to divulge their Facebook passwords. The same email was distributed to all of their Facebook friends as well.

At the time, we asked the question: what would have happened if, rather than compromising a Facebook account, scammers had gained control of the person’s email account? Scammers could have easily exploited this address, with far more serious consequences for the VC and his professional and personal networks.

Now consider the power that the criminals who stole the marketing emails have right now. Imagine what they can do with that information. Set up a fake Walgreens store to capture credit card information and then email Walgreens customers about a sale? Invite McDonald’s customers to participate in a fake online buy-one-get-one promotional campaign or a scam birthday offer? While McDonald’s and Walgreens are downplaying the exact type of information that was taken, unfortunately, the threats are valid and are likely to be far-reaching.