Using Mailchimp makes malware campaigns a little bit more successful

Posted by   Martijn Grooten on   Mar 6, 2018

Sending one email is easy. Sending thousands or millions of emails is hard: one effect of the anti-spam infrastructure we have collectively built is that the process of sending email scales very badly (even for those who only send legitimate messages). This is why companies tend to outsource their mail delivery operations to email service providers (ESPs) – these handle unsubscribe requests, bounces, and deal with the occasional but inevitable listing of the mail servers on DNS blacklists.

In the main, these ESPs manage to avoid having spammers as their customers, but occasionally spammers find a backdoor into an ESP's systems. Recently, one of the largest ESPs, Mailchimp, was found to have been used in this way: My Online Security wrote about it yesterday, while Libra Esva covered the subject in January.

It is unclear how spammers managed to gain access to Mailchimp's systems; possibilities range from a vulnerable third-party plug-in that integrates into Mailchimp, to a vulnerability in Mailchimp itself, or customer credentials being stolen through a phishing attack.

mailchimpspam.png

The latest campaign sent emails claiming to link either to an invoice or a fax. In theory, this makes an email harder to block than if an attachment had been present, as email security products scan attachments, but typically avoid inspecting links beyond the URL.

In practice, while some email security products in our test lab did indeed miss the emails, the majority correctly marked them as unwanted. And even in cases where users did receive and open the email, they would have had to download the attachment in order for the payload to be executed. When I tried to do so, the URL was blocked by Google Chrome, and when I managed to bypass that detection, the payload turned out to have been removed from the (compromised) website. Even if successfully downloaded, the malware still would have had to bypass an endpoint security product.

Pulling off a successful malware campaign is a lot harder than it may seem. This is why malicious spam campaigns – still one of the most common ways for malware to spread – rely on very large numbers to begin with. Being able to break one part of the 'kill chain', for example by using the servers of a legitimate mailer, does pay off, but most users would still be protected against the attacks.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2018 paper: Office bugs on the rise

At VB2018 Sophos researcher Gábor Szappanos provided a detailed overview of Office exploit builders, and looked in particular at the widely exploited CVE-2017-0199. Today we publish his paper and release the video of his presentation.

VB2018 video: The Big Bang Theory by APT-C-23

Today, we release the video of the VB2018 presentation by Check Point researcher Aseel Kayal, who connected the various dots relating to campaigns by the APT-C-23 threat group.

VB2019 London - join us for the most international threat intelligence conference!

VB calls on organisations and individuals involved in threat intelligence from around the world to participate in next year's Virus Bulletin conference.

VB2018 paper: Tracking Mirai variants

Today, we publish the VB2018 paper by Qihoo 360 researchers Ya Liu and Hui Wang, on extracting data from variants of the Mirai botnet to classify and track variants.

VB2018 paper: Hide'n'Seek: an adaptive peer-to-peer IoT botnet

2018 has seen an increase in the variety of botnets living on the Internet of Things - such as Hide'N'Seek, which is notable for its use of peer-to-peer for command-and-control communication. Today, we publish the VB2018 paper by Bitdefender…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.