Chipotle’s email marketing platform used in phishing campaign

Contributed by Aaron Rose, Office of the CTO, Check Point Software

July 30 – Chipotle Mexican Grill, an American “fast casual” restaurant chain, has fallen victim to a cyber attack. According to the report, attackers compromised one of Chipotle’s email marketing accounts to access the service known as MailGun.

The attackers proceeded to launch their own marketing campaign of sorts. Between July 13 and July 16, the account was used to send phishing messages to users. Approximately 120 malicious emails were sent to Chipotle customers, with the majority directing users to credential harvesting sites.

The image to the right depicts an example of a credential harvesting site discovered by Check Point Research, which was used in a previous phishing campaign.

The phishing emails employed a variety of techniques. Some attempted to harvest the victim’s Microsoft credentials, others impersonated USAA Federal Savings Bank, and a small fraction were fake voicemail notifications with malware attachments.

In the case of fraudulent voicemail notifications, the attachments, posing as an unplayed audio message, would deliver malware to the recipient’s device once clicked. Researchers did not disclose the specific malware used, or its purpose, but one could reasonably assume the malware would either attempt to steal sensitive credentials or serve as a backdoor for future nefarious endeavors.

This attack is eerily similar to the NOBELIUM phishing attack earlier this year.  First exposed by Microsoft’s Threat Intelligence Center, the phishing attack leveraged the email marketing platform ConstantContact to target over 3,000 individuals across 150 organizations.  While this latest example of a phishing attack isn’t quite as complex as the NOBELIUM incident, both attacks leveraged popular email marketing platforms to send messages that appeared to be from legitimate organizations.

At this time, it’s unclear how the attackers gained access to the email marketing platform, but this author wouldn’t be surprised if a successful phishing attack against an unsuspecting employee led to the compromised MailGun credentials.

In the wake of 2020, the year of “work from anywhere,” many corporations are feeling the effects of employees working remotely, often using both corporate-owned and insecure personal devices to access SaaS services. It’s paramount that organizations incorporate anti-phishing technologies and identity protection into their security strategies.