Mailchimp: Crook stole cryptocurrency clients' mailing-list subscriber info

Staff socially engineered into handing over internal system credentials


Mailchimp has confirmed a miscreant gained access to one of its internal tools and used it to steal data belonging to 100-plus high-value customers.

The clients were all in cryptocurrency and finance-related industries, according to Mailchimp. "Our findings show that this was a targeted incident," the mailing-list giant's CISO Siobhan Smyth said in a statement to The Register on Monday.

Rumors of the intrusion surfaced on Twitter over the weekend: on Sunday, hardware cryptocurrency wallet maker Trezor, whose website is trezor.io, warned someone was sending out emails from noreply[at]trezor[dot]us containing a link to malware designed to harvest wallet owners' information.

Less than an hour later, Trezor said it managed to get the domain names associated with the scam disabled, and that MailChimp said its service had been "compromised by an insider targeting crypto companies."

According to Trezor, a fraudster emailed its mailing-list subscribers claiming there had been a security breach, and that a new version of Trezor's software had to be downloaded and run. The message linked to what was said to be the latest Trezor Suite application, but the executable was in fact bogus, and instead sought to obtain a victim's recovery seed for their wallet and possibly other information.

Presumably, someone compromised Mailchimp to extract the email addresses of everyone who had signed up to Trezor's Mailchimp-managed mailing list, and then spammed out the phishing mail to those addresses. We're told the fraudster accessed some 319 Mailchimp accounts, and exfiltrated "audience data" from 102 of them.
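A defender-side check for the lookalike-domain pattern described above (trezor.us standing in for trezor.io), as an added example that is not from the article, Mailchimp or Trezor. It assumes a small allowlist mapping a brand name to its one legitimate sending domain, and runs over two constructed sample messages.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample messages modelled on the incident: a legitimate
# newsletter from trezor.io and a phish sent from the lookalike trezor.us.
LEGIT = """From: Trezor <noreply@trezor.io>
Subject: Trezor Suite release notes

Read the release notes at https://trezor.io/blog/suite-release
"""

PHISH = """From: Trezor <noreply@trezor.us>
Subject: Security incident, please update Trezor Suite

Download the new version now: https://suite.trezor.us/download/TrezorSuite.exe
"""

# Assumption for this example: each brand sends only from one domain.
TRUSTED_SENDERS = {"trezor": "trezor.io"}

def registrable(domain):
    """Split a host into (brand label, TLD): suite.trezor.us -> ('trezor', 'us')."""
    parts = domain.lower().strip().split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")

def sender_domain(msg):
    """Domain part of the From address, with or without a display name."""
    header = msg["From"] or ""
    m = re.search(r"<([^>]+)>", header)
    addr = m.group(1) if m else header
    return addr.rsplit("@", 1)[-1]

def link_domains(body):
    """Hostnames of every http(s) URL in the message body."""
    return [urlparse(u).hostname for u in re.findall(r'https?://[^\s<>"]+', body)]

def assess(raw):
    """Flag sender or link domains that reuse a trusted brand's label under another TLD."""
    msg = message_from_string(raw)
    findings = []
    for dom in [sender_domain(msg)] + link_domains(msg.get_payload()):
        label, _ = registrable(dom)
        trusted = TRUSTED_SENDERS.get(label)
        if trusted and not (dom == trusted or dom.endswith("." + trusted)):
            findings.append(f"lookalike {dom} (expected {trusted})")
    return findings
```

A clean message returns an empty list; the phish is flagged twice, once for the sender domain and once for the download link.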

According to Smyth, Mailchimp's security engineers became aware of the break-in on March 26 after a cybercriminal gained access to a tool that the Mailchimp customer-facing teams use for customer support and account administration.

"The incident was propagated by an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised," she explained. In other words, someone outside gained control of a worker's internal system account and used that to get at Mailchimp account data and subscribers' contact info.

The email-slinging company terminated access to the compromised employee account, and "took steps to prevent additional employees from being affected," Smyth added.

The company began an investigation into what happened, and also hired digital forensic experts for help. And during the course of that probe, Mailchimp determined that some accounts' API keys were potentially accessed by the intruder. These API keys could be used by an attacker to launch more phishing campaigns against Mailchimp mailing list subscribers.

"Out of an abundance of caution, we disabled those API keys, implemented protections so they can't be re-enabled, and notified affected users," Smyth said. 

In addition to saying that Mailchimp notifies account owners of any unauthorized account access as soon as possible, Smyth recommended netizens adopt two-factor authentication to keep their online accounts secure.

"We sincerely apologize to our users for this incident and realize that it brings inconvenience and raises questions for our users and their customers," she added. "We're confident in the security measures and robust processes we have in place to protect our users' data and prevent future incidents."

Mailchimp is just the latest big firm to experience a computer security breach in recent months. It now joins the ranks of software consultancy Globant, mattress vendor Emma Sleep Company, and identity services provider Okta, among others. ®

