Cryptocurrency companies were targeted by a phishing campaign after threat actors breached email marketing platform Mailchimp.
In a tweet Sunday, Bitcoin hardware wallet maker Trezor said it was "investigating a potential data breach of an opt-in newsletter hosted on Mailchimp." It warned users to be aware of a phishing campaign that used typosquatting, a tactic where actors alter a domain just enough to trick the recipient into thinking it's authentic.
While Mailchimp had not publicly disclosed the breach at that time, it confirmed to Trezor that its service was "compromised by an insider targeting crypto companies."
Mailchimp CISO Siobhan Smyth verified the breach in a statement to SearchSecurity on Monday. She said the security team first became aware of the Mailchimp breach on March 26 after a malicious actor accessed one of the "internal tools used by customer-facing teams for customer support and account administration." Subsequently, the attacker deployed a social engineering campaign to gain access to employee credentials. Mailchimp lists more than 1,000 employees on LinkedIn.
While Mailchimp "acted swiftly" to limit credential compromise, Smyth said an investigation conducted by outside forensic counsel revealed that "about 300 Mailchimp accounts were viewed, and audience data was exported from 102 of those accounts." And those accounts shared one commonality.
"Our findings show that this was a targeted incident focused on users in industries related to cryptocurrency and finance, all of whom have been notified," Smyth said in an email to SearchSecurity.
Trezor appeared to be the only customer to publicly disclose information, including in a blog post Monday titled "Ongoing phishing attacks on Trezor users." Though the phishing sites have been disabled, Trezor said it has not determined how many email addresses were affected.
It also revealed the phishing message, which alerted customers that a breach had occurred and urged them to download a "look-alike" Trezor Suite app with instructions on setting up new PINs for their wallets.
Trezor highlighted the "very realistic functionality" of the cloned app. "This attack is exceptional in its sophistication and was clearly planned to a high level of detail," the blog said.
However, Trezor also noted that the attack only succeeds if the user authorizes the download of the cloned app. "The only reason to worry about your funds is if you entered your seed into the malicious app," the blog said.
It appears that the phishing campaigns against Mailchimp customers are ongoing.
"As a result of the security incident, we've received reports of the malicious actor using the information they obtained from user accounts to send phishing campaigns to their contacts," Smyth said in the statement. "When we become aware of any unauthorized account access, we notify the account owner and immediately take steps to suspend any further access."
In addition to the phishing attacks targeting Mailchimp cryptocurrency customers, Smyth said the investigation "determined that some accounts' API keys posed a potential vulnerability." It is unclear what that vulnerability is or what its potential consequences are.
"Out of an abundance of caution, we disabled those API keys, implemented protections so they can't be re-enabled, and notified affected users," Smyth said.
Mailchimp recommended two-factor authentication to secure accounts. When it comes to phishing attacks, Trezor advised users to never enter their seeds anywhere and always check URLs.
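As an added, defensive illustration (not from the article, Trezor or Mailchimp): a small Python check that flags URLs whose host is a lookalike of a trusted domain, the kind of typosquat Trezor's "always check URLs" advice is meant to catch. The trusted domain and sample URLs are constructed placeholders, and the registrable-domain heuristic is deliberately simplified.

```python
from urllib.parse import urlparse

# Constructed placeholder for a vendor's legitimate domain; not any real wallet vendor's domain.
TRUSTED_DOMAINS = {"brand-wallet.example"}

# Character swaps that look alike in many fonts; collapse them before comparing labels.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Edit-distance threshold at or below which a different domain counts as a lookalike.
MAX_EDITS = 2


def normalise(label: str) -> str:
    """Lower-case a DNS label and replace common confusable substitutions."""
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; domain labels are short, so the O(n*m) table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' heuristic; a real deployment should use the public suffix list."""
    return ".".join(host.split(".")[-2:])


def classify(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'suspicious' (lookalike of a trusted domain) or 'unrelated'."""
    if "://" not in url:
        url = "https://" + url  # let urlparse see a bare host as a host, not a path
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unrelated"
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    for good in trusted:
        # Trusted name reused as a subdomain of some other registrable domain.
        if ("." + host + ".").find("." + good + ".") != -1:
            return "suspicious"
        # Second-level label close to the trusted one after confusable normalisation.
        if levenshtein(normalise(reg.split(".")[0]), normalise(good.split(".")[0])) <= MAX_EDITS:
            return "suspicious"
    return "unrelated"
```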
The Mailchimp breach is the latest cryptocurrency-related cyber attack in a string of recent incidents, which have grown more common and resulted in some hefty payouts for threat actors. The use of typosquatting has been a common factor in such attacks: Brendan "Casey" McGee, assistant to the special agent in charge of the U.S. Secret Service, addressed its increasing use during the SecureWorld Boston conference last month.