Warning issued about phishing campaigns involving legitimate email marketing platforms

A recent data breach at email marketing platform provider Mailchimp has triggered a warning from the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) about the risk of phishing attacks using the platform.
The breach came to light when cryptocurrency hardware wallet provider Trezor investigated a phishing campaign targeting its customers at the email addresses they had registered with Trezor. That investigation traced the source of those addresses to a data breach at Mailchimp.
Mailchimp’s investigation confirmed that the threat actors compromised internal accounts belonging to its customer support and account administration teams. Those accounts have since been secured, but before that happened the attackers used them to access the accounts of 300 Mailchimp users and exported audience (mailing list) data from 102 of them. The attackers also obtained API keys, which allow email campaigns to be created and sent through Mailchimp without ever logging into the customer portal.
Because subscribers often allow-list the accounts that Mailchimp customers use to send newsletters and other marketing campaigns, phishing emails sent from a compromised account are likely to be delivered straight to the inbox rather than to a spam folder. HC3 says it is aware of only one phishing campaign conducted using a compromised account, which targeted users in the cryptocurrency and finance industries, but there is a risk of similar campaigns targeting the health and public health (HPH) sector.
HC3 has recommended that organizations in the HPH sector take action to mitigate the threat. It says the best defense is user awareness training, because the phishing emails come from a legitimate and trusted sender rather than from an obviously suspicious one. Employees should be made aware of the threat and instructed to treat emails sent through Mailchimp with caution, even when the sender is one they recognize. Such campaigns may deliver malware as well as phishing links, so antivirus software should be deployed, network intrusion prevention systems are beneficial, and HC3 also suggests using web filters to restrict access to web content that is not necessary for business operations.
Anti-spoofing and other email authentication mechanisms are also recommended. These are SPF, which lets a receiving server check that the sending host is authorized to send mail for the envelope sender’s domain; DKIM, which verifies a cryptographic signature over the message headers and body to confirm integrity and identify the signing domain; and DMARC, which requires the SPF or DKIM domain to align with the visible From domain and tells receivers what to do with messages that fail. One caveat applies to this incident: mail sent from a compromised but otherwise legitimate Mailchimp account will typically pass all three checks, because it really is sent by an authorized provider and signed for the customer’s domain, so these controls protect against impersonation of your own domain rather than stopping this particular kind of campaign.
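The three checks above can be exercised offline by reading the verdicts a receiving mail server records in its Authentication-Results header and applying DMARC’s identifier-alignment rule to them. What follows is an added example written for this page, not code from the original article, from HC3 or from Mailchimp. All domains and header values (example.com, example-esp.net, lookalike.example.org, mx.recipient.example) are constructed for illustration, and the organizational-domain helper deliberately uses a last-two-labels shortcut instead of the Public Suffix List, which a real implementation needs.

```python
"""
DMARC-style alignment check over a receiver's Authentication-Results header.

Added example; not code from the original article, from HC3 or from Mailchimp.
All domains, hostnames and header values are constructed for illustration.
The script evaluates verdicts an upstream MTA has already recorded, so it
runs offline with no DNS lookups.
"""
import email
import re
from email.utils import parseaddr

# "method=result" followed by optional "key.sub=value" properties,
# e.g. "dkim=pass header.d=example.com".
AUTH_CLAUSE = re.compile(r"^(?P<method>[a-z]+)=(?P<result>[a-z]+)(?P<props>.*)$")
PROP = re.compile(r"([a-z]+\.[a-z]+)=([^\s;]+)")


def parse_auth_results(value):
    """Parse an Authentication-Results value into {method: [(result, props)]}."""
    clauses = [c.strip() for c in value.split(";")]
    results = {}
    for clause in clauses[1:]:  # clauses[0] is the authserv-id (the receiving host)
        m = AUTH_CLAUSE.match(clause)
        if not m:
            continue
        props = dict(PROP.findall(m.group("props")))
        results.setdefault(m.group("method"), []).append((m.group("result"), props))
    return results


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    Assumption: a real implementation consults the Public Suffix List
    so that names such as example.co.uk are handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode="relaxed"):
    """DMARC identifier alignment: strict requires an exact match,
    relaxed requires the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "strict":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(raw_message, mode="relaxed"):
    """Return SPF/DKIM alignment and the resulting DMARC verdict for a message."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    # SPF aligns on the envelope sender (smtp.mailfrom) domain.
    spf_aligned = any(
        result == "pass" and aligned(from_domain, props.get("smtp.mailfrom", ""), mode)
        for result, props in auth.get("spf", [])
    )
    # DKIM aligns on the signing domain (header.d).
    dkim_aligned = any(
        result == "pass" and aligned(from_domain, props.get("header.d", ""), mode)
        for result, props in auth.get("dkim", [])
    )
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,  # either aligned identifier suffices
    }


# Constructed sample 1: a campaign sent through a hypothetical email service
# provider (ESP) from a customer account, the situation in the Mailchimp
# incident. SPF passes for the ESP's bounce domain (not aligned with From),
# but DKIM is signed with the customer's own domain, so DMARC passes.
SAMPLE_VIA_ESP = """\
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bounce.example-esp.net; dkim=pass header.d=example.com
From: Example Newsletter <news@example.com>
To: staff@recipient.example
Subject: Urgent: verify your wallet

Please confirm your recovery phrase at the link below.
"""

# Constructed sample 2: a crude spoof of the same From address sent from
# infrastructure that authenticates only for an unrelated domain.
SAMPLE_SPOOFED = """\
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=lookalike.example.org; dkim=pass header.d=lookalike.example.org
From: Example Newsletter <news@example.com>
To: staff@recipient.example
Subject: Urgent: verify your wallet

Please confirm your recovery phrase at the link below.
"""

if __name__ == "__main__":
    for label, sample in (("via ESP", SAMPLE_VIA_ESP), ("spoofed", SAMPLE_SPOOFED)):
        print(label, evaluate_dmarc(sample))
```

Running the script shows the first sample passing DMARC and the second failing. The passing case is the important one for this incident: a message sent from a compromised customer account arrives through the provider's authorized infrastructure carrying the customer's DKIM signature, so SPF, DKIM and DMARC all succeed, which is why HC3 puts user awareness ahead of authentication controls for this threat.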