Over the last few weeks we have been reporting on a malware campaign coming via the Mailchimp network. What makes this campaign much worse, and much more effective at getting victims to follow the links in the emails, is that because the emails come via Mailchimp they will ALWAYS pass all email authentication checks. Email authentication only tells the recipient whether the email comes from who it says it does. It does not check whether the content is spam or malware, or whether the sending service or person has been hacked or compromised.
A lot of mail providers actually whitelist Mailchimp by default, because it has become almost the default service for sending newsletters, information bulletins and, in many cases, company invoices and order confirmations. Mailchimp uses so many different sending email servers that it is almost impossible to keep up with them. The main ones we see frequently are *.rsgsv.net | *.mcsv.net | *.mcdlv.net
I, along with several other researchers, have not been able to pinpoint how the criminals abusing the Mailchimp network to send their malicious spam have been able to penetrate it. There are several theories, including a possible vulnerability in the Mailchimp plugin or API used on websites to let visitors sign up for newsletters etc. There was a publicly posted exploit for part of the Mailchimp plugin on Drupal recently. References: . Some of the Mailchimp accounts belonging to companies that have been used in this malware campaign might have been using Drupal on their websites. The majority of the “compromised” accounts I saw were using WordPress or other CMSs, and so far no-one has found any obvious exploits in the current or recent WordPress Mailchimp plugins.
That really leaves us with either a vulnerability in the Mailchimp system itself, where accounts can be accessed by unauthenticated users, or the users themselves having been compromised in a previous phishing or malware attack where their Mailchimp login credentials were stolen. We cannot confirm which.
Reports that I have received tell me that once the criminals have accessed the compromised account, they either delete the existing subscriber list and upload their own list of email addresses to send the malware to, or add the new list so that both sets receive the malware email.
This comment from a victim explains it: https://myonlinesecurity.co.uk/fake-sagepay-subscription-emails-via-mailchimp-mailing-list-systems-delivering-gootkit-banking-trojan/#comment-110233
My Mailchimp account got breached, no malware on any PC used to access the service, no login sharing, although Two-Factor wasn’t set up (it is since the breach). I knew of the breach because my main admin got a notification email from Mailchimp at 2AM saying a 250k subscriber list was successfully imported (my normal list is of about 6k), so the attackers just import their own list into the breached account and send it through there, and then just delete the sent campaign.
If these campaigns are being performed by accounts where the victim’s details are compromised by malware or phishing, then Mailchimp need to insist on 2FA by default. There is an option to use 2FA on all Mailchimp accounts, but it is not currently enforced.
2FA, or two-factor authentication, is a method where anybody logging in to an account has to also submit a verification code as well as a user name and password. The verification codes are sent to a mobile phone, landline, different email address or an already installed app on the user’s computer, and are time-limited, ONE TIME use verification codes.
If Mailchimp think that insisting on 2FA for all logins is too difficult or puts too much strain on users of its service, then it MUST now insist on 2FA for any account changes, uploads of subscribers or new mailing lists that are imported into the account. Allowing account access without 2FA to view stats, error messages etc. carries a lower risk, but is still risky.
The other option Mailchimp could take, if they are reluctant to force 2FA on all users, is to put in place a verification system along the lines of double opt-in for any account changes, and especially for uploads of subscriber databases or mailing lists: the user would have to respond to an email containing a one-time use link, and until that link is used and the changes confirmed, nothing happens. They already send a notification email telling the account holder or admin contact of the success or failure of a subscriber list update or import. I can’t see any good reason why they can’t hold the action until it is confirmed.
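The hold-until-confirmed scheme proposed above, written out as an added Python example (not Mailchimp’s code or any part of the original post): a subscriber-list upload is staged, the notification email carries a one-time link, and nothing is applied until that link is used; the oversized-upload case from the victim’s comment is flagged so the email can say so. The 24-hour validity, the 5× size threshold and all names are assumptions.

```python
import hashlib
import secrets
import time

# Constructed in-memory store of staged imports, keyed by the SHA-256 of the
# confirmation token so a leaked copy of this store does not yield usable links.
PENDING = {}
TOKEN_TTL = 24 * 3600      # assumption: confirmation link is valid for 24 hours
SIZE_RATIO_ALERT = 5       # assumption: flag uploads over 5x the existing list


def _key(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_import(account, addresses, current_list_size, now=None):
    """Stage a subscriber-list upload instead of applying it.

    Returns (token, suspicious). The token goes into the one-time link in the
    notification email; 'suspicious' lets that email warn about an unusually
    large upload (the 250k-onto-6k case from the victim's comment)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # unguessable, single use
    suspicious = len(addresses) > SIZE_RATIO_ALERT * max(current_list_size, 1)
    PENDING[_key(token)] = {
        "account": account,
        "addresses": list(addresses),
        "expires": now + TOKEN_TTL,
        "suspicious": suspicious,
    }
    return token, suspicious


def confirm_import(token, now=None):
    """Apply a staged upload only if its link is valid, unexpired and unused.

    Returns the address list to import, or None if nothing should happen.
    The entry is removed on any attempt, so a link can never be replayed."""
    now = time.time() if now is None else now
    entry = PENDING.pop(_key(token), None)
    if entry is None or now > entry["expires"]:
        return None
    return entry["addresses"]


def pending_count():
    """Number of uploads still waiting for confirmation (nothing sent yet)."""
    return len(PENDING)
```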
I strongly urge all companies using Mailchimp ( and similar message sending services) to make sure 2FA is enabled in their account.
There have just been far too many recent malware campaigns via the Mailchimp network for Mailchimp to bury their heads in the sand and say that they quickly “fix” the problem and block the sending of emails from the affected account until it is cleaned up.
@dvk01uk Thank you for the information. When we get this kind of report, we investigate right away and take action. You can also email [abuse at mailchimp dot com] directly anytime.
— MailChimp (@MailChimp) March 5, 2018
Screenshot of tweet in case the original disappears from Twitter
That might work, to a degree, in cases where the malware downloader has been hosted on the Mailchimp account, since blocking access to the account will prevent any further infections. However, in most of these campaigns the 1st stage of the malware download is hosted on a separate compromised server, not on Mailchimp.
By the time Mailchimp have received the report(s) it is too late: all the victims have already received the email with the links to the compromised servers, with the consequent high risk of becoming infected.
This blog post by an Italian security researcher from January 2018, when the malware campaign was targeted at Italian users, illustrates the problems very well.
Even if you, as a responsible site owner, have enabled double opt-in so that subscribers to your mailing lists have to respond to an initial confirmation email from the Mailchimp system, that only works for genuine subscribers. If, as has happened in these examples, somebody compromises the account (or you decide to run a mass one-off spam campaign), the bulk uploaded email addresses are not verified against the double opt-in system, so spam and malware can easily be spread. This appears to me to be a serious vulnerability in the Mailchimp system.
Update: After some discussion between several security researchers, including reports on various online news sites and many tweets and messages to Mailchimp, I received this reply (other researchers and news media also received something very similar):
Thank you for the message. We know it is a problem that our platform is being used in this way, and we are taking it very seriously. A team is working full-time to investigate and address the issue as quickly as possible; we expect to see an improvement soon.
— MailChimp (@MailChimp) March 14, 2018
Let’s hope they do get something fixed quickly.
These are some examples of the sort of emails received by victims. Some are more believable than others. Some of the links in the emails go to the Mailchimp network to download the 1st stage malware downloader, but some go to other compromised servers away from the Mailchimp network.
You will find the posts relating to these images with full details HERE