MailChimp’s Freddie the chimpanzee might be infected with malware

The smiling face of the Freddie the chimpanzee dropping in newsletters in your mailbox got bigger when it rose to popularity. But hackers have sneaked in Freddie’s mailbag and have made their way into the customers’ inbox as malicious emails.

MailChimp is an email marketing solution that helps businesses grow by helping them manage their newsletters and subscribers. Businesses outsource their marketing execution to get an amplified reach to customers through MailChimp features that allow them to send automated messages to target-specific customers.

However, MailChimp’s newsletters do not come for free. Subscribers of MailChimp’s emails obviously have to pay a certain amount of fees. This is the exact spot that hackers nailed at – disguising as Freddie and making profit! Malicious mails are being sent on behalf of MailChimp through whatever distribution pipes they can get hold on, facilitating malware flow like fluid.

Hackers are banking on this premium-based service to make quick profit by sending fake emails with fake invoice: Here’s your invoice! We appreciate your prompt payment. This email claimed to be affiliated with the accounting software Quickbooks. The email apparently is said to have been sent by an administrator at the news website Business News Australia. The malware is actually zipped up in a .zip file, according to Virus Total, a malware analysis website.

Make sure that the cursor of your computer does not go anywhere near the “View Invoice” button, let alone clicking on it!

Graham Cluley’s guess does not point to a crack in the MailChimp’s trunk that stores all the data, rather to data breach of the huge reservoir of mailing lists. His hunch is on the probability of stolen passwords. He gathered from his email conversation with a security researcher that a certain number of MailChimp usernames and passwords have been hijacked by a password-stealing trojan called Vawtrak.

Vawtrak is a notorious piece of malware – often spread via malicious Word documents – which can spy on its victims by logging keystrokes, taking screenshots and hijacking webcams. For those not familiar with Vawtrak, the danger does not end here. It clearly has multipurpose octopus tentacles – it opens a remote access backdoor for hackers to steal victim’s files, grabs passwords, digital certificate, browser histories, and uses code injection to grab online banking credentials.

However, the MailChimp breach incident clearly revealed that breach-savvy Vawtrak can also seep through social networking accounts and send newsletters on your businesses’ behalf.

The warning alarm was sounded when the hackers came in dressed as Freddie, which has now been detected and subscribers are being prompted through tweets:

This morning our MailChimp subscriber database was hacked and a fake invoice (Invoice 00317) was sent to our list.

IF YOU RECEIVE AN EMAIL WITH THE TITLE -Invoice 00317 from Sit Down Comedy Club Pty Ltd – PLEASE DELETE the email you received, we do not use Quickbook. It is SPAM and do not open it.

If you have received an ‘invoice’ [Invoice 00317] from us in the last hour or so please do not open the email or click any links. Disregard and delete.

“Invoice 00317” – the spurious fabricated invoice on the prowl!

MailChimp takes up the huge responsibility of newsletter distribution for companies and businesses that wish to avoid the hassles of sending hundreds and thousands of emails to subscribers. Now that the malware has been detected, MailChimp has intervened to ensure a secure circulation. MailChimp has now enabled a two-factor authentication and has encouraged companies using MailChimp services to reset their passwords.

MailChimp’s own Knowledge Base page of their website spells out six easy steps to follow in case of any compromise of its client’s account:

• To inform MailChimp so that they can turn off login
• Reset password
• Reset security questions and answers
• Reset username
• Reset contact information
• Change any active API keys by deleting the active ones and resetting new API keys

The page also reassures clients that any theft or any compromised accounts will not be charged. Though a little outdated page considering the closeness of the hacking incident, the page does provide two hypothetical scenarios for a compromise – a disgruntled employee or an infection with malware.

Another possible sensitive point to be corrected might be the need for MailChimp customers to ensure that MailChimp has taken a standard Software Development Life Cycle security assessment, a grey box and a black box assessment. This assessment can point out the vulnerable points giving easy access to directory that otherwise can be compromised using tools revealing all the stored usernames and passwords of customers and craft them.

Cluley also warns against the effectiveness of just a two-factor authentication, as malwares like Vawtrak has the potential to pilfer other online passwords as well. He cautions against theft of other credentials that can be subjected to misuse by the trojan. This likelihood of hijack can be avoided by changing passwords of other online services that are being used.

Freddie’s job just got multifaceted, not just a mailman, but also a policeman, a superhero, a protector!