Lessons learned from the Mailchimp breach
In late March, the email marketing platform Mailchimp suffered a breach, exposing an unknown number of people to phishing attacks. The incident contains some valuable cybersecurity lessons for everyday users.
The Mailchimp data breach
The breach at Mailchimp was the result of a social engineering attack on company employees, according to tech news site BleepingComputer. The employees gave the hackers their account credentials. This allowed them to access an internal Mailchimp tool used by “customer-facing teams for customer support and account administration”.
The Mailchimp admin tool allowed the bad actors to view account data and export mailing lists from hundreds of customer accounts. They also stole the API keys for a number of accounts. In the wrong hands, an API key can be used to send spoofed emails that appear genuine.
What were the hackers after?
The bad guys targeted cryptocurrency and finance accounts. This suggests that they had a monetary goal. Given that Mailchimp is a platform for sending emails, the most likely avenue of attack for a financial scam would be phishing.
In terms of impact, Mailchimp has already confirmed that at least one “bad actor attempted to send a phishing campaign to a user’s contacts from the user’s account with information they obtained during the … attack”. In addition, Trezor, a manufacturer of cryptocurrency hardware wallets, confirmed that their users were affected by the breach. In a blog post, the company reported that some of their users received phishing emails with links to malicious software. If downloaded, the software would clean out the victim’s cryptocurrency wallet, transfering all of their funds to a wallet controlled by the attackers.
The Mailchimp breach was unfortunate, but it’s also a useful wake-up call. For one thing, it’s important to remember that any company can suffer a security breach. Huge tech companies like Twitter, vendors trusted by the government and military, and yes, even Apple have all suffered breaches in recent years.
A breach can result in phishing emails or scams that are extremely convincing. Here’s why: The security community warns people to be wary of emails that don’t originate from a known, trusted source. But in a case like this, the phishing email is coming from a trusted sender. It’s just that the sender is compromised.
Keep in mind, too, that breaches don’t just happen to companies. Hacker’s breach people’s personal accounts all the time. They use those compromised accounts to launch phishing attacks or perpetrate scams. A scammer can use a hacked social media account, for example, to send out “emergency” requests for money to unsuspecting friends and family members. There have been incidents in which hackers took over high-profile YouTube channels and used them to broadcast Bitcoin scams to subscribers.
In short, when you receive an email or message from someone, you can’t always be sure that the sender is who you think they are! That’s a disturbing thought, certainly, but there are a few basic steps you can take to keep safe:
Watch for weirdness
When you get an email or a message asking you to do something, stop and think about the request. Is it out of the ordinary: something you’ve never been asked to do by this sender? Or does it seem just a little, well, weird? If so, consider the possibility that the company or person in question may have been compromised.
Bottom line: If you’re not sure whether to click on a link, provide information, or download a file — don’t! Instead, reach out to the company or individual directly in another way and confirm that the communication is legitimate.
For example, if your bank sends you an email asking you to update something in your account area right away, dial the publicly listed customer service number and ask them if they sent the email. If your uncle sends you a Facebook message saying he’s having an emergency and needs you to wire him some money immediately, call him and ask him what’s going on.
Bad actors use compromised accounts to spread malware. It’s an excellent tactic, because when people trust the account sending them a piece of software, their guard is down. They download and run the malware without hesitation, even if they’re reasonably cyber-savvy and would never have trusted a random download link from a website.
For this reason, always practice good download safety — no matter who is sending you the software! Avoid iOS apps that aren’t in the App Store. On a Mac, try to download from the Mac App Store or directly from an app developer’s website. Use checksums to verify apps whenever possible.
Finally, if your computer warns you about something you’re trying to install or run, don’t ignore it! For example, Trezor, one of the companies affected by the Mailchimp breach, says that their hardware wallet’s OS would have known that the malware was from an unknown source, and warned any user who tried to install it. The only users who got infected were the ones who ignored that warning. Your Mac has a similar security feature: macOS can tell if there are code-signing issues with an app, and will tell you if the software can’t be verified. If you see that warning, don’t bypass it — it’s a sign that something isn’t right!
Phishing attacks often focus on stealing user login credentials. You can add a layer of protection to all of your accounts by using two-factor authentication (2FA).
When you use 2FA, you use your ordinary password to log in to your account, but you also need a second authentication factor to complete the login. Nowadays, this second factor is almost always going to be your mobile device. If a bad guy gets your password and tries to access your account, they’ll be prompted to enter an authentication code — a code that they won’t have, because it’s tied to the mobile device in your pocket.
There are various implementations of 2FA. SMS-based 2FA is definitely better than a password alone, and is probably the easiest to set up for most people. But there are some known vulnerabilities to this type of 2FA, which is why most security experts prefer to use app-based 2FA if possible.
In general, the best way to protect yourself from payment scams is to avoid sending people money in an insecure way. Gift cards, cryptocurrency, and money transfer services like Western Union are great in some cases. But when it comes to making a donation or paying for something online, they’re very risky. Why? Because if you get scammed, there’s no way to get your money back.
Credit cards are far better, since you can dispute a fraudulent charge and get your credit card company to reverse the payment. Digital options are even more secure, from online payment services like PayPal to e-wallets like Google Pay and Apple Pay.
Bottom line? If a payment method won’t let you get your money back from a scammer, don’t use it!