A mass spear phishing attack could await victims of the recently publicised data breach at discount online broker TD Ameritrade, IT security experts warned.
The US-based brokerage revealed on Friday that the names and contact details for 6.3 million customers was exposed when hackers infiltrated a database.
No Social Security numbers, account information or other sensitive information was hijacked in the attack, discovered by the company several weeks ago.
But the information taken could still be used to propagate identity theft, experts from Sophos said
"Hackers are now in possession of 6.3 million email addresses for people that they know are interested in trading shares," Graham Cluley, senior technology consultant for Sophos, said. "This knowledge alone could spur the creation of highly targeted spam emails, such as pump-and-dump scams.”
Carl Banzhof, vice president and chief technology evangelist at McAfee, said that the cyberthieves likely used SQL injection tactics to infiltrate the database, harvesting email addresses
"Once you have that information, you can craft an email message that looks very convincing to a customer and trick them into giving up more information," he said.
TD Ameritrade said it discovered the breach after customers told the company they had received spam offering unsolicited investment advice.
Company spokeswoman Kim Hillyer said that a small number of clients notified Ameritrade about the junk mail.
"Through the course of investigating that, a few weeks ago, we discovered unauthorized code on our system," she said.
This multi-stage attack is similar to the recent theft at Monster.com in which thieves stole the email credentials of some 1.3 million job seekers.
Ray said controls should have been in place to prevent the Ameritrade compromise
"One would assume that in this day and age of Sarbanes-Oxley and other regulations, [Ameritrade] would have human beings and physical hardware and software in place to detect this sort of thing," he said.