• by Ray Schultz , Columnist, March 15, 2018

It was inevitable that an email service provider would be victimized by cyber criminals. And now it has happened: MailChimp is being used as the conduit for malware-infected spam, according to media reports 

They say that bad actors are accessing MailChimp’s network to send fake invoices and malware-infected messages. For example, Red Bull customer service tweets: “On Friday, March 9th, an unauthorized 3rd party accessed our email service account and an email was sent out.”

It adds: “The email posed as 'Apple' asking you to give them your Apple ID credentials. This was a phishing email intending to steal your information and was not authorized or sent with our knowledge.”

The Register writes that this spam went through Red Bull’s MailChimp account.

Email Insider could not independently confirm these reports, but MailChimp acknowledges the issue, saying: "We are taking it very seriously that our platform is being used in this way. While we can’t comment on specific security initiatives, we can tell you that a team is working full time to investigate and address the issue as quickly as possible."

MailChimp adds: "We are also working to educate impacted users around two-factor authentication and other account security measures. We expect to see an improvement soon."

Okay, what more can a company do? But this is one piece of publicity the email business doesn’t need. It’s especially dismaying because MailChimp is a trusted sender of email newsletters and many other types of communications.  

Indeed, recipients are more likely to follow links in the spam emails because they are coming via MailChimp -- so "they will ALWAYS pass all email authentication checks,” writes My Online Security Blog.

How is it happening? My Online Security Blog doesn’t know. “There are several theories ranging from a possible vulnerability in the Mailchimp Plugin or API used on websites that allows somebody to sign up for newsletters etc. from the site,” it writes. 

In January, we reported that MailChimp had plugged a hole that could have exposed the email addresses of newsletter subscribers. Recipients who visited a link from a MailChimp newsletter risked having their email address and reading habits broadcast to a site owner, according to blogger Terence Eden.

We assume MailChimp will correct the problem -- it has the capability. But this situation proves that email providers are a ripe target for malware senders and should double up on protection.