As I described yesterday in an article on the We Live Security blog, some MailChimp customers had their accounts hijacked, with the end result that their newsletter subscribers received a malicious email.
There’s no suggestion that MailChimp itself suffered a data breach – it appears much more likely that the businesses who had their mailing lists abused had had their passwords stolen or guessed.
And a possible explanation of how those MailChimp passwords might have fallen into the laps of cybercriminals came to my attention an hour or so after I wrote my initial article on the incident.
A security researcher, who chooses to remain anonymous, contacted me telling me that he had a database of over 2,000 MailChimp usernames and passwords. The data was not sourced via a breach at MailChimp itself, but was a small part of a much larger data haul collected by the Vawtrak password-stealing trojan.
Vawtrak is a notorious piece of malware – often spread via malicious Word documents – which can spy on its victims by logging keystrokes, taking screenshots and hijacking webcams.
As if that weren’t bad enough, it opens a remote access backdoor for hackers to steal victims’ files, grabs passwords, digital certificates, browser histories, and uses code injection to grab online banking credentials.
As the haul of MailChimp passwords reveals, Vawtrak doesn’t just steal online banking passwords – it’s also interested in your webmail, social networking accounts, and many other things besides… including the account your business might use to send out newsletters.
A MailChimp spokesperson confirmed that it had reset passwords on the accounts included in the data dump:
Our team has obtained the data from the security researcher. They’ve validated usernames with our user base, and have forced password resets on the affected users.
Personally I hope that MailChimp went further than that, encouraging the victims to enable two-factor authentication and to ensure that they’re running an up-to-date anti-virus product.
Furthermore, it’s important to recognise that if criminals have used malware to steal your MailChimp password, they have almost certainly also stolen your passwords for other online services as Vawtrak pilfers all locally-stored passwords and those entered into web forms.
In other words, changing your MailChimp password and enabling MailChimp’s 2FA isn’t enough. You need to consider the likelihood that many more of your online passwords are also at risk.
After all, the MailChimp credentials in that list only numbered just over 2000. There were over two million other lines of credentials related to other services in the file obtained by the researcher.
Is it possible that the compromised MailChimp accounts that sent out the malicious emails were hijacked as a consequence of malware like Vawtrak? It seems plausible to me.
But it’s also sadly true that there are other password dumps out there, and other malware, keen to steal your online passwords.
Would Little Snitch, on MacOS, have flagged this up?
I find it hard to believe that people are still idiotic enough to be opening Word documents and enabling macros within them to run. Look at the steps they have to go through in order for Vawtrak to be installed on their PC. 1) Open unexpected email from a possibly unknown source. 2) Open attached document in Word. 3) Enable macros when Word prompts them to.
Geez! It makes me despair of the modern world. It's pearl (advanced technology) before swine (the uneducated masses with too much power at their fingertips).
@Mark Jacobs,
The individuals who do this are not to blame IMO. For many, computing is complicated and difficult, and most of us don't get proper training. Most of us learn by doing, and that involves clicking lots of buttons on lots of screens without really knowing what it all means.
I wouldn't say it's that the individuals are idiotic; rather, I think they are unskilled and ignorant. Definitely a bummer, though. It would be nice if they knew better.