Let me start with some full disclosure: I pay MailChimp a decent wedge of cash each month to send out newsletters to readers of my personal blog, and I’m quite a fan.
Sending email to a large number of people reliably can be fraught with problems, and I would rather spend my time creating useful or interesting articles than trying to work out why my mail server is suddenly being blacklisted, or becoming entangled in the crazy cobweb of differences in how email clients handle even the simplest HTML.
And, perhaps, most importantly of all – I want to be sure that I don’t endanger the privacy of those people who have signed up for my mailing list by having their details spill into the hands of spammers.
MailChimp is one the world’s leading firms when it comes to email marketing and newsletter delivery.
They do a good job, and their sponsorship of popular podcasts, and use of Freddie the chimpanzee mascot (his full name is apparently Frederick Von Chimpenheimer IV) has helped them to grow an impressive brand.
But you can probably imagine that alarm bells rang when I read a story on Motherboard saying that hackers had broken into business’s MailChimp accounts, and sent out emails to subscribers containing malicious links.
The emails bore the disguise of a QuickBooks invoice, and were sent to various mailing lists including subscribers of the Sit Down Comedy Club in Brisbane, Australia:
According to Motherboard, the Sit Down Comedy Club has an auto-responder on its email account, telling anyone who received the malicious email entitled “Inoice 00317” to delete it immediately:
“IF YOU RECEIVE AN EMAIL WITH THE TITLE – Inoice 00317 from Sit Down Comedy Club Pty Ltd – PLEASE DELETE the email you received, we do not use Quickbooks. It is SPAM and do not open it.”
The fact that the comedy club went to the effort of setting up an auto-response suggests that they must have received a lot of emails from folks wondering why on earth they had received an invoice from them.
Another corporate victim of the hackers was the Business News Australia website, which sent out a follow-up email to its mailing list telling subscribers to delete the malicious email. Australian security blogger Troy Hunt received the email, and in a tweet pointed a finger of suspicion at poor password security.
So, as a MailChimp customer, should I be panicking that my own account may have been compromised by hackers and might at any moment be hijacked to send out malicious invoices?
I don’t think so.
You see, I think Troy is right. This is unlikely to be a security breach at MailChimp itself. I believe that what is more likely to have occurred is that individual accounts at MailChimp were broken into through the simple means of criminals either successfully phishing for credentials, or a perennial problem like password reuse.
My hunch is that the affected MailChimp users had not adopted the additional protection of enabling two-factor authentication on their accounts.
Multi-factor authentication means that even if your password is stolen by a hacker, they should find it an uphill struggle to break into your account because they don’t have access to the (ever-changing) passcode generated by your authenticator app.
Sure enough, in a statement to Motherboard, MailChimp confirmed that it was not suffering a system-wide breach, but that instead individual accounts had been accessed by unauthorised parties in order to spam out the malicious messages:
Early this morning MailChimp’s normal compliance processes identified and disabled a small number of individual accounts sending fake invoices. We have investigated the situation and have found no evidence that MailChimp has been breached. The affected accounts have been disabled, and fraudulent activity has stopped.
There really is no excuse for not enabling two-factor authentication whenever a site makes it available to you, and that’s particularly true in MailChimp’s case because they actually offer a 10% discount for customers who have chosen to secure their accounts more tightly.
A cynic might argue that offering a 10% discount for customers who use two-factor authentication is just a different way of saying that MailChimp charges 10% more for people who don’t enable two-factor authentication. And I guess that they would be right.
But it’s good marketing, isn’t it?
by Graham Cluley, ESET We Live Security