Email marketing service MailChimp has security controls in place to ensure that its account holders do not use the service to send spam, yet this week malicious spam emails were broadcast from multiple accounts after a MailChimp account hack.
Customer accounts that were impacted included Business News Australia, Brisbane’s The Sit Down Comedy Club, and gardening and home services supplier Jim’s Group.
MailChimp accounts are sought after by spammers because subscribers to company newsletters are more likely to trust those emails than they would an email from an unknown sender. The hijacked accounts were used to send spam emails demanding that an invoice be settled. Hackers often target businesses with malicious emails that deliver malware. If malware such as a keylogger can be installed, the hackers can obtain access to corporate email accounts or gain network access. Corporate bank account details can be stolen and fraudulent transfers completed.
A fake invoice is a widely used ploy to trick email recipients into opening an infected email attachment or visiting a malicious link. The wording of the email often instills a sense of urgency to scare the recipient into opening the attachment. A threat of legal action if the outstanding invoice is not paid promptly is a typical tactic.
In this case, a number of different variants were sent. Some emails included an image with an embedded hyperlink which recipients could click to view the invoice. The cybercriminals also included the logo of accounting software QuickBooks for extra authenticity.
Other emails included an attached zip file which contained a malicious JavaScript file. If run, the JavaScript installed malware onto the email recipient’s computer.
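A mail-filtering check for the zip-with-JavaScript variant described above, as an added example that is not part of the original article: it opens zip attachments and reports script files inside them. The extension list, function names and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Script types Windows runs on double-click (assumed blocklist; tune per site).
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")

def script_members_in_zip_attachments(raw: bytes) -> list[tuple[str, str]]:
    """Return (attachment name, archive member) pairs for script files in zips."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        # Trust the content, not the declared file name or MIME type.
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            # Looks like a zip but cannot be listed: report it for review.
            hits.append((name, "(unreadable archive)"))
            continue
        hits += [(name, m) for m in members if m.lower().endswith(SCRIPT_EXTS)]
    return hits

def build_sample(member_name: str) -> bytes:
    """Constructed test message: an invoice-themed mail with one zip attached."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "// constructed placeholder, not real malware\n")
    msg = EmailMessage()
    msg["From"] = "newsletter@example.com"
    msg["To"] = "reader@example.org"
    msg["Subject"] = "Outstanding invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for member in ("Invoice_2231.js", "invoice.pdf"):
        print(member, "->", script_members_in_zip_attachments(build_sample(member)))
```

Because the check inspects archive contents, it applies equally to mail from a known newsletter sender, which is the trust the hijacked accounts relied on.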
At first, it appeared that MailChimp had suffered a security breach that resulted in hackers obtaining access to accounts. However, the company released a statement saying that an investigation of the incident did not indicate an internal breach.
MailChimp commented, “MailChimp’s normal compliance processes identified and disabled a small number of individual accounts sending fake invoices. We have investigated the situation and have found no evidence that MailChimp has been breached. The affected accounts have been disabled, and fraudulent activity has stopped.”
How the MailChimp account hack was carried out remains a mystery. The hackers may have been able to guess the passwords that were used to secure accounts or they could have obtained those passwords by using another method. The practice of reusing passwords on a number of different platforms could be to blame. If a breach of one platform happens, cybercriminals can obtain access to all other online services that use the same password.
In a recent news article, computer security blogger Graham Cluley said that some passwords were obtained by the password-stealing Trojan Vawtrak. Cluley was contacted by an anonymous source who said they were in possession of two thousand MailChimp login details which were recorded by Vawtrak.
Details of the MailChimp account hack are unlikely to be made available to the public, although the incident shows how important it is for companies to use two-factor authentication to safeguard their online accounts. The incident also shows how vital it is to exercise caution and to treat any email attachment or hyperlink as possibly malicious, even if the sender of the email is known.