Epsilon fixing up hidden email spoofing weakness

Fix for extended domain use leaves email marketer’s clients open to spam abuse.

Epsilon Interactive, the US online marketing company whose data breach last year sparked an investigation into Dell Australia, has been caught out by a flawed fix for weak cryptographic keys that are used to verify the authenticity of emails it sends on behalf of clients.

Epsilon’s problem, which leaves its clients open to fraudsters using its domain name for spam, stems from an attempt back in 2011 at implementing longer cryptographic keys in the email signing protocol DomainKeys Identified Mail (DKIM), according to a report from <i>Wired</i>.

The DKIM protocol was developed in 2004 to combat spammers that fraudulently use popular domain names to phish victims. The DKIM standard recommends a minimum of 1024-bit keys and is meant to verify, via domain name service (DNS) records, that an email comes the organisation it is said to. The protocol can be used to extend that authority to a third-party that sends email on behalf of the DNS occupant.

DKIM hit headlines last week after Google, Microsoft and Yahoo moved to meet the minimum 1024-bit length for DKIM deployments in their respective email systems to remove the risk of their domains being used for spam.

In Google’s case it was reportedly using a 512-bit key -- small enough to allow security researcher and mathematician Zach Harris to “factor” it within a few days and spoof an email from Google co-founder, Sergey Brin.

Epsilon is currently fixing a similar problem, which is actually a hangover from one it thought it had fixed last year.

A few months after Epsilon’s unrelated 2011 data breach, the company was told by US CERT that it was using a 384-bit key in its DKIM implementation -- a key length that Harris told <i>Wired</i> he could factor in 24 hours using his laptop.

Upon receiving the alert from US CERT, Epsilon had re-issued 1024 bit keys for its clients’ emails, but failed to remove the older 384-bit key from its DNS records, which meant that Epsilon’s clients still had the weak key in their subdomains, leaving their online brand exposed to spoofing.

A spokesperson for Epsilon denied to Wired the failure to remove the key was “negligence”, adding that it did not know that the vulnerability would remain if the old key was still there.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Tags emailEpsilon

Show Comments