Fallout from Epsilon email breach?

Like many folks, I’ve gotten emails from many companies I do business with online letting me know that their email databases have been compromised by hackers. The breach took place at an email marketing company called Epsilon. Here’s one notification I received from Marriott:

April 4, 2011

Dear Marriott Customer,

We were recently notified by Epsilon, a marketing vendor used by Marriott International, Inc. to manage customer emails, that an unauthorized third party gained access to a number of Epsilon’s accounts including Marriott’s email list.

In all likelihood, this will not impact you. However, we recommend that you continue to be on the alert for spam emails requesting personal or sensitive information. Please understand and be assured that Marriott does not send emails requesting customers to verify personal information.

We take your privacy very seriously. Marriott has a long-standing commitment to protecting the privacy of the personal information that our guests entrust to us. We regret this has taken place and apologize for any inconvenience.

Please visit our FAQ to learn more.

Sincerely,

Marriott International, Inc.

I also received one from Hilton and saw an online notice on the Chase website. Most of these notices state that there has been no direct leak of account information, only email addresses. That may be true, but early this morning someone tried to close a Paypal account linked with my email address and then open a new one ten minutes later:

Return-Path: <service@paypal.com>
X-Original-To: [email removed]
Delivered-To: [email removed]
Received: from mx1.phx.paypal.com (mx1.phx.paypal.com [66.211.168.231])
by maestro.markturner.net (Postfix) with ESMTP id 33D30141BE
for [email removed]; Fri, 8 Apr 2011 00:38:19 -0400 (EDT)
DomainKey-Signature: s=dkim; d=paypal.com; c=nofws; q=dns;
h=Received:Date:Message-Id:Subject:X-MaxCode-Template:To:
From:X-Email-Type-Id:X-XPT-XSL-Name:Content-Type:
MIME-Version;
b=U+Fw5+OpyGZLwTMpPrw2OKgrdJgUvLYVOuNm5m74aMz4NXYoOG7irTzl
VnbUGXnbZG0UxbN6r677NQFzRe/Ohm7c9E26tGSBziqEtIWVq/PCc1InF
0pG1i7MqOBt4wCGDGEcr2gzepBh5QKSbcZOHlx7xoeaud/D2GpRal1Zas
M=;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=paypal.com; i=service@paypal.com; q=dns/txt; s=dkim;
t=1302237501; x=1333773501;
h=from:sender:reply-to:subject:date:message-id:to:cc:
mime-version:content-transfer-encoding:content-id:
content-description:resent-date:resent-from:resent-sender:
resent-to:resent-cc:resent-message-id:in-reply-to:
references:list-id:list-help:list-unsubscribe:
list-subscribe:list-post:list-owner:list-archive;
z=From:=20"service@paypal.com"=20
|Subject:=20Welcome=20to=20PayPal=20-=20Choose=20your=20w
ay=20to=20pay|Date:=20Thu,=2007=20Apr=202011=2021:38:20
=20-0700|Message-Id:=20<1302237500.27473@paypal.com>|To:
=20Xslon=20modem=20[email removed]|MIME-Version:
=201.0;
bh=M2OF4BNdiG249p6XRywBoD3lo5aT6t8vGYUhhAB5U4A=;
b=fJOu2mKgyP37RStz8vGyyl0060HCBqkiVH9R8GJURxMapgVpC3YPNh13
KyTvyZmyMjWg8aPotWzuAVywDp7Udrik4a95GAkgogpKiKNjPlGsxwrU1
DzfVLLqpAMCmdDUYoyDg8hX6o2OGcfY0xCr8iHU69TGHW9mItduKqyHLm
8=;
Received: (qmail 27473 invoked by uid 993); 8 Apr 2011 04:38:20 -0000
Date: Thu, 07 Apr 2011 21:38:20 -0700
Message-Id: <1302237500.27473@paypal.com>
Subject: Welcome to PayPal - Choose your way to pay
X-MaxCode-Template: email-nofundingsource
To: Xslon modem [email removed]
From: "service@paypal.com" <service@paypal.com>
X-Email-Type-Id: PP1478
X-XPT-XSL-Name:
email_pimp/default/en_US/customer/welcome/NoFundingSources.xsl
Content-Type: multipart/alternative;
boundary=--NextPart_048F8BC8A2197DE2036A
MIME-Version: 1.0

----NextPart_048F8BC8A2197DE2036A
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=windows-1252

Welcome to PayPal - Choose your way to pay

Welcome, Xslon modem

Thanks for joining PayPal.

Once you link your bank account or credit card, you=92ll speed through online checkout without exposing your financial information.

Link Now

Here’s what we have on file for you. Take a second to confirm we have your correct information.

EMAIL
[email removed]

CONFIRMATION CODE:
xxxx-xxxx-xxxx-xxxx-xxxx [removed]

ADDRESS

144 Royal Pointe Way
Mooresville, NC 28117
United States

Edit my information

(For your security, you will be taken to the PayPal homepage and be asked to log in.)

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click the Help link in the top right corner of any PayPal page.

I contacted Paypal this morning and was told to send the email to their “spoof@paypal.com” email address. I immediately got back a cheerful (and completely automated) reply that the email was a phishing attempt:

Hello Mark Turner,

Thanks for forwarding that suspicious-looking email. You’re right – it was a phishing attempt, and we’re working on stopping the fraud. By reporting the problem, you’ve made a difference!

Identity thieves try to trick you into revealing your password or other personal information through phishing emails and fake websites. To learn more about online safety, click “Security Center” on any PayPal webpage.

Every email counts. When you forward suspicious-looking emails to spoof@paypal.com, you help keep yourself and others safe from identity theft.

Your account security is very important to us, so we appreciate your extra effort.

Thanks,

PayPal

This email is sent to you by the contracting entity to your User
Agreement, either PayPal Inc., PayPal Pte. Ltd or PayPal (Europe) S.à r.l. & Cie, S.C.A. Société en Commandite par Actions, Registered Office:
5th Floor 22-24 Boulevard Royal L-2449, Luxembourg RCS Luxembourg B 118 349.

The problem is, I think Paypal is wrong. This email originated from a Paypal IP address: mx1.phx.paypal.com [66.211.168.231]. Indeed, my mailserver logs show a connection from that IP address:

Apr 8 00:38:19 maestro postfix/smtpd[14844]: connect from mx1.phx.paypal.com[66.211.168.231]
Apr 8 00:38:20 maestro postfix/smtpd[14844]: 33D30141BE: client=mx1.phx.paypal.com[66.211.168.231]
Apr 8 00:38:20 maestro postfix/cleanup[14850]: 33D30141BE: message-id=<1302237500.27473@paypal.com>
Apr 8 00:38:20 maestro postfix/qmgr[2559]: 33D30141BE: from=<service@paypal.com>, size=15519, nrcpt=1 (queue active)
Apr 8 00:38:20 maestro postfix/local[14851]: 33D30141BE: to=[email removed], relay=local, delay=0.8, delays=0.77/0.02/0/0.01, dsn=2.0.0, status=sent (delivered to command: exec /usr/bin/procmail)
Apr 8 00:38:20 maestro postfix/qmgr[2559]: 33D30141BE: removed
Apr 8 00:38:25 maestro postfix/smtpd[14844]: disconnect from mx1.phx.paypal.com[66.211.168.231]
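The check being done by hand here, matching the first-hop Received header against the mail server's own log for the same queue ID, is the part of a "was this really sent by them?" triage that does not depend on trusting anything inside the message. The script below is an added example, not code from the original post; it uses the header and log lines quoted above (addresses already redacted there) and assumes Postfix's default log format. It confirms only which host connected and handed over the message; it says nothing about whether the account signup itself was legitimate, and the DKIM signature would have to be verified separately against the DNS key published at the time.

```python
"""Correlate a message's first-hop Received header with the receiving MTA's
SMTP log to confirm which host actually delivered it.

Added example, not code from the original post. The header and log lines
are the ones quoted in the post; the parsing assumes Postfix's default log
format (queue ID, then "client=rdns[ip]", "message-id=<...>", "from=<...>").
"""
import re

# First-hop Received header, as written by the receiving MTA (from the post).
RECEIVED_HEADER = (
    "from mx1.phx.paypal.com (mx1.phx.paypal.com [66.211.168.231]) "
    "by maestro.markturner.net (Postfix) with ESMTP id 33D30141BE "
    "for [email removed]; Fri, 8 Apr 2011 00:38:19 -0400 (EDT)"
)

# Postfix log lines for the same delivery (from the post).
POSTFIX_LOG = """\
Apr 8 00:38:19 maestro postfix/smtpd[14844]: connect from mx1.phx.paypal.com[66.211.168.231]
Apr 8 00:38:20 maestro postfix/smtpd[14844]: 33D30141BE: client=mx1.phx.paypal.com[66.211.168.231]
Apr 8 00:38:20 maestro postfix/cleanup[14850]: 33D30141BE: message-id=<1302237500.27473@paypal.com>
Apr 8 00:38:20 maestro postfix/qmgr[2559]: 33D30141BE: from=<service@paypal.com>, size=15519, nrcpt=1 (queue active)
Apr 8 00:38:20 maestro postfix/local[14851]: 33D30141BE: to=[email removed], relay=local, delay=0.8, delays=0.77/0.02/0/0.01, dsn=2.0.0, status=sent (delivered to command: exec /usr/bin/procmail)
Apr 8 00:38:20 maestro postfix/qmgr[2559]: 33D30141BE: removed
Apr 8 00:38:25 maestro postfix/smtpd[14844]: disconnect from mx1.phx.paypal.com[66.211.168.231]
"""

# "from HELO (rdns [ip]) by us ... id QUEUEID" as Postfix writes it.
RECEIVED_RE = re.compile(
    r"from (?P<helo>\S+) \((?P<rdns>[^\s\[]+) \[(?P<ip>[0-9a-fA-F.:]+)\]\) "
    r"by (?P<by>\S+) .*?\bid (?P<queue_id>[0-9A-F]+)\b"
)
# Postfix only logs a hostname in client= when reverse and forward DNS agree;
# otherwise it logs "unknown", which is itself a useful signal.
CLIENT_RE = re.compile(r"(?P<queue_id>[0-9A-F]+): client=(?P<rdns>[^\[\s]+)\[(?P<ip>[^\]]+)\]")
MSGID_RE = re.compile(r"(?P<queue_id>[0-9A-F]+): message-id=<(?P<msgid>[^>]+)>")
FROM_RE = re.compile(r"(?P<queue_id>[0-9A-F]+): from=<(?P<sender>[^>]*)>")


def parse_received(header):
    """Extract HELO name, verified rDNS, client IP and queue ID from the header."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("unrecognised Received header")
    return m.groupdict()


def parse_postfix_log(log):
    """Group what Postfix logged about each queue ID."""
    entries = {}
    for line in log.splitlines():
        for rx in (CLIENT_RE, MSGID_RE, FROM_RE):
            m = rx.search(line)
            if m:
                fields = m.groupdict()
                qid = fields.pop("queue_id")
                entries.setdefault(qid, {}).update(fields)
    return entries


def correlate(header, log):
    """Report whether the MTA log agrees with the header about the sending host."""
    rcv = parse_received(header)
    logged = parse_postfix_log(log).get(rcv["queue_id"])
    if logged is None:
        return {"queue_id": rcv["queue_id"], "found_in_log": False}
    sender = logged.get("sender", "")
    sender_domain = sender.rpartition("@")[2]
    rdns = logged.get("rdns", "")
    return {
        "queue_id": rcv["queue_id"],
        "found_in_log": True,
        "client_ip": logged.get("ip"),
        "ip_matches_header": logged.get("ip") == rcv["ip"],
        "rdns_matches_helo": rdns == rcv["helo"],
        "envelope_sender": sender,
        # Heuristic alignment check: the verified rDNS sits under the sender's domain.
        "sender_domain_matches_client": bool(sender_domain)
        and rdns.endswith("." + sender_domain),
        "message_id": logged.get("msgid"),
    }


if __name__ == "__main__":
    for key, value in correlate(RECEIVED_HEADER, POSTFIX_LOG).items():
        print(f"{key}: {value}")
```

The queue ID is the pivot: it appears once in the header the MTA stamped on the message and in every log line for that delivery, so a forged Received header pasted into a message body by a sender would not line up with anything in the local log. A result where the IP and rDNS agree with the log establishes the connecting host; whether that host should have been sending this particular mail is a separate question.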

So it seems to me that someone obtained my email address and attempted to sign up a Paypal account with it. Fortunately, this person doesn’t have my credit card information to add to the account, nor has there been any suspicious activity with my accounts at this point (notwithstanding this suspicious new Paypal account).

What’s interesting is the address given to set up the account:

144 Royal Pointe Way
Mooresville, NC 28117

This home is royal, indeed. It assesses at close to a million bucks.

According to online campaign finance records, a Margaret Meade lives there.

Margaret Meade
bookkeeper
southern electric
Q3-2010
new
144 ROYAL POINTE WAY.
Mooresville, NC

Intelius reveals a little more information:

Margaret Ann Meade, age 62
Mooresville, NC

Related to
Kimberly M Shell
Judy J Meade
John F Meade
John Forest Meade

There’s a bit of info online about the Meade family.

I don’t know if the Meade family is responsible for this morning’s Paypal attempt. It’s possible that their street address was used without their knowledge just like my email address was used without my knowledge. I’ve opened up a case with the Raleigh Police Department and we’ll see what comes of it.