Hackers have reportedly taken control of an email marketing account used by the Chipotle food chain and are using the account to fool Internet users into sharing their personal information on credential-harvesting sites.
If you recently received an email from the account [mail.chipotle.com] that came with unbelievable discounts or other lures, there’s a big chance that you were targeted by malicious actors who recently hijacked the email account.
Hackers reportedly sent out about 120 emails in three days after hijacking the Chipotle marketing email account. While most of these emails contained links for malicious websites designed to mimic known brands and harvest credentials, some of them also contained malware attachments.
Email security firm Inky said that the campaign involving the hijacking of Chipotle’s Mailgun email account to target Internet users was conducted by Nobelium, a Russian government-backed hacker group that is known to be behind the exploitation of flaws in the SolarWinds IT monitoring platform.
“Between July 13 and July 16, 2021, INKY detected 121 phishing emails in a similar attack that originated from a compromised Mailgun email marketing account used by a large Food & Beverage Company.
“Of those 121 attacks, two were fake voicemail notifications with malware attachments (also known as vishing), 14 impersonated USAA Bank and had mail.company[.]com links that redirected to a malicious USAA Bank credential harvesting site, and the other 105 impersonated Microsoft and had mail.company[.]com links that redirected to a malicious Microsoft credential harvesting site,” the firm said.
The 105 phishing emails that impersonated Microsoft were drafted with the aim of harvesting Internet users’ Microsoft account credentials. The credential harvesting page displayed an exact replica of the Microsoft login page. Inky said this attack was highly effective as all phishing emails came from an authentic Mailgun IP address (188.8.131.52), passed email authentication (SPF and DKIM) for company[.]com, and used high reputation mail.company[.]com URLs as redirectors to malicious sites.
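The point Inky makes above is that SPF and DKIM passing for the sending domain says nothing about where a tracking link finally lands. The following is an added illustration of that check, written for this article and not code from Inky or the article; the sample message, the redirect table and the brand domain list are all constructed, and in practice the redirect expansion would be done in a URL sandbox rather than a dictionary.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the campaign above: SPF/DKIM pass for the
# ESP customer's domain, but the tracking link redirects to an off-brand host.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=company.com; dkim=pass header.d=company.com
From: "Microsoft Account Team" <noreply@mail.company.com>
Subject: Your Microsoft password expires today
Content-Type: text/plain

Sign in to keep your account: http://mail.company.com/c/eJwAbc123
"""
# Constructed redirect table standing in for a sandboxed URL-expansion step.
REDIRECT_MAP = {"http://mail.company.com/c/eJwAbc123": "http://login-microsoft-verify.example/auth"}
# Brands we watch for, with the domains that legitimately host their logins (constructed list).
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "live.com", "microsoftonline.com"}}

def auth_passed(msg):
    ar = msg.get("Authentication-Results", "")
    return "spf=pass" in ar and "dkim=pass" in ar

def final_destination(url, hops=5):
    # Follow the redirect chain; cap hops so a redirect loop cannot spin forever.
    for _ in range(hops):
        if url not in REDIRECT_MAP:
            break
        url = REDIRECT_MAP[url]
    return url

def brand_mismatch(msg, url):
    # Return the brand named in Subject/From when the link's final landing host
    # is not one of that brand's legitimate login domains; None otherwise.
    header_text = (msg.get("Subject", "") + " " + msg.get("From", "")).lower()
    host = urlparse(final_destination(url)).hostname or ""
    for brand, domains in BRAND_DOMAINS.items():
        if brand in header_text and not any(host == d or host.endswith("." + d) for d in domains):
            return brand
    return None

def analyze(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for url in re.findall(r"https?://[^\s<>\"]+", msg.get_body().get_content()):
        brand = brand_mismatch(msg, url)
        if brand:  # authenticated mail is still suspicious when brand and landing host disagree
            findings.append({"url": url, "brand": brand, "auth_pass": auth_passed(msg),
                             "lands_on": urlparse(final_destination(url)).hostname})
    return findings
```

Run against the sample, `analyze` reports one finding in which authentication passed yet a Microsoft-branded message lands on a non-Microsoft host, which is exactly the case a pass/fail authentication verdict alone would wave through.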
Commenting on hackers hijacking legitimate email accounts to trick Internet users into sharing their credentials, Steven Hope, CEO and co-founder of Authlogics, told Teiss that this is a case of two common attacks evolving into one. “In fact, it is surprising that it has taken so long to happen. The use of an account takeover due to poor credentials, combined with legitimate-looking phishing emails was just a question of time.
“Attacks are constantly getting more sophisticated and when they originate from an actual legitimate source it is impossible to rely on end user training to do the right thing. Phishing is here to stay simply because it works. To avoid becoming a victim you need to have real-time password security or utilise passwordless logon technology – both of which are readily available.
“It will get more interesting when hackers start getting into ISP DNS accounts and start changing things in there and, unfortunately, this is a question of when, not if,” he adds.