Using Mailchimp makes malware campaigns a little bit more successful

Posted by   Martijn Grooten on   Mar 6, 2018

Sending one email is easy. Sending thousands or millions of emails is hard: one effect of the anti-spam infrastructure we have collectively built is that the process of sending email scales very badly (even for those who only send legitimate messages). This is why companies tend to outsource their mail delivery operations to email service providers (ESPs) – these handle unsubscribe requests, bounces, and deal with the occasional but inevitable listing of the mail servers on DNS blacklists.

In the main, these ESPs manage to avoid having spammers as their customers, but occasionally spammers find a backdoor into an ESP's systems. Recently, one of the largest ESPs, Mailchimp, was found to have been used in this way: My Online Security wrote about it yesterday, while Libra Esva covered the subject in January.

It is unclear how spammers managed to gain access to Mailchimp's systems; possibilities range from a vulnerable third-party plug-in that integrates into Mailchimp, to a vulnerability in Mailchimp itself, or customer credentials being stolen through a phishing attack.

mailchimpspam.png

The latest campaign sent emails claiming to link either to an invoice or a fax. In theory, this makes an email harder to block than if an attachment had been present, as email security products scan attachments, but typically avoid inspecting links beyond the URL.

In practice, while some email security products in our test lab did indeed miss the emails, the majority correctly marked them as unwanted. And even in cases where users did receive and open the email, they would have had to download the attachment in order for the payload to be executed. When I tried to do so, the URL was blocked by Google Chrome, and when I managed to bypass that detection, the payload turned out to have been removed from the (compromised) website. Even if successfully downloaded, the malware still would have had to bypass an endpoint security product.

Pulling off a successful malware campaign is a lot harder than it may seem. This is why malicious spam campaigns – still one of the most common ways for malware to spread – rely on very large numbers to begin with. Being able to break one part of the 'kill chain', for example by using the servers of a legitimate mailer, does pay off, but most users would still be protected against the attacks.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

New paper: Behind the scenes of GandCrab's operation

The GandCrab ransomware regularly updated itself to newer versions to stay ahead of decryptors released by security researchers, and regularly included taunts, jokes and references to security organizations in its code. In a new paper, the AhnLab…

VB2019 paper: King of the hill: nation-state counterintelligence for victim deconfliction

At VB2019 Juan Andres Guerrero-Saade looked at nation-state actors using threat intelligence for victim deconfliction. Today we publish both his paper and the recording of his presentation.

The VB2020 call for papers - how it works

With the VB2020 Call for Papers now open, we explain how the selection procedure works, which may help you during your abstract submission.

VB2019 presentation: Targeted attacks through ISPs

In 2019 we saw a rise in the number of targeted malware infections spread via ISPs and service providers. In a last-minute paper presented at VB2019 in London, Kaspersky researcher Denis Legezo discussed the details of a number of such cases. Today…

VB2019 presentation: A deep dive into iPhone exploit chains

In a last-minute presentation at VB2019 in London, John Bambenek of the University of Illinois at Urbana-Champaign discussed details of campaigns that used advanced iOS and Android exploit chains against China’s Uighur minority. Today we release the…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.