Over the past few years, Websense Security Labs has been monitoring an increasing trend in unwanted email being sent from webmail accounts. Initially these accounts were on hosted freemail providers, but externally facing corporate webmail accounts have recently been targeted as well. The technique is the same in both scenarios: account passwords are either phished or guessed by brute force. Once an account is compromised, the attacker can send email to its contacts and to other addresses, borrowing the compromised company's sending reputation to slip past spam filters.
Recently we have detected a disturbing shift in this trend, with email marketing organization web accounts being compromised and used to send spam, which often contains malicious links.
Below is an example of a spoofed email originally sent through an email marketing company based in Argentina. In this case, the compromised account belongs to a large electrical retailer that has both online and store-front outlets.
We can validate that this email really came from the email marketing company's infrastructure: the IP address that delivered it is listed as an authorised sender in the Sender Policy Framework (SPF) record published for the marketing company's domain.
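The check described above, as an added example that is not code from the original post: take the connecting IP address from the top Received header and the envelope-sender domain from Return-Path, then evaluate that domain's SPF record. The SPF records and message headers below are constructed for illustration (they are not the real records of any company mentioned in the article), and an in-memory table stands in for the DNS TXT lookups so the script runs offline; a production check would query DNS and handle the a, mx, ptr, exists and redirect terms that this evaluator skips.

```python
import ipaddress
import re

# Constructed SPF records standing in for DNS TXT lookups (assumption: not real records).
SPF_RECORDS = {
    "mailer.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.relay.example -all",
    "_spf.relay.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed headers as a receiving MX would record them (assumption: sample data).
SAMPLE_HEADERS = """Return-Path: <bounce-acme123@mailer.example>
Received: from mta1.mailer.example (mta1.mailer.example [203.0.113.45])
        by mx.recipient.example with ESMTP id 1abc; Tue, 1 Jan 2013 10:00:00 +0000
From: "Clothing Retailer" <news@clothing-retailer.example>
Subject: Your invoice
"""


def lookup_spf(domain, records=SPF_RECORDS):
    """Return the SPF record for domain from the offline table (None if absent)."""
    return records.get(domain.lower())


def check_spf(sender_ip, domain, records=SPF_RECORDS, depth=0):
    """Evaluate domain's SPF record against sender_ip.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    Only ip4, ip6, include and all are implemented; mechanisms that need live
    DNS (a, mx, ptr, exists) and modifiers (redirect=, exp=) are treated as no-match.
    """
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying terms at 10 per check
    record = lookup_spf(domain, records)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include matches only when the referenced record itself yields pass
            sub = check_spf(sender_ip, arg, records, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # fell off the end of the record without a match


def envelope_domain(headers):
    """Domain of the envelope sender (MAIL FROM), taken from Return-Path."""
    m = re.search(r"^Return-Path:\s*<[^@>]+@([^>]+)>", headers, re.M)
    return m.group(1) if m else None


def connecting_ip(headers):
    """IP address in the first (topmost) Received header, i.e. the host that handed us the mail."""
    m = re.search(r"^Received: from \S+ \([^\[]*\[([0-9a-fA-F.:]+)\]\)", headers, re.M)
    return m.group(1) if m else None


def verify_message(headers, records=SPF_RECORDS):
    """Tie the pieces together: which SPF result does this message get?"""
    domain, ip = envelope_domain(headers), connecting_ip(headers)
    if not domain or not ip:
        return "none"
    return check_spf(ip, domain, records)


if __name__ == "__main__":
    print(verify_message(SAMPLE_HEADERS))
```

Note what a pass tells you and what it does not: it confirms the message left the marketing company's authorised servers, which is exactly why it is useful here for attributing the campaign, but it says nothing about whether the account that sent it was being operated by its rightful owner.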
The account was used to send out spoofed email that appeared to originate from an international clothing retailer. However, some of the links in the email direct the recipient to a similarly named domain, ‘<companydomain>-billings.com’, which was registered on the day of the attack. This site hosts a zip file containing a malicious executable posing as an invoice, named ‘<companyname>_Order_16YWBoG.exe’. At the time this email campaign started, the file had 0% coverage by the AV community.
The day after the first email messages were sent, the attacker compromised another account on the same Argentinian email marketing company's website, this time registering a new domain, ‘<companydomain>-support.com’. On the third day, the attacker switched to an email marketing company based in Australia. As before, they registered a new domain, ‘<companydomain>-invoice.com’, but instead of placing it in the email they compromised an Australian travel company's website and used it as a redirector. That travel company was itself the owner of the Australian email marketing account used to send the spoofed email. The extra hop was probably taken to get past basic outbound filtering by the marketing company, since the newly registered domain never appears in the message itself.
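The three campaigns above share the same fingerprints: links to a freshly registered domain built from the spoofed brand's name plus a suffix such as -billings, -support or -invoice, an executable named like an order document inside a zip, and, in the last case, a link that goes through an unrelated compromised site before landing on the lookalike domain. The following is an added example, not code from the original post, of how a mail gateway or analyst script could flag those patterns in an inbound message. The brand domain, the message body and the file name are constructed for illustration; the registrable-domain logic is simplified to the last two labels where a real deployment would consult the Public Suffix List.

```python
import re
from urllib.parse import parse_qs, urlparse

# Assumed brand domain and a constructed message body (not from the article).
BRAND_DOMAIN = "clothing-retailer.example"
SAMPLE_BODY = """Thank you for your order. View it here: http://www.clothing-retailer.example/orders
Download your invoice: http://clothing-retailer.example-billings.com/invoice.zip
Support: https://clothing-retailer-support.example/help
Partner offer: http://travel.example/promo?next=http://clothing-retailer.example-invoice.com/a
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".js")


def registrable(host):
    """Last two labels of a hostname. Simplification: real code uses the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host, brand_domain):
    """True if host imitates brand_domain without being it or one of its subdomains."""
    host = host.lower().rstrip(".")
    brand_domain = brand_domain.lower()
    if host == brand_domain or host.endswith("." + brand_domain):
        return False
    brand_label = brand_domain.split(".")[0]
    reg_label = registrable(host).split(".")[0]
    # brand-billings.com / brand-support.com style: brand label plus a hyphenated suffix
    if reg_label.startswith(brand_label + "-") or reg_label.endswith("-" + brand_label):
        return True
    # brand label reused as a label inside a longer host, e.g. brand.example-invoice.com
    return brand_label in host.split(".")


def extract_urls(text):
    return URL_RE.findall(text)


def unwrap_redirect(url, limit=5):
    """Follow URL-valued query parameters (the open-redirector pattern) without any network access.

    Returns the chain of URLs, first the one in the message, last the final destination.
    """
    chain = [url]
    while len(chain) <= limit:
        query = parse_qs(urlparse(chain[-1]).query)
        nested = [v for values in query.values() for v in values
                  if v.startswith(("http://", "https://"))]
        if not nested:
            break
        chain.append(nested[0])
    return chain


def analyze_links(body, brand_domain):
    """Return (url_in_message, final_host, reason) for every link that lands on a lookalike domain."""
    findings = []
    for url in extract_urls(body):
        chain = unwrap_redirect(url)
        final_host = urlparse(chain[-1]).hostname or ""
        if is_lookalike(final_host, brand_domain):
            reason = "lookalike domain"
            if len(chain) > 1:
                reason += " behind redirector " + (urlparse(chain[0]).hostname or "?")
            findings.append((url, final_host, reason))
    return findings


def suspicious_attachment(filename, brand_domain):
    """Executable dressed up as an order or invoice document, as in the campaign described."""
    name = filename.lower()
    brand_label = brand_domain.split(".")[0].lower()
    return name.endswith(EXECUTABLE_EXT) and any(
        word in name for word in (brand_label, "invoice", "order"))


if __name__ == "__main__":
    for url, host, reason in analyze_links(SAMPLE_BODY, BRAND_DOMAIN):
        print(f"{host}: {reason} ({url})")
    print(suspicious_attachment("ClothingRetailer_Order_16YWBoG.exe", BRAND_DOMAIN))
```

Domain age is the other signal the article points to; a production version of this check would also query WHOIS or a passive-DNS feed for the final host and raise the score when the domain is only hours old, which this offline example deliberately leaves out.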
One thing these marketing companies have in common is that the sender address of each campaign appears to be formed from the customer's account name as the local part and the marketing company's own domain. This makes it very easy for an attacker to subscribe to a newsletter and learn both the account name and the marketing platform it is hosted on.
As more companies use third-party email marketing organizations to handle their commercial email requirements, are they inadvertently risking their reputations and the repeat business of their loyal customers? We think they could be.
Most email marketing web accounts are protected only by a username and password. If an account is compromised, the attacker gains not only an efficient email sending infrastructure and campaign editing tools, but also the customer email list. Even worse, most of the major email marketing companies also integrate with many online CRM services, giving the attacker the additional option of reselling an organisation's customer information to its competitors. To the attacker, then, these marketing companies represent soft and potentially lucrative targets.
So when your email marketing account is created, does it meet your company's password policy? Does your marketing department share this account and leave the password posted on the pin board? Remember: A simple password may be all that is stopping your organization from sending your entire customer base a malicious email.