A Mailgun account used by Chipotle was compromised last month, resulting in 121 phishing emails, security firm Inky reports.
The incident was similar to an earlier one in which the Russian threat actor NOBELIUM attacked Constant Contact, Inky says.
Observed by Inky between July 13 and July 16, the campaign used Chipotle's compromised email marketing account to send messages that redirected recipients to malicious sites; those who clicked were exposed to credential harvesting and malware.
Two of the phishing emails were what Inky classes as vishing lures: fake voicemail notifications carrying malware attachments.
The impersonated brands were Microsoft (Office 365) and USAA. According to the report, 14 of the phishing emails impersonated USAA, a financial services company.
“The scam emails contained mail.company[.]com links that redirected to a malicious USAA Bank credential-harvesting site,” Inky states.
Inky said: “This attack was highly effective because all phishing emails came from an authentic Mailgun IP address (220.127.116.11), passed email authentication (SPF and DKIM) for company[.]com, and used high reputation mail.company[.]com URLs as redirectors to malicious sites.”
Analysis of the email headers revealed that “the messages originated from Mailgun servers (postgun.com and mailgun.net) and passed email authentication for company[.]com,” Inky adds.
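The detail that makes this campaign hard to filter is that SPF and DKIM genuinely passed: the mail really did come from the sender's ESP, and the links really did point at the sender's own tracking redirector. The following is an added Python example (not Inky's tooling or Mailgun's code) of the header-and-link triage an analyst would run on such a message. It parses Authentication-Results, pulls the body links, follows each redirect chain, and flags the case where a fully authenticated message redirects off the sender's domain. The message, the hostnames (`company.example` standing in for the defanged company[.]com, `creds.example` for the credential-harvesting site) and the redirect map are all constructed for this illustration; in a real run the resolver would follow HTTP 3xx hops from a sandbox.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (not from the Inky report): a voicemail-themed lure
# relayed through a legitimate ESP, so SPF/DKIM pass for the sender's domain and
# the body link goes to the sender's own tracking redirector.
SAMPLE_RAW = """\
Return-Path: <bounce+abc@mail.company.example>
Received: from mail.company.example (mail.company.example [192.0.2.10])
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=mail.company.example;
 dkim=pass header.d=company.example header.s=mg;
 dmarc=pass header.from=company.example
From: "Voicemail Service" <alerts@company.example>
To: victim@example.net
Subject: New voicemail (00:42)
Content-Type: text/html; charset=utf-8

<html><body><p>You have a new voicemail.</p>
<a href="https://mail.company.example/c/eJxkkM">Listen now</a>
</body></html>
"""

# Constructed redirect map standing in for HTTP 3xx hops observed in a sandbox:
# the high-reputation tracking link bounces to the credential-harvesting page.
REDIRECTS = {
    "https://mail.company.example/c/eJxkkM": "https://creds.example/usaa/login",
}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def resolve_constructed(url, max_hops=5):
    """Follow the constructed redirect map, bounded so a loop cannot hang us."""
    for _ in range(max_hops):
        if url not in REDIRECTS:
            break
        url = REDIRECTS[url]
    return url


def registered_domain(host):
    """Crude approximation (last two labels); real code should use the Public Suffix List."""
    return ".".join(host.lower().rsplit(".", 2)[-2:])


def parse_auth_results(msg):
    """Return e.g. {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'} from Authentication-Results."""
    header = str(msg.get("Authentication-Results", ""))
    return {m.group(1): m.group(2) for m in AUTH_RE.finditer(header)}


def body_links(msg):
    """Extract href targets from the HTML (or plain) body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return re.findall(r'href="([^"]+)"', text)


def triage(raw, resolve):
    """Authenticated mail whose links resolve off the sender's domain is escalated, not trusted."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    from_domain = msg["From"].addresses[0].domain if msg["From"] else ""
    findings = []
    for link in body_links(msg):
        final = resolve(link)
        final_host = urlparse(final).hostname or ""
        findings.append({
            "link_host": urlparse(link).hostname or "",
            "final_host": final_host,
            "offdomain": registered_domain(final_host) != registered_domain(from_domain),
        })
    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim"))
    # The SPF/DKIM pass is evidence the ESP sent it, not that the customer meant to.
    verdict = "escalate" if authenticated and any(f["offdomain"] for f in findings) else "no finding"
    return {"auth": auth, "from_domain": from_domain, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_RAW, resolve_constructed))
```

The point of the check is the order of evidence: a passing SPF/DKIM result tells you the ESP relayed the message on the customer's behalf, which is exactly what happens after an account takeover, so the link destination after redirects, not the authentication result, is what separates this mail from the customer's legitimate marketing.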
Mailgun provided this statement: "Mailgun security teams are aware of a phishing campaign targeted at Chipotle and USAA customers. While this is not the result of any platform-level vulnerabilities or data breach, we assist with and support the full investigation of this incident."
Mailgun continues that it "routinely assists customers in their incident investigations by providing logs and other forensic information to help determine the root cause of credential leaks. The Mailgun platform includes multi-factor authentication, session timeout preferences, role-based access control, and other security features to prevent unauthorized logins."