Intuit has warned its customers to be on the alert for identity theft scams, after a breach at a major marketing firm put millions of email addresses in hackers' hands.
Although the maker of the popular TurboTax tax preparation program and the Quicken personal financial software was not among the more than 50 companies whose customer data was stolen, it cautioned users nonetheless.
"Intuit is not an Epsilon customer so the information you have entrusted with Intuit is not affected," the company said in an alert published Tuesday on its site. "However, Epsilon serves many large organisations including banks, insurance companies and retailers [and] you may have received one or more notices from companies you do business with who are clients of Epsilon."
Epsilon Interactive acknowledged last week that attackers made off with customer email addresses and names, but has not shared much more than that. Others, including the IDG News Service, have confirmed that dozens of companies have notified their customers that their information may have been filched.
The popularity of tax-related cons may have prompted Intuit's move, said Ed Cohen, vice president of corporate development at SonicWALL, a network security company. It's certainly the right time of the year for tax scams.
"There's actually little correlation between the volume [of tax-oriented schemes] and April 15," said Cohen, talking about the traditional tax filing deadline in the US. "We actually see more of an uptick after the 15th, in the May or June time frame, with fake refund notifications."
In years past, criminals have pumped out messages about tax refunds to dupe people into divulging personal information, like their online bank account username and password, or their credit card numbers. Cohen expects the same this year.
"We'll find out more in the days and weeks ahead, but this does appear scary," said Cohen about the Epsilon breach. "[Criminals] not only have email addresses, but also names, which puts the advantage in the hands of scammers."
With both, scammers can craft more convincing emails that not only appear to come from the customer's bank or favorite retailer, but also identify the recipient by name. "The economics are such that they need only a very, very small percentage of people to fall for a phishing attack to make money," Cohen said.
And that's not hard: According to data from SonicWALL's online phishing quiz, people incorrectly identify fake and legitimate emails 22% of the time.
Another possibility is that hackers will combine the stolen Epsilon addresses with tax-refund lures to try to break into corporate networks. Other security experts, for example, have said that the Epsilon breach will produce a spike in targeted attacks, ones aimed at specific individuals, using the addresses and names to craft convincing messages that get recipients to open a malicious file attachment or click on a malware-infected link.
That's how hackers beat the defences of RSA Security.
"The [fake] messages from the IRS or a bank may not even have money as their direct objective," said Cohen. "In the RSA attack, what they really wanted was corporate access. The attackers got through because an employee 'unjunked' an email and opened an attachment, which planted malware."
A message claiming the recipient has a larger than expected refund coming would make a perfect vehicle for attacks on the RSA model, Cohen argued. "They're not always after bank info," he said. "These are smart guys. Whether it's tax-related or not, we'll be seeing the Epsilon email addresses being used."