Internet Security: What to Do If You’ve Been “Brandjacked” via MailChimp
DARRIN SALT
Over the last few weeks, SCA has seen a sharp rise in the number of phishing and other criminal emails sent out via MailChimp. The problem is not confined to our clients: publicly reported cases include brands such as the software company Zoho and the car insurance provider Bingle.
In every case the aim is to get an unsuspecting recipient to click on a seemingly authentic link, which will then:
- Take you to a compromised website
- Attempt to steal further information from you
- Install malware or adware on your computer or mobile device
The trusted relationship and its Achilles heel
MailChimp is one of the world’s leading and most trusted emailing and newsletter broadcast systems and is used by businesses worldwide to keep in touch with their customers and prospects.
It sends email campaigns on behalf of many thousands of customers, often timed for optimum delivery. Because so much legitimate mail originates from it, MailChimp's sending servers enjoy a good reputation with thousands of mail providers, and mail sent through them tends to land in the inbox rather than the spam folder. That is exactly why the current problem is so serious and widespread: a phishing campaign sent from a hijacked account inherits that trust.
Clearly, MailChimp will do what it can to stop criminals using its service, but the criminals are not opening accounts of their own. They are taking over accounts that legitimate businesses have already created and are actively using.
There are multiple victims here – the account holder who loses brand reputation and control of their MailChimp account but also the people who are the targets of the malicious emails.
How it works
Once they’ve hacked the MailChimp account, the cyber criminals will:
· Import lists of targets, i.e. potential victims, into the account.
· Compose an email campaign aimed at these targets. (The campaign may be based on an existing template you have, which is why the process is often called ‘brandjacking’).
· Send the campaign/email.
Unlike many of the phishing emails we have all seen, these messages tend to be well written and coherent, and they often use MailChimp's own features in the process. For example, they use the personalisation feature (merge tags) to put the recipient's real name in the salutation, and instead of attaching a file they host it on MailChimp's servers and link to it from the email, so that it looks like an attachment.
The emails do, however, bear some of the hallmarks of less sophisticated phishing: an odd sense of urgency, or a reference to a specific business transaction ("your order has shipped…", "your account is overdue…", "your statement is attached", "you have overpaid…") designed to worry you as the recipient and trick you into clicking the malicious link.
The email will be topped and tailed like any MailChimp email, so it will carry the 'trusted brand' at the top, seemingly genuine sender details, a business address and an unsubscribe link at the bottom. The unsubscribe link is in fact a genuine MailChimp unsubscribe link, but we do not recommend using it: clicking it tells the criminals that you have read their email, and they may then target you manually as a result.
In any case there is no need to unsubscribe, because once a 'criminal campaign' has gone out MailChimp will quickly lock the account and prevent any similar activity. Of course, this is a case of closing the stable door after the horse has bolted, and the criminals will simply move on to the next MailChimp account they have broken into.
How to protect your account
Most of the MailChimp accounts being compromised probably have passwords that were also used elsewhere. Once a password leaks from any one of those services, attackers try the same email address and password combination on every service imaginable, MailChimp included. This is known as credential stuffing, and it succeeds precisely because so many people use "the password I use everywhere".
As a first step - If your MailChimp password is not unique, change it to a unique, complex password. (Find out more about creating strong passwords here : https://sca-group.co.uk/internet-security-the-3-rules-for-creating-strong-passwords )
Next - Activate two-factor authentication (2FA). MailChimp has been supporting 2FA for a while but it’s not currently mandatory.
2FA works by using an authenticator app on your smartphone (I recommend Google Authenticator) to generate a short, frequently changing code, typically a six-digit number that changes every 30 seconds, which you enter in addition to your password when you log into your MailChimp account. A criminal who has only your password cannot log in without the current code. Traditionally these services were used mainly for online banking, but they are equally useful for any other online service.
MailChimp has two separate 2FA controls. The first protects your own login. The second lets an account owner require 2FA of everyone who has access to that account.
So if your MailChimp account is shared with other people (your marketing department or your assistant, for example), you can specify that the account, with all its lists and campaigns, can only be accessed by users who have 2FA enabled on their own logins.
I recommend turning on 2FA initially on your own account, enforcing it on any ‘non-shared’ accounts, then letting any co-workers, support staff or agencies know they will need 2FA on their accounts before you ‘enforce’ it across the board a week or so later. Be sure though not to do this last step too early or you’ll find various people suddenly unable to continue working for you as they had been.
Because MailChimp supports multiple users per account, I don't recommend letting an agency, assistant or marketer work in MailChimp with your own login details. Have them use their own MailChimp logins and grant those logins access to your account instead. That way you keep control (you can revoke one person's access without changing a shared password) and 2FA works as intended, because each person's second factor is tied to their own login.
If you are concerned about protecting your business online or have any questions, please feel free to connect with me or drop me a message here on LinkedIn.
For more information about protecting against cyber-attacks please read here: https://sca-group.co.uk/cyber-attacks-lessons-must-learned
Comment from an Intuitive Brand Strategist (6 years ago): Thanks for a useful and informative post with great tips to minimise the threat of hacking.
Comment from a print solutions provider (6 years ago): Very informative; I think I will be turning two-step verification on and changing my password on a regular basis. I often treat MailChimp as an old faithful and take it for granted that it is open to hacking. Thanks Darrin.