Email newsletter distribution service MailChimp has promised to act on the abuse of accounts to send (frequently) malware-tainted spam.
Security experts have been complaining with increasing frustration that the problem has been going on for months. MailChimp is widely used for sending newsletters, bulletins and in some cases invoices and order confirmations.
Tainted messages sent through the MailChimp network are a particular problem because they will pass authentication checks. In addition, email providers routinely whitelist MailChimp. Taken together this means that any dodgy messages sent through the service are much more likely to reach recipients' inboxes than might otherwise be the case.
Crooks are hacking into MailChimp’s network to send fake invoices and malware-tainted emails, as illustrated in a blog post by UK security blogger My Online Security. In one case, Red Bull Records' MailChimp account was breached, and the database abused to send Apple-themed phishing emails.
“It is unclear how spammers managed to gain access to MailChimp's systems; possibilities range from a vulnerable third-party plug-in that integrates into MailChimp, to a vulnerability in MailChimp itself, or customer credentials being stolen through a phishing attack,” said Martijn Grooten, editor of industry journal Virus Bulletin and sometime security researcher, in a blog post.
UK-based infosec guru Kevin Beaumont complains that the MailChimp network has been used to deliver the Gootkit banking malware for four months since December 2017.
"If @MailChimp can’t get Gootkit delivery under control by April, I’m going to advise businesses block all MailChimp email delivery, and provide instructions around how to do this in practice," Beaumont said in a Twitter update.
In response to queries from El Reg, MailChimp acknowledged the problem and said that unspecified security initiatives would address it. In the meantime, users should lock down their accounts by applying two-factor authentication, it advised.
"We are taking it very seriously that our platform is being used in this way. While we can’t comment on specific security initiatives, we can tell you that a team is working full time to investigate and address the issue as quickly as possible.
We are also working to educate impacted users around two-factor authentication and other account security measures. We expect to see an improvement soon."