Using Mailchimp makes malware campaigns a little bit more successful

Posted by   Martijn Grooten on   Mar 6, 2018

Sending one email is easy. Sending thousands or millions of emails is hard: one effect of the anti-spam infrastructure we have collectively built is that the process of sending email scales very badly (even for those who only send legitimate messages). This is why companies tend to outsource their mail delivery operations to email service providers (ESPs) – these handle unsubscribe requests, bounces, and deal with the occasional but inevitable listing of the mail servers on DNS blacklists.

In the main, these ESPs manage to avoid having spammers as their customers, but occasionally spammers find a backdoor into an ESP's systems. Recently, one of the largest ESPs, Mailchimp, was found to have been used in this way: My Online Security wrote about it yesterday, while Libra Esva covered the subject in January.

It is unclear how spammers managed to gain access to Mailchimp's systems; possibilities range from a vulnerable third-party plug-in that integrates into Mailchimp, to a vulnerability in Mailchimp itself, or customer credentials being stolen through a phishing attack.

mailchimpspam.png

The latest campaign sent emails claiming to link either to an invoice or a fax. In theory, this makes an email harder to block than if an attachment had been present, as email security products scan attachments, but typically avoid inspecting links beyond the URL.

In practice, while some email security products in our test lab did indeed miss the emails, the majority correctly marked them as unwanted. And even in cases where users did receive and open the email, they would have had to download the attachment in order for the payload to be executed. When I tried to do so, the URL was blocked by Google Chrome, and when I managed to bypass that detection, the payload turned out to have been removed from the (compromised) website. Even if successfully downloaded, the malware still would have had to bypass an endpoint security product.

Pulling off a successful malware campaign is a lot harder than it may seem. This is why malicious spam campaigns – still one of the most common ways for malware to spread – rely on very large numbers to begin with. Being able to break one part of the 'kill chain', for example by using the servers of a legitimate mailer, does pay off, but most users would still be protected against the attacks.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

Programme for VB2019 Threat Intelligence Practitioners' Summit announced

In the mini-summit, which forms part of VB2019 (the 29th Virus Bulletin International Conference), eight sessions will focus on all aspects of threat intelligence collecting, using and sharing.

Guest blog: TotalAV uncovers the world’s first ransomware

In a guest blog post by VB2019 Silver partner TotalAV, Matthew Curd, the software’s Technical Expert, considers the changes in the cybersecurity landscape.

Guest blog: Targeted attacks with public tools

Over the last few years SE Labs has tested more than 50 different security products against over 5,000 targeted attacks. In this guest blog post Stefan Dumitrascu, Chief Technical Officer at SE Labs, looks at the different attack tools available, how…

VB2019 preview: Small Talks

We preview the five Small Talks on the VB2019 programme in which important topics are discussed in a less formal atmosphere.

VB2019 preview: Problem child: common patterns in malicious parent-child relationships

We preview the VB2019 paper by Endgame researcher Bobby Filar, who created a graph-based framework designed to detect malicious use of legitimate binaries through parent-child relationships.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.