Root Cause Analysis — Data Theft, Mailchimp Malware—Fake Invoice Delivers Ursnif Gozi Banking Trojan


One of our clients reported that users registered on their website had been receiving spam mail containing fake invoices. Worse, the subject line contained the website's title, giving the impression that the mail was related to, or even sent on behalf of, the website.

Symptoms of Mailchimp Ursnif Gozi Banking Trojan

The rogue mail contained a link to download a zip file.

Here’s an example mail the client forwarded:


While spam in itself is neither unusual nor surprising, one of the users who had registered on the website reported that they had created a brand-new email address for that registration and had never used it anywhere else. That narrowed the source of the leak down to the website. A quick Google search led to a My Online Security article containing the details of the campaign.

Manual Inspections

Time to go digging.

The server and the hosted files were manually reviewed on a per-site, per-plugin, per-script basis for thoroughness. None of the files were found to be infected. A full security audit revealed several gaps, but none indicating an infection or a compromised website (check this article for key signs that your site is infected). After looking some more, however, it became apparent that the email addresses of registered users were publicly visible on the site's pages.

Evidently a web scraper had crawled the entire website, extracted the email addresses from the pages, and added them to a Mailchimp list. This is what can happen when website configuration and security are taken lightly.
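The quickest way to find out whether your own site leaks addresses the way this one did is to do what the scraper did: fetch the rendered pages and pull every email address out of them. The script below is an added example, not code from the original investigation or from Mailchimp; it runs offline over a constructed HTML snippet (the page content and addresses are made up for illustration) and reports where on the page each address was found. It goes a little beyond the plain case in the text by also catching addresses hidden in mailto: links, HTML comments, custom attributes, HTML entities such as `&#64;`, and the common "(at)"/"(dot)" obfuscation, all of which a determined scraper recovers just as easily.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Deliberately loose: we want to flag everything a scraper would harvest.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# "(at)" / "[at]" and "(dot)" / "[dot]" obfuscation, case-insensitive.
AT_RE = re.compile(r"\s*[\(\[]\s*at\s*[\)\]]\s*", re.I)
DOT_RE = re.compile(r"\s*[\(\[]\s*dot\s*[\)\]]\s*", re.I)


def _deobfuscate(text: str) -> str:
    """Turn 'user (at) host (dot) tld' into 'user@host.tld'."""
    return DOT_RE.sub(".", AT_RE.sub("@", text))


class _EmailCollector(HTMLParser):
    """Collect email addresses from text, attributes and comments.

    HTMLParser decodes character references (e.g. &#64; -> @) before
    handing us text, so entity-encoded addresses are caught automatically.
    """

    def __init__(self):
        super().__init__()
        self.found = {}  # address -> set of locations on the page

    def _add(self, email, where):
        self.found.setdefault(email.lower(), set()).add(where)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if tag == "a" and name == "href" and value.lower().startswith("mailto:"):
                # Strip "mailto:" and any "?subject=..." query part.
                target = unquote(value[len("mailto:"):]).split("?", 1)[0]
                for m in EMAIL_RE.findall(target):
                    self._add(m, "mailto-link")
            else:
                # data-*, title, alt and similar attributes leak too.
                for m in EMAIL_RE.findall(unquote(value)):
                    self._add(m, "attribute:%s@%s" % (tag, name))

    def handle_data(self, data):
        raw = set(EMAIL_RE.findall(data))
        for m in raw:
            self._add(m, "text")
        for m in EMAIL_RE.findall(_deobfuscate(data)):
            if m not in raw:
                self._add(m, "text-obfuscated")

    def handle_comment(self, data):
        for m in EMAIL_RE.findall(data):
            self._add(m, "html-comment")


def find_exposed_emails(html: str) -> dict:
    """Return {address: [locations]} for every address visible in the HTML."""
    parser = _EmailCollector()
    parser.feed(html)
    parser.close()
    return {email: sorted(places) for email, places in parser.found.items()}


# Constructed sample page (all addresses are fictitious) mimicking a
# members list that exposes registered users in several different ways.
SAMPLE_HTML = """
<html><body>
<h2>Members</h2>
<ul>
  <li>Alice - <a href="mailto:alice@example.org?subject=Hi">email me</a></li>
  <li>Bob - bob@example.org</li>
  <li>Carol - carol&#64;example.org</li>
  <li>Dave - dave (at) example (dot) org</li>
</ul>
<!-- TODO: remove admin contact eve@example.org before launch -->
<div data-contact="frank@example.org"></div>
</body></html>
"""


if __name__ == "__main__":
    # In real use, replace SAMPLE_HTML with the body of each page you fetch.
    for email, places in sorted(find_exposed_emails(SAMPLE_HTML).items()):
        print("%-22s exposed via %s" % (email, ", ".join(places)))
```

Point it at every page a crawler can reach (member lists, author archives, comment sections, contact pages) and treat every hit as an address that is already on somebody's spam list. Entity encoding and "(at)" tricks buy nothing, as the sample shows; the only reliable fix is to not render registered users' addresses on public pages at all.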

Mailchimp makes it easy to bulk upload email addresses to a mailing list: all you need is a list of addresses, and you can upload it and start sending without any confirmation from the recipients. A harvested list of registered users is therefore all an attacker needs to run a campaign like this one.

A well-maintained and well-configured site already covers much of what security hardening would otherwise add. Even so, any site that stores user information or sensitive, business-critical data must undergo explicit security hardening, and, as this case shows, that includes making sure registered users' email addresses are never rendered on public pages. If you feel your website is hacked, do not panic. Here's how to recover your hacked WordPress website.

Customer education is paramount to security awareness, yet it’s still considered an afterthought… unless disaster strikes. Are you protected?


This article is written by Evelyn Allison. Evelyn has over two decades of experience with the big-tech corporate giants. Starting in 2002 with consumer IT remote support, she transitioned into IT enterprise support and systems provisioning for Windows and Linux servers. Her prowess spans network security, security audits and scripting-based automation. Actively involved in web security since 2017, Evelyn has worked with various technologies to secure the web, leveraging tools like Nginx, ModSecurity and reverse proxies, developing web application firewalls, performing on-the-fly asset optimization using Google's PageSpeed Module and more. Her expertise is reflected in the top-tier plugins and comprehensive consulting services she offers in the domain of web security.