Hacker News

A Sneaky Phish Just Grabbed My Mailchimp Mailing List

2025-03-258:0711770www.troyhunt.com

You know when you're really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That's me right now, and the penny has just dropped that a Mailchimp phish…

You know when you're really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That's me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing list for this blog. I'm deliberately keeping this post very succinct to ensure the message goes out to my impacted subscribers ASAP, then I'll update the post with more details. But as a quick summary, I woke up in London this morning to the following:

I went to the link which is on mailchimp-sso.com and entered my credentials which - crucially - did not auto-complete from 1Password. I then entered the OTP and the page hung. Moments later, the penny dropped, and I logged onto the official website, which Mailchimp confirmed via a notification email which showed my London IP address:

I immediately changed my password, but not before I got an alert about my mailing list being exported from an IP address in New York:

And, moments after that, the login alert from the same IP:

This was obviously highly automated and designed to immediately export the list before the victim could take preventative measures.

There are approximately 16k records in that export containing info Mailchimp automatically collects and they appear as follows:

[redacted]@gmail.com,Weekly,https://www.troyhunt.com/i-now-own-the-coinhive-domain-heres-how-im-fighting-cryptojacking-and-doing-good-things-with-content-security-policies/#subscribe,2,"2024-04-13 22:03:08",160.154.[redacted].[redacted],"2024-04-13 22:00:50",160.154.[redacted].[redacted],5.[redacted lat],'-4.[redacted long],0,0,Africa/Abidjan,CI,AB,"2024-04-13 22:03:08",130912487,3452386287,,

Every active subscriber on my list will shortly receive an email notification by virtue of this blog post going out. Unfortunately, the export also includes people who've unsubscribed (why does Mailchimp keep these?!) so I'll need to work out how to handle those ones separately. I've been in touch with Mailchimp but don't have a reply yet, I'll update this post with more info when I have it.

I'm enormously frustrated with myself for having fallen for this, and I apologise to anyone on that list. Obviously, watch out for spam or further phishes and check back here or via the social channels in the nav bar above for more. Ironically, I'm in London visiting government partners, and I spent a couple of hours with the National Cyber Security Centre yesterday talking about how we can better promote passkeys, in part due to their phishing-resistant nature. 🤦‍♂️

More soon, I've hit the publish button on this 34 mins after the time stamp in that first email above.

More Stuff From After Initial Publish

Every Monday morning when I'm at home, I head into a radio studio and do a segment on scams. It's consumer-facing so we're talking to the "normies" and whenever someone calls in and talks about being caught in the scam, the sentiment is the same: "I feel so stupid". That, friends, is me right now. Beyond acknowledging my own foolishness, let me proceed with some more thoughts:

Firstly, I've received a gazillion similar phishes before that I've identified early, so what was different about this one? Tiredness, was a major factor. I wasn't alert enough, and I didn't properly think through what I was doing. The attacker had no way of knowing that (I don't have any reason to suspect this was targeted specifically at me), but we all have moments of weakness and if the phish times just perfectly with that, well, here we are.

Secondly, reading it again now, that's a very well-crafted phish. It socially engineered me into believing I wouldn't be able to send out my newsletter so it triggered "fear", but it wasn't all bells and whistles about something terrible happening if I didn't take immediate action. It created just the right amount of urgency without being over the top.

Thirdly, the thing that should have saved my bacon was the credentials not auto-filling from 1Password, so why didn't I stop there? Because that's not unusual. There are so many services where you've registered on one domain (and that address is stored in 1Password), then you legitimately log on to a different domain. For example, here's my Qantas entry:

And the final thought for now is more a frustration that Mailchimp didn't automatically delete the data of people who unsubscribed. There are 7,535 email addresses on that list which is nearly half of all addresses in that export. I need to go through the account settings and see if this was simply a setting I hadn't toggled or something similar, but the inclusion of those addresses was obviously completely unnecessary. I also don't know why IP addresses were captured or how the lat and long is calculated but given I've never seen a prompt for access to the GPS, I imagine it's probably derived from the IP.

I'll park this here and do a deeper technical dive later today that addresses some of the issues I've raised above.

The Technical Bits

I'll keep writing this bit by bit, starting with the API key that was created:

This has now been deleted so along with rolling the password, there should no longer be any persistent access to the account.

Unfortunately, Mailchimp doesn't offer phishing-resistant 2FA:

By no means would I encourage people not to enable 2FA via OTP, but let this be a lesson as to how completely useless it is against an automated phishing attack that can simply relay the OTP as soon as it's entered. On that note, another ridiculous coincidence is that in the same minute that I fell for this attack, I'd taken a screen cap of the WhatsApp message below and shown Charlotte - "See, this reinforces what we were talking about at the NCSC yesterday about the importance of passkeys":


Read the original article

gpi

Karma: 787
...
 @Hacker__News
@hacker._news

Comments

  • By OtherShrezzing 2025-03-258:482 reply

    >There are so many services where you've registered on one domain (and that address is stored in 1Password), then you legitimately log on to a different domain.

    This is a huge issue at the moment. For some reason, tonnes of companies have decided it's OK to have you register online at www.corporate-domain.com, and then have the login service hosted at corporate-domain-account.onmicrosoft.com, with emails arriving from mailhost.corporate-domain-mail-services.com.

    • By cge 2025-03-2511:081 reply

      This is also a problem for organizations internally.

      I have a university email where IT tries to train people to recognize legitimate vs phishing emails by whether the login is on some onmicrosoft.com domain no one remembers. It then mangles all links in emails, so users without clients that demangle them can't actually see whether a link goes to that domain. And, of course, legitimate logins often involve redirects. With wide use of SSO, users can also expect login screens to appear while in a variety of vaguely related places, from journals, to news sites, to various subscription services. This is in the context of a login system that always requires otp, regardless of 'remember this device' settings, practically ends up needing at least one login per week for staff, and reportedly, can require students log in (with otp!) multiple times per day, so the login process is so frequent it is trivialized, and being careful with each login would take an enormous amount of time in total.

      To further confuse things, IT repeatedly sends out fake phishing emails with links to Microsoft-owned domains with valid Microsoft SSL certificates.

      I expect IT would respond that these arrangements satisfy all requirements they have, and that the solution is more user training and online webinars.

    • By fc417fc802 2025-03-259:072 reply

      I never understood this. Is there some reason not to use subdomains?

  • By stavros 2025-03-258:274 reply

    Yep, this has happened to me as well. Ever since that incident, I've treated "password manager isn't filling in my credentials" as a MAJOR red flag, rather than as "ugh, technology is being flaky again".

    Unfortunately, phishing can happen to anyone.

    • By sebazzz 2025-03-2517:211 reply

      Actually, knowledge how bad large corporations can work can work against you. I got myself Easyjet scammed after a delayed flight, after being tired from being a day late and having walked long distances. Not noticing a tiny typo on the Twitter account, then be redirected to a fairly generic (no Easyjet logo) but legitimately looking Helpdesk account and I though “Oh yeah, this would totally happen in the large corp I worked where some half baked 3rd party product is used for a Whatsapp helpdesk” in combination with me being tired cost me a few hunderd euros.

    • By williamdclt 2025-03-259:412 reply

      Yeah, it’s rare that 1P fails to recognise the website, I always get suspicious. Most of the time when it fails it’s on random crappily made niche websites anyway, for which I wouldn’t care if my credentials were stolen!

    • By vintermann 2025-03-259:401 reply

      Security policy in my company disables saving of passwords and disallows password managers.

    • By pixxel 2025-03-2522:00

      [dead]

  • By dspillett 2025-03-259:042 reply

    This sort of thing is why every company and every mailing list has a different address for me. Once one is compromised, it goes direct to /dev/null.

    It is also why I'm paranoid about ad-tech stalking. Even if I trust the company originally collecting & collating my activities¹ the resulting data is one good phish or other hack away from being in the hands of someone who might make use of it to, for instance, attempt to spear-fish² me. If someone who literally "does security" for a living and is reputed to be good/knowledgeable on the area can get caught then so can someone working for a company that likely takes security less seriously or is simply less experienced in the area.

    ----

    [1] which, of course, I don't

    [2] or attempt to blackmail me, though that truly would only be an attempt, there is nothing I do online that would surprise/shock/endanger my friends/family/employer.

    • By Scoundreller 2025-03-2517:35

      > This sort of thing is why every company and every mailing list has a different address for me. Once one is compromised, it goes direct to /dev/null.

      It's not just a matter of dev nulling something compromised, but also to make it difficult to know where to send a phishing attack to.

      Troy did half of that. He used mailchimp@_______ for this, so it might have been guessed, or leaked elsewhere, and he won't be able to narrow down which.

      And if someone sees your facebook@______ leaked elsewhere, it's not a stretch to assume you use mailchimp@_____ or twitter@_____ or...

      Should use something totally random. Or maybe first 10 chars of hash(servicename + common salt) so you don't have to keep track of too much. Or something similar with encrypt the service name with your GPG key and take the first 10 ascii of the output.

    • By sleepydog 2025-03-2510:041 reply

      For the read-only, newsletter-type mailing lists, this makes sense and I do it too. But for mailing lists that are used more as a forum, I like posting with a recognizable, memorable email address. I've gotten some really sweet emails from people who read a post I made and reached out to me directly in the past. I wouldn't want to miss those, spam be damned.

HackerNews

About