Chipotle email marketing hacked to send phishing emails

Hook on Keyboard
(Image credit: wk1003mike / Shutterstock)

Cybercriminals have begun sending out phishing emails after they were able to gain access to one of the email marketing accounts used by the US-based Mexican food chain Chipotle.

According to a new blog post from the email security company Inky, those behind the campaign sent out at least 120 malicious emails in just three days from a hacked Mailgun account that the food chain uses for email marketing.

Cybercriminals often try to obtain legitimate email addresses from businesses as they increase the chances of their phishing emails being delivered since they'll be able to bypass authentication methods including DomainKeys Identified Mail (DKIM) and Sender Policy Framework.

While the majority of the phishing emails sent from Chipotle's hacked Mailgun account led users to credential-harvesting sites, a small number also had attachments which contained malware.

Compromised Mailgun account

Many of the emails sent out from the hacked Mailgun account led users to a fake Microsoft login page with the aim of harvesting their credentials. According to Inky, 105 of the 120 malicious emails it detected tired to harvest users Microsoft account credentials.

The emails themselves appeared as if they came from the “Microsoft 365 Message center” and the body of these emails informed recipients that their messages could not be delivered as a result of low email storage in the cloud. When a user then clicked on a button labeled “release messages to inbox”, they would be redirected to a fake login page used to collect their credentials.

In addition to Chipotle, the cybercriminals behind this recent campaign also impersonated the United Services Automobile Association (USAA) and tricked users to visiting a phishing site that appeared to be legitimate at a first glance. The remaining fake emails posed as voicemail notifications that also contained malware attachments.

To prevent falling victim to this and similar phishing scams, Inky recommends that users pay close attention to any discrepancies between a sender's display name (Microsoft, USAA, VM Caller ID” and the message's actual email address.

After the publication of this story, Mailgun reached out to TechRadar Pro with the following statement on the matter:

"Mailgun security teams are aware of a phishing campaign targeted at Chipotle and USAA customers. While this is not the result of any platform-level vulnerabilities or data breach, we assist with and support the full investigation of this incident. Mailgun routinely assists customers in their incident investigations by providing logs and other forensic information to help determine the root cause of credential leaks. The Mailgun platform includes multi-factor authentication, session timeout preferences, role-based access control, and other security features to prevent unauthorized logins."

Via BleepingComputer

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.