Cryptocurrency hardware wallet owners are being targeted by a phishing scam spread via Mailchimp email distribution services.
Trezor, the manufacturer of crypto wallets, announced on social media that its customers are being sent fake data breach notifications via its newsletters powered by Mailchimp.
The company claimed that an “insider” is to blame for the phishing attacks, which Trezor says are also targeting other cryptocurrency firms.
“MailChimp have confirmed that their service has been compromised by an insider targeting crypto companies,” the tweet reads.
“We have managed to take the phishing domain offline. We are trying to determine how many email addresses have been affected.”
Suspicious finds
Mailchimp confirmed to The Daily Swig that the incident was discovered on March 26 by its security team, who became aware of a malicious actor accessing internal tools used for customer support and account administration
The company said that the phishing attacks were “propagated” by an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised.
Siobhan Smyth, Mailchimp’s CISO, said: “We acted swiftly to address the situation by terminating access for the compromised employee accounts and took steps to prevent additional employees from being affected.
“We also conducted a robust investigation and engaged outside forensic counsel to understand what happened and the impact.
“Based on our investigation, we found that 319 Mailchimp accounts were viewed and audience data was exported from 102 of those accounts.
“Our findings show that this was a targeted incident focused on users in industries related to cryptocurrency and finance, all of whom have been notified.”
Further risks
Smyth said that the investigation also found that some accounts’ API keys posed a potential vulnerability. Out of an abundance of caution, the API keys were disabled, said Smyth, and protections were implemented.
“As a result of the security incident, we’ve received reports of the malicious actor using the information they obtained from user accounts to send phishing campaigns to their contacts.
“When we become aware of any unauthorized account access, we notify the account owner and immediately take steps to suspend any further access.
“We also recommend two-factor authentication and other account security measures for our users as added measures to keep accounts and passwords secure.”
Smyth added: “We sincerely apologize to our users for this incident and realize that it brings inconvenience and raises questions for our users and their customers. We take pride in our security culture, infrastructure, and the trust our customers place in us to safeguard their data.
“We’re confident in the security measures and robust processes we have in place to protect our users’ data and prevent future incidents.”
Trezor said that it will not be communicating by newsletter until the situation is resolved, advising users not to open any emails appearing to come from Trezor until further notice.
“Please ensure you are using anonymous email addresses for bitcoin-related activity,” the company added.