A malicious round of social engineering attacks against Mailchimp and at least one of its customers, DigitalOcean, highlights a persistent trend in the information security space of threat actors targeting vulnerable organizations by abusing the digital identity supply chain.
DigitalOcean migrated away from Mailchimp after an attacker compromised the email service provider's internal tooling and unauthorized actors reset the passwords of a small number of DigitalOcean customers.
Unauthorized actors used sophisticated phishing and social engineering techniques to target Mailchimp’s crypto-related users, a spokesperson said via email. Based on its investigation to date, Mailchimp has identified 214 accounts affected by the incident, the spokesperson added.
“In an abundance of caution, when we detect suspicious activity in our users’ accounts, we take proactive steps to temporarily suspend all account access,” the spokesperson said.
Mailchimp notified all owners of impacted accounts and said it is working diligently to reinstate accounts.
But critics are pushing back on Mailchimp's response. Numerous crypto firms claim they were taken offline without advance warning and said the company has been slow to respond to their queries.
The attacks highlight two significant trends in the information security space in 2022: an increase in identity attacks and an increase in digital supply chain attacks, according to Peter Firstbrook, research VP at Gartner.
“Identity misuse is increasing dramatically to infiltrate systems,” Firstbrook said. “It is far easier to steal identities, via phishing and other social engineering techniques, than it is to find and exploit software vulnerabilities.”
Attackers often use email to establish new accounts, confirm the identities of potential victims and potentially change their passwords.
“Controlling email traffic enables attackers to reset account information without the victim’s notice,” Firstbrook said.
Digital supply chain attacks are increasing because of the leverage gained by attackers.
“Successfully penetrating a supply chain partner gives attackers access to multiple victims at once,” Firstbrook said. “Additionally, it is often beyond the victim’s control to detect or stop the attack because the necessary telemetry [is] only available to the digital partner.”
Firstbrook points to recent phishing attacks against Microsoft using adversary-in-the-middle techniques and recent business email compromise attacks targeting Workday.
In the Klaviyo attack, which the company disclosed in an Aug. 3 blog post from CEO Andrew Bialecki, an employee’s login credentials were compromised and a threat actor was able to gain access to some of the company’s internal support tools.
The threat actor used internal support tools to search for mostly crypto-related accounts and viewed list and segment information on 44 Klaviyo accounts, according to the post. The threat actor downloaded list or segment information for 38 of these accounts. Two of the company’s internal lists for product and marketing updates were also downloaded.
The company is concerned about potential phishing or smishing attacks and warned customers about potential requests for password resets, payment information or emails from unusual domains.
Cryptocurrencies are targeted by a range of financially motivated threat actors because they offer potential profit and pose little risk to cyber criminals, according to Fred Plan, principal analyst at Mandiant.
“Since cryptocurrency services and platforms are less likely to have a well-developed security posture than more established financial institutions, they are also probably easier to target,” Plan said via email.
The impact of the Mailchimp breach on DigitalOcean highlights the importance of implementing security best practices, Plan said, including two-factor authentication and zero trust. Using these practices can help reduce the impact of security incidents when they occur.