Yesterday, we posted an update to our report on the targeted ESP phishing attack that has been ongoing for almost a year now and has led to multiple known ESP system breaches. Our original post is here, and yesterday’s post is here. As of yesterday, we determined that Return Path was also targeted and victimized by the perpetrators, as were the ESPs. We promised to keep you up to date on our investigation – here is what we’ve learned over the past 24 hours.
First, we have identified the likely path that the perpetrators took to get into one of our systems. We immediately closed that path and rounded up all the data we have about the systems and IPs used by the criminals to enter our systems. It appears that one of our employees clicked on a phish email message, responded to an alert by our IT group about the phishing campaign, and was promptly disconnected from the network. The employee’s system was properly scrubbed, but in the short time between infection and scrubbing, the perpetrators of the phishing campaign had obtained a list of 13,000 email addresses registered in our system by our clients for system alerts. The list consists of employees at Email Service Providers as well as many email marketers at client companies, but as I mentioned yesterday, it does not include any consumer databases or other personal information, as Return Path doesn’t have that kind of data in our system. We have spoken with a security consulting firm who will be helping to ensure we have taken every possible measure to deal with this incident and any related issues. We will begin to work with them as quickly as we can. Summary of item 1: we were robbed, we have installed a new deadbolt on the door that was broken into, and we are working with the authorities to find the perpetrator.
Second, as noted above, this phishing campaign has been going on for several months now and has claimed several victims independent of Return Path’s data being stolen; however, we are acting as if any of the current phishing attempts on any of the names taken from Return Path are partially our responsibility. We recognize that the potential downstream effects here (e.g., a compromise of an ESP’s system) are more worrisome than the specific breach of our own system. In fact, the deployment of phishing campaigns using our list in the past 72 hours has been via at least two separate ESPs. Summary of item 2: we are working diligently and speedily to notify potential victims of the phishing attack and collaborate with them on both proactive and reactive measures to secure their own systems.
Third, while we are sending out more detailed and specific client and partner communication shortly, there are a couple of things worth sharing with the general readership of this blog. This is a copy of the text of one of the known phish messages (see our original blog post for a variation on this):
Hey Fred, it’s Michelle here, it has been a long time huh? how’re you doing? how’s your work with Return Path? Is everything ok there? Hey, can you believe it! I got married to Brian! Yes I did. I tried to call but you did not answer. You have changed your number, haven’t you? Just give me your current telephone number if you read this mail. It’s really a pity that we did not see you in our wedding. I wanted to invite you so much. Well, here I’m sending you a few pics taken in our wedding:
Let’s keep in touch then.
Love, Michelle & Brian
We have seen similar malware and phishing attempts coming from a few well-known online greeting card services, and other examples pretending to be from such services. The spam has also shifted to fraudulent emails for Adobe products.
If you see emails like these, you should immediately forward them to your IT staff and delete them from your system (and from your deleted folder). In general, of course, you should never click on any links in emails that aren’t clearly identifiable as being sent by people or organizations that you know and trust. Also, if you are in any way connected with the email industry, even if you are not a Return Path client, it’s worth doing a full anti-virus scan of your computer and changing all of your passwords to sensitive internal and external web sites. Unfortunately, the only way to guarantee that the viruses have been removed from a user’s computer is to wipe the drive clean. We have confirmed this with top anti-virus consultants. Anti-virus software removal facilities may not properly clean an infected computer. Summary of item 3: phishing attacks are very hard to prevent, and individual users need to be on high alert about them and do their part to shut them down.
As I said yesterday, we will keep the email ecosystem posted on material developments in this case. Although we are not the only company who has been successfully phished, we are both embarrassed by and apologetic for our role in this attack and are working diligently to protect our systems, our users, and our users’ downstream customers, from any further harm.