I’m sure many of you are familiar with the targeted ESP phishing attack that 
has been ongoing for almost a year now and has led to multiple known ESP system 
breaches. Return Path was recently a victim of this same attack. So far, we 
have three blog posts on our client/marketer blog about this – you can read 
them here from November 24, November 25, and November 26. 

http://www.returnpath.net/blog/intheknow/2010/11/security-alert-phishing-attack-aimed-at-esps
http://www.returnpath.net/blog/intheknow/2010/11/security-alert-update-on-esp-phishing-attack
http://www.returnpath.net/blog/intheknow/2010/11/security-alert-phishing-attack-update


In short, a relatively small list of our clients’ email addresses was taken 
from us, meaning those addresses are now the targets of the phishing campaign 
that is intended to compromise those client systems.

To be sure, many of those addresses have been targets of this campaign and 
others like it for months prior to the attack on the Return Path system, since 
this campaign is specifically seeking out and attacking the email marketing and 
ESP community. But we are assuming, and behaving as if, any fresh campaigns are 
likely somehow linked to the data breach on our end.

Data was taken from us, and that security hole is now closed. However, some of 
our clients that are being attacked send mail from IP addresses that are 
Certified by Return Path. Since we jumped on this issue on the Wednesday before 
Thanksgiving, we have identified two sending system compromises of two of our 
clients. Our monitoring caught these compromises, and the compromised IPs have 
been removed from the Certified list.

As you might expect, investigating a data breach of this kind takes a 
tremendous amount of post-hoc forensic work, so it’s taken us a little while to 
get our arms around exactly what happened. That part isn’t particularly 
interesting. Here’s what those two compromises looked like, what we’ve done 
about them, what we’re doing to monitor more aggressively for future 
compromises, and what we’d like to ask of you.

[more]

http://www.returnpath.net/blog/received/2010/11/phishing-attack-an-open-letter-to-the-anti-spam-and-mailbox-operator-community/

--
Neil Schwartzman
Senior Director
Security Strategy, Receiver Services

Tel: (303) 999-3217
AIM: returnpathcanuk
http://www.returnpath.net/blog/received/

Help the poor help themselves. Fund a small business with micro-loans at  
http://www.kiva.org/team/returnpath
