Hackers recently gained access to internal tools at leading email marketing platform Mailchimp, and made use of them in targeted phishing attacks on owners of crypto wallets.
The emails claimed to be associated with Trezor Suite, a provider of hardware crypto wallets, and attempted to trick end users into downloading malware under the guise of a security update. Mailchimp said that the breach originated with a social engineering attack and that some 319 of the firm’s customers had their accounts accessed by the hackers.
Phishing attacks attempted to access funds of Trezor Suite customers
The hackers apparently rifled through hundreds of Mailchimp accounts, but reserved most of their efforts for Trezor Suite. Formerly a web app called Trezor Wallet, Trezor Suite debuted in 2021 with a set of desktop-oriented tools designed to facilitate the movement of money and improve the security of crypto wallets.
The hackers had access to internal Mailchimp administrative and customer management tools that allowed them to send authentic-looking emails from customer accounts. Trezor customers on the mailing list reported receiving phishing emails claiming that Trezor had suffered a security breach and that customers would need to update to a new version of the hardware wallet and reset their PIN. Naturally, the linked file was malware attempting to gain access to their crypto wallets. As of April 3, Trezor had discontinued its newsletter until further notice, according to the company’s verified Twitter account.
While the Trezor crypto wallets seemed to be the attackers’ primary focus, they were not the only thing targeted in the breach. Mailchimp says the breach was first detected on March 26, and confirmed that employee login credentials were stolen in a successful social engineering attack on a third-party contractor. The attackers accessed 319 Mailchimp accounts in total, but did not engage in phishing attacks with all of them and in some cases may not have done anything at all. Mailchimp said that 109 accounts had “audience data” (such as mailing lists) siphoned by the hackers. An undisclosed number of customers also had their API keys stolen, but Mailchimp says that all of these have since been disabled. Mailchimp also says that some other phishing attacks separate from Trezor were detected, but would not disclose how many or who was involved.
Mailchimp recommended that customers enable two-factor authentication, but did not require it.
James McQuiggan, security awareness advocate at KnowBe4, notes that this is another recent case of a “downstream” attack in which the breach of one service provider leads to a compromise of hundreds to thousands of clients: “Similar to the FireEye and Solarwinds breaches in 2020, cybercriminals leveraged the services of one organization to gain access to dozens, if not hundreds of others. In this case, we are seeing cybercriminals leveraging a third-party tool to convince victims of an authorized email and work to gain access to sensitive information. Organizations will continue to struggle with social engineering attacks. It becomes crucial for users to spot a phishing or vishing attack and feel empowered to report it to the appropriate departments for resolution. Cybercriminals will continue to target organizations that support hundreds and thousands of their customers to leverage that service to gain access for a more significant gain.”
Crypto wallets prime point of interest for attackers
Trezor published a more detailed breakdown of the phishing attacks on its blog on April 4, demonstrating how the attackers crafted a realistic-looking copy of the Trezor Suite app that users were taken to after clicking on the link included in the phishing emails. Though Trezor deals in offline hardware crypto wallets, the goal was to get the end user to enter their “seed”: essentially a password of 12 to 24 words that allows remote access to the funds if the user should lose access to all their local copies of the wallet. The attackers were then able to immediately drain the account.
While the identities of other Mailchimp accounts that might have been compromised are being kept confidential, at least one other company has stepped forward to confirm it was attacked in this way. Decentraland, a Metaverse virtual world, said that its email list was stolen from Mailchimp and warned users to expect phishing attacks. Decentraland deals in NFTs tied to virtual property in its virtual worlds that users can visit in the Metaverse, and takes payments in Ethereum, meaning that connected crypto wallets could be in danger.
Though access to Mailchimp allows an attacker to add a strong layer of legitimacy to their emails, the defense is no different from that against other phishing attacks: awareness and secondary verification. The fraudulent Trezor Suite emails contained several warning signs, including being written in a somewhat unusual way and having a suspicious shortened link URL pointing to the alleged Trezor app. Customers who receive an unexpected email asking them to take any action that could lead to account compromise should find a way to verify with the source before clicking on any links or responding with any information, especially when crypto wallets containing significant amounts of funds are on the line.
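The two warning signs named above, a shortened link URL and a link that does not point at the vendor’s own domain, are easy to check mechanically before anyone clicks. The following script is an added illustration written for this article; it is not code from Mailchimp, Trezor or the researchers quoted here. It parses the anchors out of an HTML email body, flags known URL-shortener hosts, flags links whose domain is not the legitimate sender’s, and flags the classic mismatch where the visible link text shows one domain while the href points at another. The sample email and the vendor domain `wallet-vendor.example` are constructed placeholders and are not the real vendor’s.

```python
"""Flag phishing warning signs in the links of an HTML email.

Added example for the Mailchimp/Trezor incident; not the vendor's or the
article's code. The sample email body and LEGIT_DOMAIN are constructed
placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed legitimate sender domain (placeholder, not the real vendor's).
LEGIT_DOMAIN = "wallet-vendor.example"

# Common URL-shortener hosts. A vendor's own "security update" email has no
# reason to route readers through one, so their presence is a warning sign.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}

# Constructed sample body modelled on the warning signs described in the text:
# a shortened link whose visible text impersonates the vendor, a genuine
# vendor link, and a look-alike domain.
SAMPLE_EMAIL = """\
<html><body>
<p>We detected a security incident. Please install the update immediately.</p>
<p><a href="https://bit.ly/xyz123">https://wallet-vendor.example/update</a></p>
<p><a href="https://wallet-vendor.example/blog">Read the blog</a></p>
<p><a href="https://wallet-vendor-support.example/reset">Reset your PIN</a></p>
</body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Crude 'last two labels' domain comparison; fine for the demo, not a
    public-suffix-list lookup (would mis-handle e.g. example.co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_links(html, legit_domain=LEGIT_DOMAIN):
    """Return a list of (href, reason) findings for suspicious links."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if host in SHORTENER_HOSTS:
            findings.append((href, "url shortener"))
        elif _registrable(host) != legit_domain:
            findings.append((href, "off-domain link"))
        # Visible text that looks like a URL but resolves elsewhere is the
        # classic display/href mismatch used to lend an email legitimacy.
        if text.startswith(("http://", "https://")):
            shown = urlparse(text).hostname or ""
            if shown and _registrable(shown) != _registrable(host):
                findings.append((href, f"link text shows {shown} but points to {host}"))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```

Run stand-alone it reports three findings on the constructed sample: the shortened link, the same link’s text/href mismatch, and the look-alike domain; the genuine vendor link passes. The domain comparison is deliberately simple; a production filter would use a public-suffix list and would also check the sending domain’s SPF/DKIM result, which a compromised Mailchimp account would pass, which is exactly why the link-level checks still matter.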
Mailchimp has some prior history of security issues. In 2016, the company was hacked and customer accounts were used to send out spam emails; this happened again in 2018, with Apple and Red Bull among the big names that were spoofed to send fraudulent emails to clients. Cybersecurity experts are anticipating an immediate uptick in phishing attacks as the mailing list information that was stolen from the company is either put to use by the attackers or is circulated on the dark web.
Jack Chapman, VP of Threat Intelligence for Egress, reflects on the necessary response to this attack: “We would urge all users of Mailchimp and Trezor to ensure that they’re using two-factor authentication to secure their accounts, and to be vigilant for follow-up phishing attacks, as we don’t know who may have access to their data. This attack, like the recent attacks on Globant, Samsung and Nvidia, should also stand as a warning to other organizations, particularly those who, like Mailchimp, process vast amounts of user data. It’s crucial that security teams take targeted steps to prevent attackers gaining entry via social engineering – they must go beyond security awareness training and tick-box exercises, implementing technology to act as a safeguard so that their people can carry out their roles without fear of falling for an attack.”