I’m hearing more rumors of ESPs seeing customer accounts being compromised, similar to what happened with The Children’s Place.
Experian CheetahMail identified an isolated incident in which someone used a valid client user ID and password to gain access to the client’s email account and transmit an unauthorized and unlawful email. To recipients, the email appeared as a solicitation from an unrelated sender (disguised as Adobe) and directed viewers to an illicit website requesting credit card information. The impact was limited to a single, targeted outbound email.
I have a few suggestions for companies to be able to identify these types of attacks before mail goes out.
1) Set up monitoring to look for large number of uploads in a particular account. Tens of millions of new addresses, even spread over multiple uploads, should raise red flags and trigger manual review of an account.
2) Scan outgoing messages for links mentioning or advertising Adobe (all the spams so far seem to be linking to adobe phish sites).
3) Monitor for unusual send activity. A customer that sends small amounts of mail regularly, but all of a sudden spikes to 10 or 100 times more mail may be compromised.
4) Monitor FBLs for spikes in activity.
5) Monitor bounces for spikes in activity.
Much of this monitoring should trivially slot into the monitoring that you’re already doing as an ESP. You may want to add alerts to go out to relevant people inside your company.