Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Compromised Email marketing companies sending spam

View all posts > 

Compromised Email marketing companies sending spam

Posted: 23 Sep 2011 03:32 PM | dsaunders | 2 comment(s)

Over the past few years, Websense Security Labs has been monitoring an increasing trend in unwanted email being sent from webmail accounts. Initially these accounts were on hosted freemail providers, but externally facing corporate webmail accounts have recently been targeted. The technique is the same in both attack scenarios: Account passwords are either phished or subjected to a brute force password attack. Once an account is compromised, the attacker can send email messages to contacts and other addresses using the compromised company's reputation to avoid detection by spam filters.


Recently we have detected a disturbing shift in this trend, with email marketing organization web accounts being compromised and used to send spam, which often contains malicious links.


Below is an example of spoofed email originally sent from an email marketing company based in Argentina. In this case, the account belongs to a large electrical retailer who has both online and store-front outlets.



We can validate that this email came from the email marketing company's infrastructure using the Sender Policy Framework (SPF) records published for its domain.


The account was used to send out spoofed email that appears to originate with an international clothing retailer. However, some of the links in the email direct the recipient to a similarly named domain ‘<companydomain>-billings.com’, which was registered on the day of the attack. This site hosts a zip file containing a malicious fake invoice named ‘<companyname>_Order_16YWBoG.exe’. At the time this email campaign started, this file had 0% coverage by the AV community.


The day after the first email messages were sent, the attacker compromised another account on the same Argentinian email marketing company website, this time registering a new domain ‘<companydomain>-support.com’. On the third day, the attacker switched to an email marketing company based in Australia. As before, they registered a new domain, but instead of including this domain ‘<companydomain>-invoice.com’ in the email, they compromised an Australian travel company's website and used it as a redirector. This travel company owned the Australian email marketing company account that was used to send the spoofed email. The additional step was probably taken to avoid basic outbound email filtering by the marketing company.


One thing these marketing companies have in common is that they appear to include their account names in the user part of the email address combined with their own domain. This makes it very easy for an attacker to subscribe to a newsletter and receive account and marketing website details.



As more companies use third-party email marketing organizations to handle their commercial email requirements, are they inadvertently risking their reputations and the repeat business of their loyal customers? We think they could be.


Most email marketing web accounts require basic password authentication. If an account is compromised, the attacker has access not only to an efficient email sending infrastructure and campaign editing tools, but also customer email details too. Even worse, most of the major email marketing companies also integrate with many online CRM services, giving the attacker the additional option to resell an organization's information to its competitors. So to the attacker these marketing companies represent soft and potentially lucrative targets.


So when your email marketing account is created, does it meet your company's password policy? Does your marketing department share this account and leave the password posted on the pin board? Remember: A simple password may be all that is stopping your organization from sending your entire customer base a malicious email.


Dave Barnes said on Wednesday, September 28, 2011 9:48 PM

Your comments about authentication are very accurate "...does it meet your company's password policy?".

We have paid the price for not ensuring that our client's can set their own password for our email marketing platform. Exactly what you have described above is what happened with us. Front door forced entry because the accounts had seriously poor u/name & passwords.

This is all rectified but I do NOT accept your comment "are they inadvertently risking their reputations and the repeat business of their loyal customers? "

We spend endless amounts of time to ensure "sender reputation" and acceptable SPAM controls are available for all of our customers. The issue when smaller clients, say less than 5,000,0000 emails per month have is IP and sender reputation.

It is far harder to manage when you are that small having an internal system and far, far more costly. You have an MTA to implement and other tools like Return Path to also implement, plus software, support etc.

Using a reputable external provider helps to maintain your sending reputation, has lower support costs as well as a lower upfront investment. Other than the horrid breach before mentioned, these days once of the reputable senders is the only way to go.

dsaunders said on Thursday, September 29, 2011 1:57 AM

Hi Dave,

Thanks for you comments.

When I used the phrase 'their reputations' I was thinking in terms of the good name of the business and not sender reputation. I agree with your point, there is clear value in outsourcing Email Marketing especially when it comes to managing sender reputation and deliverability.

Regards, David Saunders.

Leave a Comment


Email address: (required)