ESP being phished is a Black Friday cataclysm

There is currently a phishing attack against a major ESP. The mail came through what I presume was a compromised account hosted at one of the providers. It’s just as possible this was a domain set up for the sole purpose of phishing, though.


The underlying attack is pretty good. They took the ESP compliance notification email and changed a couple of the links to point to their phishing page (which is down now). I’m pretty sure a message “your account has been limited due to poor reputation” caused a whole lot of folks to freak out and click the links.

If it were me coordinating the attack, I’d be quietly logging into the compromised accounts over the next 10 days and creating new API keys. I’d set up my spam cannons to use those API keys and then wait for Black Friday. A single button and I can send out … millions and millions of authenticated emails through hundreds of accounts with solid reputations.

Steve and I were talking about this last night and were discussing tracking logins, 2FA and other ways the ESP could mitigate the problem and protect their users. It wasn’t until I woke up this morning that I remembered that the ESP has a full API. Yeah, that makes it even harder. Sure, the spammers need to log in and create new API keys. But individual logins that simply create API keys are harder to detect than a login that doesn’t do anything but create a key.

This is not something the ESP can easily mitigate in 10 days. They would need to already have infrastructure in place to track creation of API keys and confirm those keys are being used by the legitimate customer. I know this ESP and I am hopeful that their security folks have thought about this attack vector.

If you are a Sendgrid customer, it may be worthwhile to revisit your infrastructure today. Identify what needs API keys and regenerate them. Then, nuke all the keys in your account. Change all your passwords. Lock down your account.
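The two checks described above (flagging logins that do nothing but mint an API key, and confirming that newly created keys are actually being used by the customer) can be run over an account's audit trail. The following is an added illustration, not code from this post or from any ESP; the log format, field names, IP addresses and key identifiers are constructed for the example, and "trusted" IPs are derived from earlier MFA-backed logins purely for demonstration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (assumed format, not any ESP's real one).
# One JSON object per line; "session" is null for API-driven activity.
AUDIT_LOG = """\
{"ts": "2017-11-14T08:02:11Z", "session": "s1", "user": "alice", "ip": "203.0.113.10", "action": "login", "mfa": true}
{"ts": "2017-11-14T08:05:40Z", "session": "s1", "user": "alice", "ip": "203.0.113.10", "action": "campaign.send"}
{"ts": "2017-11-14T23:41:02Z", "session": "s2", "user": "alice", "ip": "198.51.100.77", "action": "login", "mfa": false}
{"ts": "2017-11-14T23:41:30Z", "session": "s2", "user": "alice", "ip": "198.51.100.77", "action": "api_key.create", "key": "k-9f1"}
{"ts": "2017-11-14T23:41:35Z", "session": "s2", "user": "alice", "ip": "198.51.100.77", "action": "logout"}
{"ts": "2017-11-15T09:10:00Z", "session": "s3", "user": "bob", "ip": "203.0.113.22", "action": "login", "mfa": true}
{"ts": "2017-11-15T09:12:00Z", "session": "s3", "user": "bob", "ip": "203.0.113.22", "action": "api_key.create", "key": "k-2aa"}
{"ts": "2017-11-15T09:20:00Z", "session": "s3", "user": "bob", "ip": "203.0.113.22", "action": "template.edit"}
{"ts": "2017-11-16T10:00:00Z", "session": null, "user": "bob", "ip": "203.0.113.22", "action": "api.send", "key": "k-2aa"}
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(text):
    """Parse the UTC timestamp used in the constructed log."""
    return datetime.strptime(text, TS_FORMAT)


def parse_events(text):
    """Turn the JSON-lines log into a time-ordered list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = parse_ts(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def sessions_that_only_create_keys(events):
    """Flag interactive sessions whose only real action is API key creation.

    A legitimate user who mints a key usually does something else in the same
    session (edits a template, sends a campaign). A session that logs in,
    creates a key and leaves is the pattern the post worries about.
    """
    by_session = defaultdict(list)
    for event in events:
        if event.get("session"):
            by_session[event["session"]].append(event)

    flagged = []
    for session_id, session_events in by_session.items():
        actions = {e["action"] for e in session_events} - {"login", "logout"}
        if actions != {"api_key.create"}:
            continue
        login = next((e for e in session_events if e["action"] == "login"), None)
        flagged.append({
            "session": session_id,
            "user": session_events[0]["user"],
            "ip": session_events[0]["ip"],
            "mfa": bool(login and login.get("mfa")),
            "keys": [e["key"] for e in session_events if e["action"] == "api_key.create"],
        })
    return flagged


def trusted_ips_from_log(events):
    """Assumption for the example: IPs seen on MFA-backed logins are trusted."""
    trusted = defaultdict(set)
    for event in events:
        if event["action"] == "login" and event.get("mfa"):
            trusted[event["user"]].add(event["ip"])
    return trusted


def unconfirmed_keys(events, now_iso, window_days=10):
    """Keys created within the window that have never sent from a trusted IP.

    This is the "confirm the key is being used by the customer" check: a key
    created from an unknown address and not yet used by the customer's own
    infrastructure deserves a look (or revocation) before the holiday send.
    """
    cutoff = parse_ts(now_iso) - timedelta(days=window_days)
    trusted = trusted_ips_from_log(events)
    created = {e["key"] for e in events
               if e["action"] == "api_key.create" and e["ts"] >= cutoff}
    confirmed = {e["key"] for e in events
                 if e["action"] == "api.send"
                 and e["ip"] in trusted.get(e["user"], set())}
    return sorted(created - confirmed)


if __name__ == "__main__":
    evts = parse_events(AUDIT_LOG)
    for hit in sessions_that_only_create_keys(evts):
        print("key-only session:", hit)
    print("keys not yet confirmed by customer use:",
          unconfirmed_keys(evts, "2017-11-17T00:00:00Z"))
```

On the constructed log, session `s2` (a non-MFA login from an unfamiliar address that does nothing but create `k-9f1`) is flagged, and `k-9f1` is also reported as unconfirmed, while `k-2aa` is cleared because it was later used to send from an address the customer had logged in from with MFA. A customer doing the clean-up the post recommends can use the same reconciliation against their own key inventory before regenerating everything.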

I feel for both the ESP and their customers. This was a carefully planned attack. I have zero doubt this is in preparation for sending out a massive spam campaign from the ESP at the height of the holiday email season. Don’t assume your account is safe. Make sure it is.

Otherwise, you may find more than the normal level of delivery problems for your holiday mail.

Related Posts

Send Actual SMTP

It’s rare I find mail that violates the SMTP spec (rfc5321 and rfc5322). I’ve even considered removing “send mail from a correctly configured mail server” from my standard Best Practices litany.


What’s a suspicious domain?

The question came up on slack and I started bullet pointing what would make a domain suspicious. Seemed like a reasonable blog post. In no particular order, some features that make a domain suspicious to spam filters.


Happy New Year!

Well, we mostly survived 2016. A year ago I was making predictions about how 2016 would be the year of email security. I was thinking of things like TLS and authentication and access to the inbox. It wasn’t out of the question, Gmail said they’d be turning on p=reject sometime mid-year. They also were suggesting that they would be putting more value on messages that aligned, even in the absence of a DMARC signature. The first still hasn’t happened, and the second doesn’t appear to be in place, either.
That doesn’t mean email security wasn’t a hot topic in 2016. In fact, the use of a private email server was a major topic during the US elections. We also had spear-phishing play a major role in the compromise of campaign systems. I didn’t talk much about that here when it happened, but news reports make it clear that Chairman Podesta and others were targeted for compromise. The NY Times has a more in depth article with broader context around the attacks and how emails were used to infiltrate a major political party.
The irony is with all the time spent talking about how insecure the private server was, that server wasn’t compromised. Instead, the compromise was at Gmail.
We all need to pay attention to our email and how we use it. It also means when we’re sending bulk and marketing email we need to consider the private and personal information we’re putting in messages. Do you send PII? Is there a way you don’t have to? What can we do to protect our brand and our users?
It’s not just bulk email we need to think about, either. Personal email can contain PII, or personal information. A common saying among some of my security friends is “never put in email anything you wouldn’t want to see on the front page of the Washington Post or NY Times.” That’s an easy thing to say, but the convenience of email makes it easy to share information that we may not want on the front page of either paper. Many of us aren’t actually targets of malicious activity so we don’t have to worry about being targeted the way elected and other officials are. But that doesn’t mean we are not at risk. It just means we’re at less risk than others.
Email is a frequent vector for malicious actors to access computers. Most, if not all, of the major breaches in the last few years have started with a phishing attack of some sort. The attacks are planned out and sophisticated. This is not going to get better. The phishers are smart and plan the attacks. We also need to be more personally aware of security given the current political climate. We need to take steps to protect ourselves more than we have in the past.
Security is more important than ever and we all need to protect ourselves.
