MailChimp, the fast-growing Atlanta email marketing company, unwittingly played a part in an international cybercrime that recently led to federal indictments against three men.
The company was among several whose legitimate services, prosecutors say, were used to send spam to millions of email addresses, occassionally luring recipients into paying for bogus products such as fake security keys for software access to software suites (think: Adobe).
MailChimp helps customers reach large groups. The alleged schemers used addresses stolen from other such companies, along with sometimes bilked billing information, to set up customer accounts and transmit malicious email, said Valerie Warner Danin, MailChimp’s general counsel and privacy officer.
“To be clear, our system was not breached, no data loss occurred, and no servers or databases were compromised,” she said in a statement.
Warner Danin added that MailChimp, among other victim companies, helped the feds uncover the alleged scam after noticing supsicious activity. The scheme netted roughly $2 million dollars in ill-gotten gains, the U.S. Attorney’s Office in Atlanta said this month.
Two of the men indicted — one described as a hacker and the other a skilled spammer — are Vietnamese but operated at some point from the Netherlands, according to the indictments. One has pleaded guilty to conspiracy to commit computer fraud after being extradated to the United States. The other is a fugitive.
The third, a Canadian who helped on the financial end of the scheme, was recently arrested at Ft. Lauderdale International Airport. He was arraigned earlier this month.
At least one other email service provider in Georgia got caught up in the deception, the U.S. Attorney’s office said. The indictment did not name any of them.
Warner Danin told The Atlanta Journal-Constitution that MailChimp believes that between 2008 and March 2012 someone used its services to send spam to at least 2 million email addresses.
It worked something like this, according to both the indictment and Warner Danin:
First, tens of millions of email addresses were stolen from several companies — one of which was Texas email giant Epsilon, the blog KrebsOnSecurity recently reported — through phishing attacks against employees. They enabled one of the suspects to gain access to some of the companies' computer systems and email addresses.
The crooks then started to send out spam. In the process, they created legitimate MailChimp accounts using convincing customer credentials, enabling them to send emails via the service.
“When we detected the illegal activity we stopped sending the emails immediately,” Warner Danin said in the statement. “The accounts in our system that these messages were sent from were either fraudulently created or taken over through the end user.”
Email service provider customers, such as auto makers or retailers, upload lists of email addresses they collect. The providers then send marketing emails on the clients' behalf to tell customers about promotions or deals, and they are adept at making sure getting such messages past spam folders and into inboxes. The AJC uses MailChimp to distribute email newsletters on Georgia politics and Atlanta air travel to people who sign up for them.
Such a service can be valuable to retailers and consumers — but also enticing to spammers.
“When you think of an email service provider, people don’t automatically think that we have value. But the truth is: if you have a list of email addresses… then you have a market there,” Warner Danin told the AJC in an interview.
She cited the 2011 case in which Epsilon notified its customers — Kroger, Walgreens and Honda among them, according to KrebsOnSecurity — that hackers had stolen email lists.
About that time MailChimp tightened some of its security controls, providing its customers with text message and email security alerts, as well as multifactor authentication, among other such services, according to the cyber security blog NakedSecurity.
Warner Danin said spammers can easily fool consumers if they expect to get emails from a certain place they’ve shopped.
“If you hear (regularly) from a large company and you get an email from a large company, than maybe you aren’t checking the header, you aren’t checking the URL. If it’s close enough, you’ll click,” she said.
One reason MailChimp was able to help shut the scheme down, Warner Danin said, was its abuse prevention initiative, Omnivore. The system involves machine learning algorithms constantly churning through emails to gauge the likelihood that they are legitimate.
MailChimp also maintains an email genome project that evaluates new companies looking to send marketing emails as they sign up. Warner Danin said MailChimp has prevented hundreds of thousands of emails from being sent through both its computer tools and an internal review department that has final say on whether to block customers.
In 2013, after the indicted men’s alleged last attempt to use MailChimp, the company turned over its customer logs to law enforcement after they were subpoenaed, Warner Danin said.
“We’re obviously very glad that this investigation has brought some of these individuals to justice,” she said. “And, hopefully, it will indicate to people that these types of crimes have repercussions. That being said, sending spam is something that we’ll always have to deal with.”
