Email marketing platform Mailchimp, owned by Intuit Inc. since last year, has been hacked as part of a scheme to target Trezor cryptocurrency wallet service users.
Bleeping Computer reported today that the hack started with employees of Mailchimp falling for a social engineering attack that led to the theft of their credentials. “On March 26, our Security team became aware of a malicious actor accessing one of our internal tools used by customer-facing teams for customer support and account administration,” a spokesperson for Mailchimp said. “The incident was propagated by an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised.”
A company being hacked is hardly rare in 2022, but this specific attack takes an interesting turn in that the hacker or hackers behind it seemingly did so to target Trezor users. Founded in 2013, Trezor offers a hardware cryptocurrency wallet that lets users store their private keys on a dedicated device.
Trezor described the attack on Twitter as a Mailchimp “insider” targeting cryptocurrency companies. The phishing attacks included the use of the fake domain names trezor.us and xn--trzor-o51b.com, both of which have now been taken down.
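The second fake domain is an IDNA (punycode) label that decodes to a Unicode lookalike of the brand name. The following added example (not from the article or from Trezor) shows how a mail-filtering or SOC team can decode such sender domains and flag both punycode homographs and TLD swaps like trezor.us; the allowlist and the assumption that trezor.io is the legitimate domain are constructed for the example.

```python
import unicodedata

# Constructed allowlist. Assumption: trezor.io is Trezor's legitimate domain.
LEGITIMATE_DOMAINS = {"trezor.io"}
PROTECTED_BRANDS = {"trezor"}


def to_unicode(domain: str) -> str:
    """Decode an IDNA/punycode host (labels starting with xn--) to Unicode."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode or malformed; keep as-is


def skeleton(label: str) -> str:
    """Strip combining marks and fold case so 'trẹzor' collapses to 'trezor'."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def classify_sender_domain(domain: str) -> dict:
    """Return a verdict for a sender domain: legitimate, suspicious or unknown."""
    domain = domain.strip().lower().rstrip(".")
    unicode_form = to_unicode(domain)
    result = {"domain": domain, "unicode": unicode_form, "reasons": []}
    if domain in LEGITIMATE_DOMAINS:
        result["verdict"] = "legitimate"
        return result
    if any(label.startswith("xn--") for label in domain.split(".")):
        result["reasons"].append("punycode (xn--) label in sender domain")
    if any(ord(c) > 127 for c in unicode_form):
        result["reasons"].append("non-ASCII characters after IDNA decoding")
    labels = unicode_form.split(".")
    second_level = labels[-2] if len(labels) >= 2 else labels[0]
    brand = skeleton(second_level)
    if brand in PROTECTED_BRANDS:
        # Catches both homographs (trẹzor.com) and TLD swaps (trezor.us).
        result["reasons"].append(
            f"label resembles protected brand '{brand}' but domain is not allowlisted"
        )
    result["verdict"] = "suspicious" if result["reasons"] else "unknown"
    return result


if __name__ == "__main__":
    for host in ("trezor.io", "xn--trzor-o51b.com", "trezor.us", "example.com"):
        print(classify_sender_domain(host))
```

Run against the sender domain of each inbound message; anything scoring "suspicious" against a protected brand is worth quarantining or routing to the security team.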
Bizarrely, those behind the attack disguised their campaign as a response to Trezor itself having been hacked. Users were targeted with an email claiming that Trezor had experienced a security incident on April 2. The email stated that “at this moment, it’s technically impossible to accurately assess the scope of this data breach” and then added, “we must assume that your cryptocurrency assets are at risk of being stolen.”
Following further text, users were prompted to download the latest version of Trezor Suite via a link in the email. What users actually downloaded from that link was malware that stole their cryptocurrency.
It’s currently believed that more than 100 Trezor users fell for the fake email. The amount of cryptocurrency stolen from those who fell for the phishing scheme is unknown.
Other companies are likely affected by the Mailchimp breach, but it’s not clear whether those behind the attack are targeting their customers as well. Virtual social world Decentraland warned users that its newsletter subscribers’ email addresses were leaked as part of the Mailchimp data breach.
Attention: Our newsletter subscribers’ email addresses were leaked in a Mailchimp data breach.
Please stay alert as the malicious actors may use your email address to try and message you impersonating the Decentraland Foundation.
Learn more details: https://t.co/UujMMZ1HXt
— Decentraland (@decentraland) April 4, 2022
“Similar to the FireEye and SolarWinds breaches in 2020, cybercriminals leveraged the services of one organization to gain access to dozens, if not hundreds of others,” James McQuiggan, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “In this case, we are seeing cybercriminals leveraging a third-party tool to convince victims of an authorized email and work to gain access to sensitive information.”
McQuiggan noted that organizations will continue to struggle with social engineering attacks. “It becomes crucial for users to spot a phishing or vishing attack and feel empowered to report it to the appropriate departments for resolution,” McQuiggan said. “Cybercriminals will continue to target organizations that support hundreds and thousands of their customers to leverage that service to gain access for a more significant gain.”