Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Attackers taking advantage of Epsilon

View all posts > 

Attackers taking advantage of Epsilon

Posted: 14 Apr 2011 10:56 PM | Chris Astacio | 1 comment(s)

We blogged about the Epsilon data breach to give our customers a heads-up on the situation.  Recently, our ThreatSeeker® Network discovered a Web attack that takes advantage of the unfortunate news.  As with anything our ThreatSeeker Network discovers, Websense customers are protected by ACE, our Advanced Classification Engine.


The attack is hosted on a Web page that has a very professional look and feel, and uses convincing social engineering techniques to lure victims.  The attack page is basically a cut-and-paste copy of the HTML code from the original Epsilon press release. This provides the professional appearance of the Epsilon site to lure victims. The big difference is that the attack page provides a malicious binary download.


Screenshot of the Epsilon attack page:


Screenshot of the attack page source code:


The attack page tries to get visitors to download the malicious binary by convincing them that there was an update to the press release dated April 8th.  The "update" states that Epsilon's investigation into the data leak has revealed that personally identifiable information was lost in the attack. The fake update goes on to state that people can check to see if their personal information was lost by downloading and installing an "Epsilon Secure Connect Tool."  The downloaded file is called EpsilonSecureConnect.exe and has little detection as a Trojan dropper.


Aaron Hotchner said on Monday, April 18, 2011 7:32 AM

Please don't obfuscate the bad URLs.  Bad guys already know them - good guys don't.  It's an image, so there's no risk of someone accidentally clicking on it.  Thanks.

Leave a Comment


Email address: (required)