View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
April 5, 2022updated 26 Apr 2022 5:11pm

Mailchimp hacked to launch ‘exceptional’ supply chain attack

Sophisticated hack on Mailchimp and crypto wallet Trezor combined social engineering with a supply chain attack.

By Claudia Glover

Email marketing provider Mailchimp confirmed yesterday that employees had fallen victim to a social engineering attack which allowed hackers to send phishing emails purporting to be from Bitcoin wallet company Trezor to its customers. The sophisticated attack reveals the combination of social engineering and supply chain attacks that hacking groups are using in their campaigns, experts told Tech Monitor.

Mailchimp staff fell victim to a social engineering attack. (Photo by Tiffany Hagler-Geard/Bloomberg via Getty Images)

Confirming the breach overnight, Mailchimp said some of its staff had fallen victim to a social engineering attack, that led to employee credentials being stolen. These were used to gain access to 100 Mailchimp mailing lists. The company’s CISO Siobhan Smith said Mailchimp’s security team had been aware of the breach for two weeks. As yet no hacking group has publicly claimed responsibility for the attack.

“On March 26, our Security team became aware of a malicious actor accessing one of our internal tools used by customer-facing teams for customer support and account administration,” Mailchimp said. “The incident was propagated by an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised.”

The hackers also gained access to an undisclosed number of application programming interface (API) keys, which allow Mailchimp customers to manage their accounts and perform marketing campaigns from their own websites. From here they were able to launch supply chain attacks.

Mailchimp breach leads to Trezor supply chain attack

One confirmed victim is Trezor, which makes Bitcoin wallets. A phishing email sent out to the victims claimed the crypto storage company had experienced a “security incident involving data belonging to 106,856 of [its] customers,” and that the security of their wallets had been compromised. Those who followed the prompts downloaded what they were told was the “latest version of the Trezor Suite” to set up a new PIN.

The app the victims were directed to is a duplicate of the real Trezor application that prompts the customers to connect their wallet and enter their recovery seed, a series of words generated by the crypto wallet that gives emergency access to their digital contents, to the victim and then to the threat actors.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

This was probably the focal point of the attack, explains Hugh Raynor, senior cybersecurity consultant at SureCloud. “If your hardware wallet breaks or you lose it you’ve got this recovery seed, which will give you complete access to the account, the wallet, the passwords, all that data.”

Trezor said the attack was “exceptional in its sophistication and was clearly planned to a high level of detail.” In a blog post it said, “the phishing application is a cloned version of Trezor Suite with very realistic functionality, and also included a web version of the app.” Trezor has since had the phishing domains taken offline and disabled the affected API keys, but it is likely many customers have had personal information stolen by the hackers.

Launching a supply chain attack like this was probably the goal for the threat actors behind the attack, says Raynor. “Obviously, this is highly targeted,” he says. “They’ve planned from the start exactly what all the phases are going to be. They know they need to socially engineer Mailchimp employees and customer services, and from there, they could look for the API keys for crypto companies.”

The growing trend of social engineering attacks

The Mailchimp attack, and subsequent supply chain breach, is indicative of a current trend towards social engineering, explains David Mahdi, chief strategy officer and CISO advisor at cybersecurity company Sectigo. “Social engineering is incredibly important to many current hacking campaigns, due to the fact that in reality, they all come down to one thing – data access and identity security,” he says.

Attackers “are now deploying a growing variety of tactics, such as supply chain attacks and social engineering, to target organisational issues inherent with hybrid work, human error, and shadow IT,” Mahdi says.

The improved security deployed by many businesses means social engineering attacks are more appealing to criminal gangs, argues Raynor. “Attackers are moving into a reliance on people because in recent years technology, security detection and monitoring controls have all gotten really good,” he says. “But people are still the same as we were 2000 years ago. Attackers have had to transition to exploiting the person.”

Read more: Microsoft confirms Lapsus$ breach and reveals gang’s tactics

Topics in this article : ,
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.