Spammers are finding it more lucrative to compromise email marketing firms and exploit their resources to send out malicious messages.
Attackers are increasingly targeting email marketing firms and corporate email accounts to power their spam campaigns, Websense Security researchers reported.
Websense Security Labs has observed a rise in spam being sent from corporate webmail accounts, wrote David Saunders, email threat research team manager at Websense Security. More and more webmail accounts belonging to email marketing organizations are being compromised to send spam with malicious links, Saunders said.
Many email marketing firms have an external-facing Web portal that allows customers to log in and manage their campaigns. These Web accounts generally require nothing more than a username and password. Once an account is compromised, spammers gain access to the firm's sending infrastructure as well as the customer's mailing list of potential victims. The management portal is often integrated with CRM services, which exposes even more customer information to attackers.
"These marketing companies represent soft and potentially lucrative targets," Saunders wrote.
In most cases, employees are tricked into giving up account passwords through a phishing attack. Webmail accounts are also subjected to brute-force attacks to uncover accounts with weak passwords, according to Saunders. Marketing firms are especially attractive targets because the established sending reputation of their infrastructure makes it more likely that emails sent through these organizations will bypass spam filters.
The compromised companies that Websense analyzed in one spam campaign also embedded the customer's account name in the email address, so an attacker could read the login name straight off a legitimate message and only had to obtain the password.
"A simple password may be all that is stopping your organization from sending your entire customer base a malicious email," Saunders wrote.
After email marketing firm Epsilon was compromised earlier this year, security experts predicted that thieves might use the stolen information to launch phishing and spam campaigns against the victims. The list of affected Epsilon customers included several financial organizations, major hotel chains and big retailers. Instead of blindly sending out emails purporting to be from JPMorgan Chase, one of the banks affected by the breach, scammers could target an exact list of that bank's customers, people who are unlikely to dismiss such messages out of hand.
Websense analyzed an email sent from a compromised account at an email marketing company in Argentina. The account belonged to an international clothing retailer. The Websense team was able to verify that the email came from the marketing company's servers by checking the Sender Policy Framework (SPF) records. SPF is an email authentication mechanism in which a domain publishes, in a DNS TXT record, the IP addresses authorized to send mail on its behalf; a receiving server compares the connecting IP address against that record to confirm the message was sent from an authorized machine. Note what an SPF pass means in this case: it confirms that the spam genuinely originated from the marketing company's own infrastructure, which is exactly why such messages pass reputation-based filtering rather than being flagged by it.
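To make the SPF check described above concrete, here is an added example, written for this article rather than taken from Websense, of a minimal SPF evaluator in Python. It replaces live DNS with a constructed lookup table so it runs offline; the domains, IP addresses and record contents are hypothetical assumptions, and it handles only the ip4, ip6, include and all mechanisms, not the a, mx, exists or redirect terms that require further DNS queries.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# Domains, addresses and record contents are hypothetical assumptions,
# not data from the article.
FAKE_DNS_TXT = {
    "mail-marketing.example":
        "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:ff::/48 include:_spf.relay.example -all",
    "_spf.relay.example": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's SPF record, or None if it publishes none."""
    txt = FAKE_DNS_TXT.get(domain.lower(), "")
    return txt if txt.startswith("v=spf1") else None


def check_spf(ip, domain, depth=0):
    """Evaluate the domain's SPF record against the connecting IP address.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Only ip4, ip6, include and all are handled; mechanisms that need
    extra DNS lookups (a, mx, exists, redirect=) are treated as no match.
    """
    if depth > 10:            # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"       # a term with no prefix means '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: matches only when the referenced record passes
            if check_spf(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"          # no term matched and no 'all' was present


def check_mail_from(ip, mail_from):
    """Apply SPF to an SMTP envelope sender (MAIL FROM) address."""
    _, _, domain = mail_from.rpartition("@")
    return check_spf(ip, domain) if domain else "none"


if __name__ == "__main__":
    # The marketing firm's own relay passes; a random host fails.
    print(check_mail_from("203.0.113.25", "bounce@mail-marketing.example"))
    print(check_mail_from("192.0.2.7", "bounce@mail-marketing.example"))
```

A message relayed from 203.0.113.25 passes for mail-marketing.example, as does one from the included relay at 198.51.100.10, while 192.0.2.7 hits the final -all and fails. The pass result is what let Websense attribute the spam to the marketing company's servers; it says nothing about whether the account that submitted the message was legitimately used.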
The message masqueraded as an order confirmation email, but all the links in it pointed to an Internet domain with a name similar to the company's real site, registered on the day the messages were sent. Recipients who clicked the links were taken to the malicious domain, which tried to download a Zip file containing a booby-trapped document onto the user's computer.
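As an added example, not the article's or Websense's code, the following Python script shows one detection heuristic for the tactic described above: parse a message, compare the registrable domain of every link against the sender's domain, and flag hosts that differ by only a character or two. The message, domains and URLs are constructed and hypothetical. Checking a flagged domain's registration date, the other signal in this case, needs a live WHOIS or RDAP query and is left out so the script runs offline.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample message with a hypothetical retailer and a lookalike
# domain (one 't' dropped); not the message Websense analyzed.
SAMPLE_EMAIL = """\
From: "Example Outfitters" <orders@example-outfitters.com>
To: customer@example.net
Subject: Your order confirmation #48213
Content-Type: text/html

<html><body>
<p>Thank you for your order.</p>
<p><a href="http://www.example-outfiters.com/order/48213/invoice.zip">View invoice</a></p>
<p><a href="https://www.example-outfitters.com/help">Help centre</a></p>
</body></html>
"""


def registrable_domain(host):
    """Naive registrable domain: the last two labels.

    Production code should consult the Public Suffix List so that
    hosts under co.uk and similar suffixes are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(msg):
    """Registrable domain of the From: header, or None if it has none."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return registrable_domain(m.group(1)) if m else None


def extract_link_hosts(html):
    """Hostnames of every href in the HTML body (double-quoted hrefs only)."""
    return [urlparse(u).hostname for u in re.findall(r'href="([^"]+)"', html)]


def suspicious_links(raw_message, max_distance=2):
    """Return (host, registrable_domain, distance) for links whose domain
    is not the sender's but is within max_distance edits of it."""
    msg = message_from_string(raw_message)
    sender = sender_domain(msg)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    findings = []
    for host in extract_link_hosts(body):
        if not host or sender is None:
            continue
        dom = registrable_domain(host)
        if dom == sender:
            continue                      # link to the sender's own site
        distance = levenshtein(dom, sender)
        if distance <= max_distance:      # close enough to be a lookalike
            findings.append((host, dom, distance))
    return findings


if __name__ == "__main__":
    for host, dom, distance in suspicious_links(SAMPLE_EMAIL):
        print(f"lookalike link: {host} ({dom}, {distance} edit(s) from sender)")
```

The help link to the retailer's real domain is ignored, while the invoice link is flagged because its domain is one edit away from the sender's. The heuristic is deliberately narrow: it will not catch the second campaign described below, where the links were legitimate and the redirect happened on the compromised site itself.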
Websense ran the file through the malware-scanning service VirusTotal and found that none of the major antivirus engines detected the fake invoice file as of Sept. 20, when the emails were first sent. Within 48 hours, however, 24 of 44 antivirus products were detecting it, according to VirusTotal.
A day after the first wave of spam messages went out, the attacker compromised another account at the marketing firm and registered a new domain spoofing that customer. The spammers then switched to a different marketing provider in Australia and compromised a travel company's account. They again registered a lookalike domain, but this time the links in the message pointed to the travel company's legitimate website, which the attackers had compromised to redirect visitors to the fake site.
"The additional step was probably taken to avoid basic outbound email filtering by the marketing company," Saunders wrote.