Protecting the credentials of your Office 365, VPN and cloud storage services is imperative. But there is another cloud-based service, one many organisations subscribe to, that could easily be your next cyber-attack blind spot.
Like serving it on a plate to a hacker…
Your email marketing platform is a hacker’s delight. Think about that for a second. It has ready-made lists of recipients. It is already trusted by your customers. It is also trusted by their email gateway and endpoint security software: the platform’s sending servers are typically listed in your SPF record and sign with DKIM, so its mail passes the checks that would flag a spoofed message. And it’s one of those services which is often forgotten about by MSPs and IT admins, which means it’s probably not protected by two-factor authentication. What’s more, even using the most basic OSINT tools, a miscreant can quickly identify what email marketing software your organisation is using; the same DNS records that let the platform send as you announce which platform that is. Taking all these factors into consideration, your email marketing platform could be just like serving it on a plate to a hacker.
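To make the OSINT point concrete, here is an added example (not code from the original article or from any of the vendors it names) that walks a domain’s SPF record, follows every `include:` and `redirect=`, and names the third parties found there. The DNS data is a constructed in-memory dictionary for a hypothetical domain so it runs offline; the include-to-vendor mapping is illustrative and should be checked against each vendor’s current documentation. The defensive use is the mirror image of the attacker’s: every third party listed in your SPF record is authorised to send as you, so every one of them is an account that needs two-factor authentication.

```python
import re
from typing import Callable, Dict, Optional, Set

# Constructed DNS TXT data for a hypothetical domain (assumption, not a real
# zone). In a live audit you would replace FAKE_DNS_TXT.get with a TXT lookup.
FAKE_DNS_TXT: Dict[str, str] = {
    "example-corp.test": (
        "v=spf1 include:spf.protection.outlook.com "
        "include:servers.mcsv.net include:_spf.example-corp.test -all"
    ),
    "spf.protection.outlook.com": "v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 -all",
    "servers.mcsv.net": "v=spf1 ip4:205.201.128.0/20 ip4:198.2.128.0/18 ~all",
    "_spf.example-corp.test": (
        "v=spf1 include:_spf.createsend.com include:spf.unknown-vendor.test "
        "ip4:203.0.113.0/24 -all"
    ),
    "_spf.createsend.com": "v=spf1 ip4:203.0.113.128/26 -all",
    "spf.unknown-vendor.test": "v=spf1 ip4:198.51.100.0/24 -all",
}

# Illustrative mapping of well-known include domains to the service behind
# them. Verify against each vendor's own SPF guidance before relying on it.
KNOWN_SENDERS: Dict[str, str] = {
    "servers.mcsv.net": "Mailchimp",
    "_spf.createsend.com": "Campaign Monitor",
    "spf.protection.outlook.com": "Microsoft 365",
}

INCLUDE_RE = re.compile(r"^[+\-~?]?include:(\S+)$", re.IGNORECASE)
REDIRECT_RE = re.compile(r"^redirect=(\S+)$", re.IGNORECASE)
MAX_LOOKUPS = 10  # RFC 7208 s4.6.4 caps DNS-querying mechanisms at 10


def get_spf(domain: str, lookup: Callable[[str], Optional[str]]) -> Optional[str]:
    """Return the SPF record for domain, or None if there is no v=spf1 TXT."""
    txt = lookup(domain)
    if txt is not None and txt.lower().startswith("v=spf1"):
        return txt
    return None


def walk_spf(domain: str, lookup: Callable[[str], Optional[str]],
             seen: Optional[Set[str]] = None) -> Set[str]:
    """Recursively follow include: and redirect= terms; return every domain visited.

    The seen set doubles as a loop guard and a crude stand-in for the RFC lookup cap.
    """
    if seen is None:
        seen = set()
    if domain in seen or len(seen) > MAX_LOOKUPS:
        return seen
    seen.add(domain)
    record = get_spf(domain, lookup)
    if record is None:
        return seen
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        match = INCLUDE_RE.match(term) or REDIRECT_RE.match(term)
        if match:
            walk_spf(match.group(1).lower(), lookup, seen)
    return seen


def identify_senders(domain: str, lookup: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Map each third-party domain authorised to send as `domain` to a vendor name."""
    domain = domain.lower()
    third_parties: Dict[str, str] = {}
    for visited in sorted(walk_spf(domain, lookup)):
        if visited == domain or visited.endswith("." + domain):
            continue  # the organisation's own zone, not a third party
        third_parties[visited] = KNOWN_SENDERS.get(visited, "unrecognised third party")
    return third_parties


if __name__ == "__main__":
    for sender, vendor in identify_senders("example-corp.test", FAKE_DNS_TXT.get).items():
        print(f"{sender:32} {vendor}")
```

Run against the constructed zone, this reports Mailchimp, Campaign Monitor and Microsoft 365 as authorised senders, plus one include it cannot name; that unrecognised entry is exactly the kind of forgotten service the article is warning about, and is the first place to go looking for an account with no second factor.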
The case of USAID…
And this is exactly what happened to USAID, the US government’s foreign aid agency. The regal-sounding “Nobelium” group, the Russian state-backed actor tracked under that name by Microsoft, took over USAID’s Constant Contact email marketing account. They then used it to send out malware-laden emails to around 3,000 addresses belonging to more than 150 humanitarian and aid organisations. If the recipients opened the attachments or links in these emails, their systems and networks would then be compromised. The Nobelium group really don’t mess about. These were the same folks behind the SolarWinds supply-chain attack (disclosed December 2020), which used an equally oblique angle of attack: arrive through a trusted third party rather than head-on.
Your customers or other stakeholders probably won’t take it too kindly if they discover your email system was used to hack them...
You should not underestimate the damage that can be caused if hackers infiltrate your email marketing platform. Not only could your email marketing software be used to send out bogus invoices, but, as in the USAID attack, it could be used to propagate data-stealing malware under your name. Your customers or other stakeholders probably won’t take it too kindly if they discover your email system was used to hack them.
Preventing this sort of attack from happening in the first place…
Thankfully most email marketing software providers such as Mailchimp, Campaign Monitor, Zoho Campaigns and HubSpot now offer two-factor authentication. This means that even if a hacker does steal your password, they will still need another “factor” of authentication, such as an SMS verification code, to access your account. Where the platform supports it, prefer an authenticator app or a hardware security key over SMS, and make the second factor mandatory for every user on the account, not just the admin, because the marketing team’s shared login is the one most likely to be left unprotected. But probably one of the most potent preventative measures against this type of attack is cyber security awareness training. This conditions your staff to think like hackers and be aware of cyber and information security risks from all sources, not just email. Don’t let your email marketing platform become your next cyber blind spot.