Email marketing companies' web accounts sending out malicious spam

The breach of the Atlanta-based Silverpop Systems back in December 2010 has resulted in the compromise of (some confirmed, some not) corporate mailing lists of over 100 big companies, which were then used to organize phishing campaigns.

This particular example has shown how e-mail distribution companies present an ideal target for phishers and malware peddlers who want to increase the chance of their targets falling for the fake emails they send out.

Since then, there have been no high-profile breaches like the Silverpop one, but Websense warns that cyber crooks have continued to steadily use that particular approach for spamming out malicious emails.

According to the security company’s researchers, a number of email marketing organization web accounts have recently been compromised – either through phishing or brute force attacks – and have been used by the attackers to send out such emails.

Using an email sent from an email marketing company based in Argentina as an example, the researchers point out that it was definitely sent from the email marketing company's infrastructure.

This particular mail has been made to look like it was coming from one of the Argentinian company’s customers, and asks the targets to check the status of their (bogus) online order by following an embedded link.

Unfortunately, the link took them to a newly minted domain hosting a Trojan disguised as the order, and this particular piece of malware was – at the time when the spam emails were first spotted – detected by none of the AV solutions used by VirusTotal.

Just a day after these email messages were sent, the (same?) attacker compromised another account on the Argentinian company's website and registered a new domain from which to serve malware. The day after that, the attacker targeted an email marketing company based in Australia.

“Most email marketing web accounts require basic password authentication,” point out the researchers. “If an account is compromised, the attacker has access not only to an efficient email sending infrastructure and campaign editing tools, but also customer email details too. Even worse, most of the major email marketing companies also integrate with many online CRM services, giving the attacker the additional option to resell an organization’s information to its competitors.”

And while attacks like these allow cyber crooks to go about their business speedily and easily, one must not forget that there are other ways to make it seem that legitimate companies are sending out the offending emails: spoofing the sender’s email address.

And as it happens, the security company has quite recently spotted this particular approach being used to send out spammy emails purportedly coming from its own Websense Labs.

