Troy Hunt: A Sneaky Phish Just Grabbed my Mailchimp Mailing List
You know when you're really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That's me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing list for this blog. I'm deliberately keeping this post very succinct to ensure the message goes out to my impacted subscribers ASAP, then I'll update the post with more details. But as a quick summary, I woke up in London this morning to the following:

I went to the link, which is on mailchimp-sso.com, and entered my credentials which, crucially, did not autocomplete from 1Password. I then entered the OTP and the page hung. Moments later, the penny dropped and I logged onto the official website, which Mailchimp confirmed via a notification email which showed my London IP address.

I immediately changed my password, but not before I got an alert about my mailing list being exported from an IP address in New York.

And moments after that, the login alert from the same IP.

This was obviously highly automated and designed to immediately export the list before the victim could take preventative measures.

There are approximately 16k records in that export containing info Mailchimp automatically collects, and they appear as follows:

Every active subscriber on my list will shortly receive an email notification by virtue of this blog post going out. Unfortunately, the export also includes people who've unsubscribed (why does Mailchimp keep these?), so I'll need to work out how to handle those ones separately. I've been in touch with Mailchimp but don't have a reply yet; I'll update this post with more info when I have it.

I'm enormously frustrated with myself for having fallen for this, and I apologise to anyone on that list. Obviously, watch out for spam or further phishes, and check back here or via the social channels in the nav bar above for more. Ironically, I'm in London visiting government partners and I spent a couple of hours with the National Cyber Security Centre yesterday talking about how we can better promote passkeys, in part due to their phishing-resistant nature.

More soon. I've hit the publish button on this 34 mins after the time stamp in that first email above.

Every Monday morning when I'm at home, I head into a radio studio and do a segment on scams. It's consumer-facing, so we're talking to the normies, and whenever someone calls in and talks about being caught in the scam, the sentiment is the same: "I feel so stupid". That, friends, is me right now. Beyond acknowledging my own foolishness, let me proceed with some more thoughts.

Firstly, I've received a gazillion similar phishes before that I've identified early, so what was different about this one? Tiredness was a major factor. I wasn't alert enough and I didn't properly think through what I was doing. The attacker had no way of knowing that (I don't have any reason to suspect this was targeted specifically at me), but we all have moments of weakness, and if the phish times just perfectly with that, well, here we are.

Secondly, reading it again now, that's a very well-crafted phish. It socially engineered me into believing I wouldn't be able to send out my newsletter, so it triggered "fear", but it wasn't all bells and whistles about something terrible happening if I didn't take immediate action. It created just the right amount of urgency without being over the top.

Thirdly, the thing that should have saved my bacon was the credentials not auto-filling from 1Password, so why didn't I stop there? Because that's not unusual. There are so many services where you've registered on one domain (and that address is stored in 1Password), then you legitimately log on to a different domain. For example, here's my Qantas entry:

And the final thought for now is more a frustration that Mailchimp didn't automatically delete the data of people who unsubscribed. There are 7,535 email addresses on that list, which is nearly half of all addresses in that export. I need to go through the account settings and see if this was simply a setting I hadn't toggled or something similar, but the inclusion of those addresses was obviously completely unnecessary. I also don't know why IP addresses were captured or how the lat and long is calculated, but given I've never seen a prompt for access to the GPS, I imagine it's probably derived from the IP.

I'll park this here and do a deeper technical dive later today that addresses some of the issues I've raised above.

I'll keep writing this bit by bit (you may see it appear partly finished while reading, so give the page a refresh later on), starting with the API key that was created:

This has now been deleted, so along with rolling the password, there should no longer be any persistent access to the account.

Unfortunately, Mailchimp doesn't offer phishing-resistant 2FA:

By no means would I encourage people not to enable 2FA via OTP, but let this be a lesson as to how completely useless it is against an automated phishing attack that can simply relay the OTP as soon as it's entered. On that note, another ridiculous coincidence is that in the same minute that I fell for this attack, I'd taken a screen cap of the WhatsApp message below and shown Charlotte: "See, this reinforces what we were talking about with the NCSC yesterday about the importance of passkeys".

Another interesting angle to this is the address the phish was sent to:

The rest of that address is probably pretty predictable, and I do publish my full normal address on the contact page of this blog, so it's not like I conceal it from the public, but I find it interesting that the phish came to an address only used for Mailchimp. Which leaves two possibilities:

Applying some Occam's razor, it's the latter. I find the former highly unlikely, and I'd be very interested to hear from anyone else who uses Mailchimp and received one of these phishes.

Still on email addresses, I originally read the phish on my iThing, and Outlook rendered it as you see in the image above. At this point I was already on the hook as I intended to login and restore my account, so the way the address then rendered on the PC didn't really stand out to me when I switched devices:

That's so damn obvious! The observation here is that by not rendering the sender's address, Outlook on iOS hid the phish. But having said that, by no means can you rely on the address as a solid indicator of authenticity, but in this case, it would have helped.

Curious as to why unsubscribed users were in the corpus of exported data, I went searching for answers. At no point does Mailchimp's page on unsubscribing mention anything about not deleting the user's data when they opt out of receiving future emails. Keeping in mind that this is AI-generated, Google provided the following overview:

That "Purpose of Keeping Unsubscribes" section feels particularly icky, and again, this is the AI and not Mailchimp's words, but it seems to be on point. I can go through and delete unsubscribed addresses, and I'll do that shortly (as the last thing I'm going to do now is rush into something else), but then it looks like that has to be a regular process. This is a massive blindspot on Mailchimp's behalf IMHO, and I'm going to provide that feedback to them directly (just remembered I do know some folks there).

I just went to go and check on the phishing site with the expectation of submitting it to Google Safe Browsing, but it looks like that will no longer be necessary:

2 hours and 15 minutes after it snared my creds, Cloudflare has killed the site. I did see a Cloudflare anti-automation widget on the phishing page when it first loaded and later wondered if that was fake or they were genuinely fronting the page, but I guess that question is now answered. I know there'll be calls of "why didn't Cloudflare block this when it was first set up?", but I maintain, as I have before in their defence, that it's enormously hard to do that based on domain or page structure alone without creating a heap of false positives.

On the question of the lat and long in the data, I just grabbed my own records and found an IP address belonging to my cellular telco. I had two records (I use them to test both the daily and weekly posts), both with the same IP address and created within a minute of each other. One had a geolocation in Brisbane and the other in far north Queensland, about 1,700km away. In other words, the coords do not pinpoint the location of the subscriber, but the record does contain "australia, brisbane, au, qld", so there's some rough geolocation data in there.

When I have conversations with breached companies, my messaging is crystal clear: be transparent and expeditious in your reporting of the incident, and prioritise communicating with your customers. Me doing anything less than that would be hypocritical, including how I then handle the data from the breach, namely adding it to HIBP. As such, I've now loaded the breach and notifications are going out to 66k impacted individual subscribers and another 24k monitoring domains with impacted email addresses.

Looking for silver linings in the incident, I'm sure I'll refer this blog post to organisations I disclose future breaches to. I'll point out in advance that even though the data is "just" email addresses and the risk to individuals doesn't present a "likelihood of serious harm" or "risk their rights and freedoms" (read that blog post for more), it's simply the right thing to do. In short, for those who read this in future, do not just as I say, but as I do.

I emailed a couple of contacts at Mailchimp earlier today and put two questions to them:

A number of people have commented on social media about the second point possibly being to ensure that someone who unsubscribes can't then later be resubscribed. I'm not sure that argument makes a lot of sense, but I'd like to see people at least being given the choice. I'm going to wait on their feedback before deciding if I should delete all the unsubscribed emails myself. I'm not even sure if that's possible via the UI or requires scripting against the API.

The irony of the timing, with this happening just as I've been having passkey discussions with the NCSC, is something I'm going to treat as an opportunity. Right before this incident, I'd already decided to write a blog post for the normies about passkeys, and now I have the perfect example of their value. I'd also discussed with the NCSC about creating a passkey equivalent of my whynohttps.com project, which highlighted the largest services not implementing HTTPS by default. As such, I've just registered whynopasskeys.com (and its singular equivalent) and will start thinking more about how to build that out so we can collectively put some pressure on the services that don't support unphishable second factors. I actually attempted to register that domain whilst out walking today, only to be met with the following courtesy of DNSimple:

Using a U2F key on really important stuff like my domain registrar highlights the value of this form of auth. Today's phish could not have happened against this account, nor the other critical ones using a phishing-resistant second factor, and we need to collectively push orgs in this direction.

Sincere apologies to anyone impacted by this, but on balance, I think this will do more good than harm, and I encourage everyone to share this experience broadly.

Update 1: I'll keep adding more thoughts here via updates, especially if there's good feedback or questions from the community. One thing I'd intended to add earlier is that the more I ponder this, the more likely I think it is that my unique Mailchimp address was obtained from somewhere, as opposed to guessed in any targeted fashion. A possible explanation is the security incident they had in 2022, which largely targeted crypto-related lists but I imagine would likely have provided access to the email addresses of many more customers too. I'll put that to them when I get a response to my earlier email.

Update 2: I now have an open case with Mailchimp and they've advised that "login and sending for the account have been disabled to help prevent unauthorized use of the account during our investigation". I suspect this explains why some people are unable to now sign up to the newsletter. I'll try and get that reinstated ASAP; I'd rolled creds immediately and, let's face it, the horse has already bolted.

Pondering this even further, I wonder if Mailchimp has any anti-automation controls on login. The credentials I entered into the phishing site were obviously automatically replayed to the legitimate site, which suggests something there is lacking.

I also realised another factor that preconditioned me to enter credentials into what I thought was Mailchimp is their very short-lived authentication sessions. Every time I go back to the site, I need to reauthenticate, and whilst the blame still clearly lies with me, I'm used to logging back in on every visit. Keeping a trusted device auth'd for a longer period would likely have raised a flag on my return to the site if I wasn't still logged in.

Update 3: Mailchimp has now restored access to my account and the newsletter subscription service is working again. Here's what they've said:

They've also acknowledged several outstanding questions I have, such as whether passkeys are on the roadmap, and have passed them along to the relevant party. I'll update this post once I have answers.

There's been a lot of discussion around Mailchimp "are violating my local privacy laws" by not deleting emails when I unsubscribe, and that's one of the outstanding questions I've sent them. But on that, I've had several people contact me and point out this is not the case, as the address needs to be retained in order to ensure an opted-out individual isn't later emailed if their address is imported from another source. Read this explainer from the UK's ICO on suppression lists, in particular this para:

I suspect this explains Mailchimp's position, but I suggest that should be clearer during the unsubscribe process. I just went through and tested it, and at no time is it clear the email address will be retained for the purpose of suppression.

My suggestion would be to follow our approach for Have I Been Pwned, where we give people three choices and allow them to choose how they'd like their data to be handled:

At present, Mailchimp is effectively implementing the first option we provide, and the folks that are upset were expecting the last option. Hopefully, they'll consider a more self-empowering approach to how people's data is handled. I'll update this blog post once I have their response.

Update 4: Someone has pointed out that the sending email address in the phish actually belongs to a Belgian cleaning company called Groupf. It's not unusual for addresses like this to be used to send malicious mail, as they usually don't have a negative reputation and more easily pass through spam filters. It also indicates a possible compromise on their end, so I've now reached out to them to report the incident.

Update 5: I've been contacted by someone that runs a well-known website that received the same phishing email as me. They made the following observation regarding the address that received the phish:

This aligns with my earlier observation that a customer list may have been obtained from Mailchimp and used to send the phishing emails. They went on to say they were seeing multiple subsequent phishes targeting their Mailchimp account.

That a customer list may have been compromised was one of the questions I put to Mailchimp and am still awaiting an answer on. That was about 36 hours ago now, so I've just given them a little nudge.

Update 6: There have been a lot of suggestions that Mailchimp should be storing the hashes of unsubscribed emails rather than the full addresses in the clear. I understand the sentiment, and it does offer some protection, but it by no means ticks the "we no longer have the address" box. This is merely pseudo-anonymisation, and the hashed address can be resolved back to the clear if you have a list of plain text candidates to hash and compare them to. There's a good explainer of this in the answer to this question on Security Stack Exchange about hashing email addresses for GDPR compliance. IMHO, my example of how we handle this in HIBP is the gold standard that Mailchimp should be implementing.

And there's also another problem: short of cracking the hashed addresses, you can never export a list of unsubscribed email addresses, for example if you wanted to change mail campaign provider. The only way that would work is if the hashing algorithm is the same in the destination service, or you build some other level of abstraction at any other future point where you need to compare plain text values to the hashed suppression list. It's messy, very messy.

Update 7: Validin has written a fantastic piece about Pulling the Threads of the Phish of Troy Hunt that takes a deep dive into the relationship between the domain the phish was hosted on and various other campaigns they've observed:

Scattered Spider certainly has previous form, and this was a very well-orchestrated phish. Four days on as I write this, it's hard not to be a bit impressed about how slick the whole thing was.

Hi, I'm Troy Hunt. I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals.
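The post's central technical point is that an OTP relayed by an automated phishing proxy is accepted by the real site, whereas a passkey is not. The following is an added example to make that concrete; it is constructed here and is not code from the post, from Mailchimp or from any phishing kit. The TOTP side implements RFC 6238 (HMAC-SHA1, 30 second step, 6 digits) with the standard library only. The WebAuthn side is a simplified model of the assertion ceremony: an HMAC under a per-credential key stands in for the authenticator's ECDSA signature, the challenge is a plain string rather than base64url bytes, and the origins and rpId (`https://login.mailchimp.com`, `https://mailchimp-sso.com`, `mailchimp.com`) are assumed for illustration, with only the phishing domain taken from the post.

```python
"""Added example: a relayed OTP verifies, a relayed passkey assertion does not.

Constructed scenario, not code from the blog post, Mailchimp or any phishing
kit. HMAC stands in for the authenticator's ECDSA signature; origins and rpId
are assumed values for illustration.
"""
import hashlib
import hmac
import json
import struct

STEP = 30
LEGIT_ORIGIN = "https://login.mailchimp.com"  # assumed legitimate login origin
PHISH_ORIGIN = "https://mailchimp-sso.com"     # the domain named in the post
RP_ID = "mailchimp.com"                        # assumed relying-party ID


# ---- TOTP: anyone who presents the code inside the window is accepted ----
def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 code for the 30 s step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp_valid(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Typical server check: current step plus/minus `window` steps."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * STEP), code)
        for d in range(-window, window + 1)
    )


def relayed_otp_accepted(secret: bytes, typed_at: int, relay_delay: int) -> bool:
    """Victim types the code into the phishing page at `typed_at`; the proxy
    submits that same code to the real site `relay_delay` seconds later."""
    code_typed_into_phish = totp(secret, typed_at)
    return totp_valid(secret, code_typed_into_phish, typed_at + relay_delay)


# ---- WebAuthn-style assertion: the browser's origin is inside the signed data ----
def authenticator_get_assertion(cred_key: bytes, challenge: str, browser_origin: str) -> dict:
    """The browser builds clientDataJSON with the origin it is actually on; the
    authenticator signs authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        separators=(",", ":"),
    ).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return {
        "clientDataJSON": client_data,
        "authenticatorData": auth_data,
        "signature": hmac.new(cred_key, to_sign, hashlib.sha256).digest(),  # ECDSA stand-in
    }


def rp_verify(cred_key: bytes, challenge: str, assertion: dict):
    """Relying-party checks in the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != LEGIT_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "signature does not cover the presented clientDataJSON"
    return True, "ok"


def relayed_passkey_accepted(cred_key: bytes, proxy_rewrites_origin: bool):
    """The proxy forwards the real site's challenge to the victim's browser, which
    is sitting on PHISH_ORIGIN. (A real browser would refuse before signing, since
    RP_ID is not a registrable suffix of the phishing origin; we let it sign here
    to show the RP still rejects the result.)"""
    challenge = "constructed-challenge-1"
    assertion = authenticator_get_assertion(cred_key, challenge, PHISH_ORIGIN)
    if proxy_rewrites_origin:  # attacker edits the origin field before relaying
        cd = json.loads(assertion["clientDataJSON"])
        cd["origin"] = LEGIT_ORIGIN
        assertion = dict(assertion, clientDataJSON=json.dumps(cd, separators=(",", ":")).encode())
    return rp_verify(cred_key, challenge, assertion)


if __name__ == "__main__":
    secret, cred_key = b"constructed-totp-seed", b"constructed-credential-key"
    print("OTP relayed 5 s later accepted:", relayed_otp_accepted(secret, 1_700_000_000, 5))
    print("Passkey relayed unchanged:", relayed_passkey_accepted(cred_key, False))
    print("Passkey with origin rewritten by proxy:", relayed_passkey_accepted(cred_key, True))
```

The OTP check has no notion of where the code was typed, so the only thing standing between the attacker and a session is the relay latency against the verifier's window. The passkey check fails twice over: the origin the browser recorded is the phishing domain, and if the proxy edits that field the signature no longer matches, because the hash of clientDataJSON is part of what was signed.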
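Update 6 argues that a hashed suppression list is only pseudonymised, because anyone holding plain-text candidates can hash and compare, and that it also cannot be exported to a provider that hashes differently. The following is an added example illustrating both points; it is constructed here and is not Mailchimp's or HIBP's code. The addresses are made up, and the keyed (HMAC) variant and its key are assumptions added to show the trade-off a keyed hash introduces.

```python
"""Added example: hashed suppression lists are pseudonymised, not anonymised.

Constructed data and code, not the blog's, Mailchimp's or HIBP's. Shows
(1) resolving hashed unsubscribed addresses back to the clear from a candidate
list, (2) how normalisation decides whether a lookup matches at all, and
(3) the portability problem when the next provider hashes differently. The
keyed variant (HMAC under a server-side key, an assumption here) defeats the
candidate attack for anyone without the key, but is no more exportable.
"""
import hashlib
import hmac
from typing import Dict, Iterable, Optional, Set


def normalise(email: str) -> str:
    return email.strip().lower()


def hash_email(email: str, algo: str = "sha256", key: Optional[bytes] = None) -> str:
    """Hex digest of the normalised address; keyed (HMAC) when `key` is given."""
    data = normalise(email).encode()
    if key is None:
        return hashlib.new(algo, data).hexdigest()
    return hmac.new(key, data, algo).hexdigest()


def build_suppression_list(unsubscribed: Iterable[str], algo: str = "sha256",
                           key: Optional[bytes] = None) -> Set[str]:
    return {hash_email(e, algo, key) for e in unsubscribed}


def is_suppressed(suppression: Set[str], email: str, algo: str = "sha256",
                  key: Optional[bytes] = None) -> bool:
    """The check a provider runs before sending or on import from another source."""
    return hash_email(email, algo, key) in suppression


def resolve_hashes(suppression: Set[str], candidates: Iterable[str], algo: str = "sha256",
                   key: Optional[bytes] = None) -> Dict[str, str]:
    """Dictionary attack: hash every plain-text candidate and keep the hits."""
    found = {}
    for cand in candidates:
        h = hash_email(cand, algo, key)
        if h in suppression:
            found[h] = normalise(cand)
    return found


# Constructed sample data: four unsubscribed addresses, and a plain-text corpus
# (think: any prior breach) that an attacker might already hold.
UNSUBSCRIBED = ["alice@example.com", "Bob@Example.com ", "carol@example.net", "dave@example.org"]
CANDIDATES = ["alice@example.com", "bob@example.com", "erin@example.com",
              "frank@example.net", "dave@example.org"]
SERVER_KEY = b"constructed-server-side-key"  # assumed; never leaves the provider


def demo() -> dict:
    plain = build_suppression_list(UNSUBSCRIBED)
    keyed = build_suppression_list(UNSUBSCRIBED, key=SERVER_KEY)
    return {
        "resolved_plain": len(resolve_hashes(plain, CANDIDATES)),       # 3 of 4 recovered
        "resolved_keyed": len(resolve_hashes(keyed, CANDIDATES)),       # 0 without the key
        "normalised_hit": is_suppressed(plain, "  BOB@example.com"),     # True: same normalised form
        "portable_to_md5": is_suppressed(plain, "alice@example.com", algo="md5"),  # False
        "keyed_with_key": is_suppressed(keyed, "carol@example.net", key=SERVER_KEY),  # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Three of the four "deleted" addresses come straight back from a five-entry candidate list, which is the pseudonymisation point. The `md5` lookup failing is the migration point: a new provider has to hash with exactly the same algorithm and normalisation or the list is useless. The keyed variant closes the candidate attack but makes the list even less portable, since the key would have to travel with it.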
This work is licensed under a Creative Commons Attribution 4.0 International License. In other words, share generously but provide attribution.

Opinions expressed here are my own and may not reflect those of others. Unless I'm quoting someone, they're just my own views.

This site runs entirely on Ghost and is made possible thanks to their kind support. Read more about why I chose to use Ghost.