Search My Blog

Friday, April 8, 2011

Epsilon Breach - Charter Communications (Charter.com) E-mail Addresses and Users Names Hacked!

Epsilon Breach,

There has been a huge Breach at the Epsilon E-Mail Marketing Co in Irving TX. Our ISP Charter was one of the Companies who's e-mail addresses and users actual names were Hacked. I had noticed an increase in Spam and Phishing Scan e-mails in the last week. But didn't read up on the Epsilon Breach until today. I received the e-mail notice from Charter on 04-05-11. But with recent surge of Spam and Phishing E-mails that I had been getting, I was Suspicious of this "Notice" too. I still don't know if the "Notice" I received, supposedly from Charter is really from them. So, I wouldn't click on any links in any e-mail from Charter or any "Company" even if you have dealt with them for quite a wile. Not after this Breach!:O Instead, just go to the Web Site by typing the URL (Web Address) into your Browser or using a search engine like Google.com to find the URL if you don't know it already. But, if you use search to find URL's, Remember that everything on the Internet (The Good, Bad and the Ugly) show up in search Results. Read the links and the Excerpts from the site before Clicking! And Of Course, don't answer any of these Suspicious E-mails that ask you for any of your Personal Information! Ever!!! All Companies that you deal with already have this info and would not ask you for it again in an e-mail. The reports I have read and the Videos I have seen, say that the Hackers Did Not get any Credit Card Information on us. So, as long as that is True, then the only thing we will have to watch out for is Spam and Phishing attempts to get our Credit Card and Personal Info for ID Theft Purposes. One thing that the Reports haven't mentioned is... That with the Names and E-Mail Addresses, these Spammers can now send e-mails with My and Your names from our Charter e-mail address (by Spoofing our real e-mail addresses with our names in the e-mail) to people, maybe our friends. They could either send out large quantity's of Spam, Spoofing yours and my E-mail address. Which end up getting to your friends and may trick them into clicking on the Links in these e-mails. Or they may even even be able to Hack our e-mail Address Lists or Address Books. Perhaps by infecting Computers through a Trojan in an E-mail or a Disguised Link that goes to a Drive by Virus on a Web Site, instead of the Site you see in the E-mail. Also, with all of the e-mail Forwards with our e-mail addresses floating around in Open Cyber Space. They could Sniff the Packets as they move around the Web and use Data Mining Apps to find our names and e-mail addresses together (Data Mining, you know like FaceBook does to tell you who you may know). Then turn and use all of the e-mail addresses and names in the FWD's to Trick our Friends into Clicking on Links (thinking they are from us). Which are actually going to Sites with Trojans and other Viruses. This could cause allot of People allot of Problems!:O So... Watch Out! Here are some links and more info on the Epsilon Breach...

Don

Here's a List of some of the Affected Companies...

Update, Apr. 5, 11:01 a.m. ET: Visa says it was not impacted by the Epsilon breach.

Update, Apr. 5, 3:42 p.m. ET: Added Bebe, Soccer.com, Eddie Bauer, 1800Flowers, among others. Removed American Express, which says it was not affected. It seems the confusion over Amex and Visa stemmed from cardholders getting notices through various rewards programs.

1800-Flowers
Abe Books
Air Miles CA
Ameriprise Financial
Barclays Bank of Delaware
Beachbody
Bebe Stores Inc.
Benefit Cosmetics
BestBuy
Brookstone
Capital One
Charter Communications (Charter.com)
Chase
Citibank
City Market
The College Board
Crucial.com
Dell Australia
Dillons
Disney Vacations
Eurosport/Soccer.com
Eddie Bauer
Food 4 Less
Fred Meyer
Fry’s
Hilton Honors
The Home Shopping Network
Jay C
JP Morgan Chase
King Soopers
Kroger
LL Bean
Marks & Spencer (UK)
Marriott Rewards
McKinsey Quarterly
Moneygram
M&T Bank
New York & Co.
QFC
Ralphs
Red Roof Inns Inc.
Ritz Carlton
Robert Half
Scottrade
Smith Brands
Target
TD Ameritrade
TIAA-CREF
TiVo
US Bank
Verizon
Viking River Cruises
Walgreens
World Financial Network National Bank

Go there...
http://krebsonsecurity.com/2011/04/epsilon-breach-raises-specter-of-spear-phishing/

BBB: Scammers using Epsilon data breach Video abc7chicago.com Video Link...
http://abclocal.go.com/wls/video?id=8056083

Here's the e-mail I received about it from Charter (if they really even sent it, that is)...
April 5, 2011

Dear Charter Customer,

Charter values the trust you put in us and wants to make you aware of a recent incident you may have already heard about.

Recently, Epsilon, an e-mail service provider for Charter and many other companies, let us know that limited information about some of our customers was accessed by an unauthorized individual through Epsilon’s system. This information included your name and email address, but did not include any other information you’ve provided to Charter. Your account and confidential information remains secure and no other information you’ve provided Charter was included in the breach.

We felt it was important to notify you of this incident as it relates to your account with us. Please note it is possible that you may receive SPAM e-mail messages. We want to urge you to remain cautious when opening links or attachments from unknown third parties. For additional information about how you can protect yourself online, please visit www.charter.com/security.

Charter takes your privacy very seriously. We are committed to the protection of your information, whether held by us or by our service providers. As such, Charter and Epsilon have begun a comprehensive review of their data security protocols to further protect your information and are working with law enforcement to catch the criminals responsible for this breach.

Thank you for being a valued Charter customer.

Sincerely,

Christin S. McMeley, Chief Privacy Officer - Charter Communications
Christin S. McMeley, Chief Privacy Officer
Charter Communications

Now, here's a very Suspisious Episilon Breach "Notification" that I received. Supposedly, from a Chase Bank who I don't deal with at all!:O

IMPORTANT INFORMATION

Chase has been informed by Epsilon, a vendor we use to send e-mails, that an unauthorized person outside Epsilon accessed files that included e-mail addresses of some Chase customers and former customers. We sent a team to Epsilon to investigate and we are fully confident that the information accessed included some e-mail addresses, but did not include names, or any account or financial information. Because you are a former Chase customer, your e-mail address was in our database and may have been one of those accessed.

We apologize if this causes you any inconvenience. We want to remind you that Chase will never ask for your personal information or login credentials in an e-mail. As always, be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam. It is not Chase's practice to request personal information by e-mail.

As a reminder, we recommend that you:

    * Don't give your Chase OnlineSM User ID or password in e-mail.

    * Don't respond to e-mails that require you to enter personal information directly into the e-mail.

    * Don't respond to e-mails threatening to close your account if you do not take the immediate action of providing personal information.

    * Don't reply to e-mails asking you to send personal information.

    * Don't use your e-mail address as a login ID or password.

If you receive an e-mail from us that looks suspicious, please visit our Security Center at chase.com and click on "Fraud Information" under the "How to Report Fraud". It provides additional information on exercising caution when reading e-mails that appear to be sent by Chase.


If you want to contact Chase, please do not reply to this message, but instead go to Chase Online. For faster service, please enroll or log in to your account. Replies to this message will not be read or responded to.

Your personal information is protected by advanced technology. For more detailed security information, view our Online Privacy Notice. To request in writing: Chase Privacy Operations, P.O. Box 659752, San Antonio, TX 78265-9752.

JPMorgan Chase Bank, N.A. Member FDIC
© 2011 JPMorgan Chase & Co.

Here's the actual link that the Chase.com and the Online Privacy Notice links in this E-mail goes to. Don't Go There!!! The sad thing is, that for years Web Sites have been ignoring their own Security Advice and using Site Links outside of their own Domains to track the responses to their e-mails to US. For example when they use the Epsilon e-mail Service to send e-mails to their Customers. If legit then the links will actually go to the Intended Site (ie Chase.com). But if sent by a Spammer or Phisher, then the link could go to a Drive by Virus Site. This makes link checking by just reading the link by hovering over it, basically ineffectual these days. Back in 1998, this was a good way to check links for validity (to a degree that is). Not any More!:O But still, a quick hovering of the Mouse Cursor over a link can help you at least get some Idea of where the link is going. If you already trust the e-mail as being legit that is.

Chase.com actually goes here.... Don't Go There!!!
http://notifications1.chase.com/265615987.3748.0.782

Online Privacy Notice link actually goes here... Don't Go There!!!
http://notifications1.chase.com/265615987.3748.0.309

I traced http://notifications1.chase.com/265615987.3748.0.782 with ZenMap. A Graphical App for Nmap a free and Open Source utility for Network Exploration and Security Auditing. But, got this Error...
Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-08 19:51 CDT
NSE: Loaded 36 scripts for scanning.
Invalid host expression: http://notifications1.chase.com/265615987.3748.0.782 -- colons only allowed in IPv6 addresses, and then you need the -6 switch
QUITTING!

So, I took out the "http://" ... I forgot you don't need this in Nmap. This is the Results on my Nmap Scam of notifications1.chase.com/265615987.3748.0.782

Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-08 20:10 CDT
NSE: Loaded 36 scripts for scanning.
Illegal netmask value, must be /0 - /32 . Assuming /32 (one host)
Initiating Parallel DNS resolution of 1 host. at 20:10
Completed Parallel DNS resolution of 1 host. at 20:10, 0.10s elapsed
Initiating SYN Stealth Scan at 20:10
Scanning notifications1.chase.com (159.53.53.20) [1000 ports]
Discovered open port 80/tcp on 159.53.53.20
Increasing send delay for 159.53.53.20 from 0 to 5 due to 11 out of 26 dropped probes since last increase.
Completed SYN Stealth Scan at 20:10, 20.28s elapsed (1000 total ports)
Initiating Service scan at 20:10
Scanning 1 service on notifications1.chase.com (159.53.53.20)
Completed Service scan at 20:10, 0.00s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against notifications1.chase.com (159.53.53.20)
WARNING: RST from 159.53.53.20 port 80 -- is this port really open?
WARNING: RST from 159.53.53.20 port 80 -- is this port really open?
WARNING: RST from 159.53.53.20 port 80 -- is this port really open?
WARNING: RST from 159.53.53.20 port 80 -- is this port really open?
WARNING: RST from 159.53.53.20 port 80 -- is this port really open?
WARNING: RST from 159.53.53.20 port 80 -- is this port really open?
Initiating Traceroute at 20:10
Completed Traceroute at 20:10, 0.02s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 20:10
Completed Parallel DNS resolution of 2 hosts. at 20:10, 11.07s elapsed
NSE: Script scanning 159.53.53.20.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 20:10
Completed NSE at 20:10, 5.38s elapsed
NSE: Script Scanning completed.
Nmap scan report for notifications1.chase.com (159.53.53.20)
Host is up (0.0030s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open http?
Device type: firewall
Running: ZyXEL ZyNOS 3.X
OS details: ZyXEL ZyWALL 2 or Prestige 660HW-61 ADSL router (ZyNOS 3.62)
Network Distance: 2 hops

TRACEROUTE (using port 443/tcp)
HOP RTT     ADDRESS
1   1.93 ms 192.168.0.1
2   7.59 ms 159.53.53.20

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.37 seconds
           Raw packets sent: 2069 (93.556KB) | Rcvd: 1022 (40.900KB)

Then I scanned just, notifications1.chase.com and got this...

Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-08 20:15 CDT
NSE: Loaded 36 scripts for scanning.
Initiating Ping Scan at 20:15
Scanning notifications1.chase.com (159.53.53.20) [8 ports]
Completed Ping Scan at 20:15, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:15
Completed Parallel DNS resolution of 1 host. at 20:15, 0.07s elapsed
Initiating SYN Stealth Scan at 20:15
Scanning notifications1.chase.com (159.53.53.20) [1000 ports]
Discovered open port 80/tcp on 159.53.53.20
Increasing send delay for 159.53.53.20 from 0 to 5 due to max_successful_tryno increase to 5
Increasing send delay for 159.53.53.20 from 5 to 10 due to max_successful_tryno increase to 6
Warning: 159.53.53.20 giving up on port because retransmission cap hit (6).
Completed SYN Stealth Scan at 20:16, 32.48s elapsed (1000 total ports)
Initiating Service scan at 20:16
Scanning 1 service on notifications1.chase.com (159.53.53.20)
Completed Service scan at 20:17, 72.87s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against notifications1.chase.com (159.53.53.20)
Retrying OS detection (try #2) against notifications1.chase.com (159.53.53.20)
Initiating Traceroute at 20:17
Completed Traceroute at 20:17, 6.05s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 20:17
Completed Parallel DNS resolution of 2 hosts. at 20:17, 0.08s elapsed
NSE: Script scanning 159.53.53.20.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 20:17
Completed NSE at 20:17, 5.52s elapsed
NSE: Script Scanning completed.
Nmap scan report for notifications1.chase.com (159.53.53.20)
Host is up (0.059s latency).
Not shown: 880 closed ports, 119 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open http?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port80-TCP:V=5.21%I=7%D=4/8%Time=4D9FB363%P=i386-redhat-linux-gnu%r(Get
SF:Request,7C,"HTTP/1\.1\x20301\x20Moved\x20Permanently\r\nLocation:\x20ht
SF:tp://www\.jpmchase\.com\r\nConnection:\x20close\r\nP3P:\x20CP=\"NOI\x20
SF:COR\x20ADMa\x20OUR\x20IND\x20UNI\"\r\n\r\n")%r(FourOhFourRequest,7C,"HT
SF:TP/1\.1\x20301\x20Moved\x20Permanently\r\nLocation:\x20http://www\.jpmc
SF:hase\.com\r\nConnection:\x20close\r\nP3P:\x20CP=\"NOI\x20COR\x20ADMa\x2
SF:0OUR\x20IND\x20UNI\"\r\n\r\n");
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
No OS matches for host
Uptime guess: 348.729 days (since Sun Apr 25 02:47:30 2010)
Network Distance: 15 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   1.94 ms 192.168.0.1
2   ... 14
15 76.44 ms 159.53.53.20

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.25 seconds
           Raw packets sent: 2145 (99.484KB) | Rcvd: 936 (38.072KB)

Is this a Sub Domain of Chase.com or a Rouge Site that is Dangerous. I can't tell. Can you? Some site Scans give more information, which helps you to see if they are Legit Sites that you can Trust. But others don't. So, the email I got Supposedly from Chase.com. Who I don't do business with, is still very Suspicions to me!

Don

April 5, 2011 4:00 AM PDT

Were you affected by Epsilon data breach?

by Erica Ogg

The list of customers affected by the Epsilon database breach continues to grow.

The breach, which took place last week but was announced over the weekend, compromised the e-mail addresses and some names belonging to the customers of many major U.S. companies that outsource their marketing and e-mail communications to Epsilon.

The company said Monday that 2 percent of the companies it counts as clients are affected by the security breach. There is no official list of affected companies that's available, and a company spokesperson said Epsilon cannot release the names of its clients. Epsilon is in the midst of conducting an investigation of what led to the security breach.

The list of Epsilon clients whose customer e-mail addresses were stolen is not complete, and is likely to grow. But so far Target, Kroger, TiVo, US Bank, JPMorgan Chase, Capital One, Citi, Home Shopping Network, Ameriprise Financial, LL Bean Visa Card, McKinsey & Company, Ritz-Carlton Rewards, Marriott Rewards, New York & Company, Brookstone, Walgreens, The College Board, Disney Destinations, and Best Buy have notified their own customers about the breach. Hilton Hotels and Ethan Allen are also said to be affected.

Here are some tips on what to do if you did receive an e-mail from one of the companies above or if you believe one of them does have your e-mail or name, and what could happen next.

How do you know if you're affected?

Read More and See Videos...
http://news.cnet.com/8301-31021_3-20050555-260.html