Cybercriminals Exploit MailChimp to Disseminate Malware

In the relentless war against malware, no platform seems to be immune. Even our trusted email newsletter service, MailChimp, is susceptible. Recently, hackers exploited the popular broadcast email service to send out messages containing malware-infested links to unsuspecting subscribers of various services that use MailChimp, according to a report by [Motherboard](http://motherboard.vice.com/read/hackers-are-using-mailchimp-to-spread-malware).

A message from the mouths of these marauders typically reads something like, “Here’s your invoice! We appreciate your prompt payment.” An Australian security researcher, who is also the owner of the Have I Been Pwned? platform, forwarded an example of these insidious emails to Motherboard. “This morning our MailChimp subscriber database was hacked and a fake invoice (Invoice 00317) [sic] was sent to our list,” he claimed, substantiating these allegations with screenshots on Twitter.

All it takes is one wrong click. Subscribers are led to believe they must view an invoice by clicking on an embedded “View Invoice” button. This action, unfortunately, initiates a download of a .zip file teeming with malicious content. An Australian company supported these findings by confirming on Twitter that its MailChimp subscriber database had indeed been hacked, and a spurious invoice (Invoice 00317) had been dispatched to its list of subscribers. The danger lies in the potential for subscribers to unwittingly provide hackers access to their devices by clicking on the fraudulent link.

In response to the breach, the targeted company implored its subscribers to ignore such emails. “Please disregard and delete this email. You have not been charged,” they stated in an announcement. Camilla Jansen, managing editor of Business News Australia, informed Motherboard via email, “We’re waiting to find out more.”

MailChimp, in the meantime, has issued a statement to Motherboard asserting, “Early this morning MailChimp’s normal compliance processes identified and disabled a small number of individual accounts sending fake invoices. We have investigated the situation and have found no evidence that MailChimp has been breached. The affected accounts have been disabled, and fraudulent activity has stopped.”

While MailChimp encourages users to [set up two-factor authentication](http://kb.mailchimp.com/accounts/management/best-practices-for-account-security), it’s critical for recipients to remain vigilant when clicking on emails. If you detect inconsistencies or changes in emails from a company you subscribe to, it would be wise to confirm the authenticity of the email prior to taking further action. Additionally, frequently updating passwords and avoiding duplicative passwords across multiple platforms can help guard against these malicious attacks. In fact, password reuse is suspected to be the root of this particular breach.

As always, exercise discretion when clicking on email links. By using a bit of extra care, you can do your part to keep your data safe and confound those pesky cyber miscreants.