Email marketing provider Mailchimp confirmed yesterday that employees had fallen victim to a social engineering attack which allowed hackers to send phishing emails purporting to be from Bitcoin wallet company Trezor to its customers. The sophisticated attack reveals the combination of social engineering and supply chain attacks that hacking groups are using in their campaigns, experts told Tech Monitor.
Confirming the breach overnight, Mailchimp said some of its staff had fallen victim to a social engineering attack that led to employee credentials being stolen. These were used to gain access to around 100 Mailchimp mailing lists. The company’s CISO Siobhan Smith said Mailchimp’s security team had been aware of the breach for two weeks. As yet no hacking group has publicly claimed responsibility for the attack.
“On March 26, our Security team became aware of a malicious actor accessing one of our internal tools used by customer-facing teams for customer support and account administration,” Mailchimp said. “The incident was propagated by an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised.”
The hackers also gained access to an undisclosed number of application programming interface (API) keys, which allow Mailchimp customers to manage their accounts and perform marketing campaigns from their own websites. From here they were able to launch supply chain attacks.
Mailchimp breach leads to Trezor supply chain attack
One confirmed victim is Trezor, which makes Bitcoin wallets. A phishing email sent out to the victims claimed the crypto storage company had experienced a “security incident involving data belonging to 106,856 of [its] customers,” and that the security of their wallets had been compromised. Those who followed the prompts downloaded what they were told was the “latest version of the Trezor Suite” to set up a new PIN.
The app the victims were directed to is a clone of the real Trezor application. It prompts customers to connect their wallet and enter their recovery seed, the series of words generated by the wallet that gives emergency access to its contents, and the seed entered into the cloned app is then passed to the threat actors.
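The lure above works because the message looks like it comes from Trezor while the download link points somewhere else. A simple triage check a mail-security team can run over a reported message is to parse it, pull every link out of the body, and flag any link whose host is not in the domains the claimed sender actually uses. The script below is an added example, not code from Tech Monitor, Mailchimp or Trezor; the sample message, the sender address and the lure domain `trezor-suite-update.example.net` are constructed for illustration and are not the real phishing infrastructure, and the allowlist `TRUSTED_DOMAINS` is an assumption for the example.

```python
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: claims to be from Trezor, links to a lure host.
# Sender, recipient and the lure domain are hypothetical, not from the real campaign.
SAMPLE_EMAIL = b"""From: Trezor Support <noreply@trezor.io>
To: customer@example.com
Subject: Security incident: action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Download the <a href="https://trezor-suite-update.example.net/suite.exe">latest
version of Trezor Suite</a> and set up a new PIN.</p>
<p>Questions? See <a href="https://trezor.io/support">our support page</a>.</p>
</body></html>
"""

# Domains the claimed sender legitimately uses (assumed allowlist for this example).
TRUSTED_DOMAINS = {"trezor.io"}


class _LinkExtractor(HTMLParser):
    """Collects href values from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(raw_message: bytes):
    """Return the unique URLs found in the HTML (or plain) body, in order."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    parser = _LinkExtractor()
    parser.feed(text)
    # Also catch bare URLs that are not wrapped in an anchor tag.
    parser.links.extend(re.findall(r"https?://[^\s<>\"']+", text))
    return list(dict.fromkeys(parser.links))


def host_is_trusted(url: str, trusted) -> bool:
    """True if the URL's host is a trusted domain or a subdomain of one.

    Matching on the registrable domain, not a substring, is what stops
    look-alikes such as trezor.io.evil.example from passing."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def triage(raw_message: bytes, trusted=TRUSTED_DOMAINS):
    """Flag links whose host does not belong to the claimed sender's domains.

    Note: the From header is trivially spoofable; whether the sender is genuine
    is a question for SPF/DKIM/DMARC results. This check only catches the
    sender/link mismatch that the lure described in the article relied on."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    sender_domain = msg["From"].addresses[0].domain.lower()
    links = extract_links(raw_message)
    suspicious = [u for u in links if not host_is_trusted(u, trusted)]
    return {
        "sender_domain": sender_domain,
        "links": links,
        "suspicious_links": suspicious,
        "verdict": "suspicious" if suspicious else "no link mismatch",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

On the constructed message this reports `trezor.io` as the claimed sender and flags the download link as the one host that does not belong to it. In practice the allowlist would come from a per-brand lookup and the verdict would be combined with the authentication results in the `Authentication-Results` header rather than used alone.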
This was probably the focal point of the attack, explains Hugh Raynor, senior cybersecurity consultant at SureCloud. “If your hardware wallet breaks or you lose it you’ve got this recovery seed, which will give you complete access to the account, the wallet, the passwords, all that data.”
Trezor said the attack was “exceptional in its sophistication and was clearly planned to a high level of detail.” In a blog post it said, “the phishing application is a cloned version of Trezor Suite with very realistic functionality, and also included a web version of the app.” Trezor has since had the phishing domains taken offline and disabled the affected API keys, but it is likely many customers have had personal information stolen by the hackers.
Launching a supply chain attack like this was probably the goal for the threat actors behind the attack, says Raynor. “Obviously, this is highly targeted,” he says. “They’ve planned from the start exactly what all the phases are going to be. They know they need to socially engineer Mailchimp employees and customer services, and from there, they could look for the API keys for crypto companies.”
The growing trend of social engineering attacks
The Mailchimp attack, and subsequent supply chain breach, is indicative of a current trend towards social engineering, explains David Mahdi, chief strategy officer and CISO advisor at cybersecurity company Sectigo. “Social engineering is incredibly important to many current hacking campaigns, due to the fact that in reality, they all come down to one thing – data access and identity security,” he says.
Attackers “are now deploying a growing variety of tactics, such as supply chain attacks and social engineering, to target organisational issues inherent with hybrid work, human error, and shadow IT,” Mahdi says.
The improved security deployed by many businesses means social engineering attacks are more appealing to criminal gangs, argues Raynor. “Attackers are moving into a reliance on people because in recent years technology, security detection and monitoring controls have all gotten really good,” he says. “But people are still the same as we were 2000 years ago. Attackers have had to transition to exploiting the person.”