Compromised MailChimp Accounts Exploited in Malware Distribution Campaign

Several recent open-source reports indicate that a malicious email campaign attempting to deliver the Gootkit banking trojan to victims is originating from MailChimp, an email marketing platform. My Online Security suggests that MailChimp is an attractive distribution vector for these campaigns because emails originating from the platform pass authentication checks, and many mail providers whitelist MailChimp by default because it is commonly used by various organizations to send legitimate mass emails.

One victim reports that a malicious actor gained unauthorized access to his MailChimp account and imported a list of 250,000 subscribers, spamming them with malicious emails and subsequently deleting the evidence from the account’s “Sent” folder. He believes that, had he enabled two-factor authentication (2FA) on his MailChimp account, the compromise may have been prevented. It is not yet confirmed whether compromised account credentials or an unaddressed MailChimp vulnerability are to blame for the unauthorized account access.

The NJCCIC recommends that all MailChimp account users enable 2FA on their accounts as soon as possible and inspect their accounts for suspicious activity. If any accounts are suspected of sending malicious emails, report the issue to the MailChimp Abuse Desk immediately.
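The point about authentication checks is worth making concrete for anyone tuning a mail gateway: SPF, DKIM and DMARC only establish that an authorized platform sent the message, so when an account on that platform is hijacked, every message it sends still authenticates cleanly. The Python below is an added example, not code from the NJCCIC alert or from MailChimp. It compares a weak filter policy that waives content inspection for mail authenticating from an allowlisted bulk-mail platform against a hardened policy that always inspects content and treats authentication as reputation input only. The two messages, the `mail-platform.example` domain (a stand-in for any bulk-mail service such as MailChimp) and the list of risky attachment extensions are all constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample messages: hostnames, domains and header values are
# illustrative assumptions, not captured campaign data.
LEGIT_NEWSLETTER = b"""\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce.mail-platform.example; dkim=pass header.d=mail-platform.example; dmarc=pass header.from=shop.example
From: Example Shop <news@shop.example>
To: subscriber@example.net
Subject: Spring catalogue
Content-Type: text/plain

Our new catalogue is online: https://shop.example/catalogue
"""

# Same sender, same (valid) authentication results: a hijacked account
# inherits the platform's SPF/DKIM standing, so only the content differs.
HIJACKED_CAMPAIGN = b"""\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce.mail-platform.example; dkim=pass header.d=mail-platform.example; dmarc=pass header.from=shop.example
From: Example Shop <news@shop.example>
To: subscriber@example.net
Subject: Your invoice is attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached invoice.
--b1
Content-Type: application/zip; name="invoice_4421.zip"
Content-Disposition: attachment; filename="invoice_4421.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# Assumed allowlist of bulk-mail platforms a provider might trust by default.
TRUSTED_PLATFORMS = {"mail-platform.example"}

# Illustrative set of attachment/link extensions worth a closer look.
RISKY_EXTENSIONS = (".zip", ".js", ".jse", ".vbs", ".exe", ".scr", ".docm")


def parse_auth_results(msg: EmailMessage) -> dict:
    """Extract spf/dkim/dmarc verdicts and the DKIM signing domain."""
    hdr = str(msg.get("Authentication-Results", ""))
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr))
    m = re.search(r"header\.d=([\w.-]+)", hdr)
    results["dkim_domain"] = m.group(1) if m else ""
    return results


def authenticated_via_trusted_platform(auth: dict) -> bool:
    """True when SPF and DKIM pass and the DKIM domain is an allowlisted platform."""
    return (auth.get("spf") == "pass" and auth.get("dkim") == "pass"
            and auth.get("dkim_domain") in TRUSTED_PLATFORMS)


def risky_content(msg: EmailMessage) -> list:
    """Content indicators that valid SPF/DKIM cannot vouch for."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment:{name}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in re.findall(r"https?://\S+", text):
        if url.lower().rstrip(".,)").endswith(RISKY_EXTENSIONS):
            findings.append(f"link:{url}")
    return findings


def auth_summary(raw: bytes) -> dict:
    return parse_auth_results(message_from_bytes(raw, policy=policy.default))


def naive_verdict(raw: bytes) -> str:
    """Weak policy: mail from an allowlisted, authenticating platform skips content checks."""
    msg = message_from_bytes(raw, policy=policy.default)
    if authenticated_via_trusted_platform(parse_auth_results(msg)):
        return "deliver"  # content never inspected: the gap a hijacked account exploits
    return "quarantine" if risky_content(msg) else "deliver"


def hardened_verdict(raw: bytes) -> str:
    """Hardened policy: authentication is reputation input only; content is always inspected."""
    msg = message_from_bytes(raw, policy=policy.default)
    return "quarantine" if risky_content(msg) else "deliver"


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_NEWSLETTER), ("hijacked", HIJACKED_CAMPAIGN)):
        print(label, auth_summary(raw), "naive:", naive_verdict(raw),
              "hardened:", hardened_verdict(raw))
```

Both messages carry identical, passing authentication results; only the hardened policy quarantines the second one, because it never lets a platform allowlist substitute for looking at what the message actually carries.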