Jul 18, 2011

Hackers and spammers prefer compromised email accounts

ZDNet recently posted a report from Commtouch about how spammers and hackers seem to be trending away from botnets and going after compromised personal email and social accounts instead (Hotmail, Gmail, Facebook, etc.). They found that of the spam sent from Hotmail, almost 30% came from compromised accounts. Perhaps not so coincidentally, Hotmail just released a new "my friend’s been hacked" reporting mechanism.

Even though these reports center around personal webmail services and personal social accounts, ESP customers should look into beefing up their security as well.

Over the last couple years, attacks on ESPs have been on the rise. Sometimes, the ESP has been breached, but more commonly it’s an end user (or the end-user’s marketing agency) that unwittingly gives their account credentials to spammers (usually via malware on their computers).

So here’s a not-so-gentle reminder to MailChimp users, and especially MailChimp users who manage multiple accounts: GO ACTIVATE OUR SECURITY FEATURES.

In case you missed the recent announcements:

New Feature: Generate Strong Passwords

Also, when it’s time for you to change your MailChimp account’s password, you’ll notice a new "generate strong password" feature we’re rolling out in v6.1:

We all know you should be generating some good, strong passwords (see: 3 billion passwords per second: are strong passwords enough?).

We thought we’d make that process a little easier with the "Generate Strong Password" button. When you click that, we’ll create a random, 16-character password for you. After you click the arrow to have it pasted into the password field, we’ll provide you with an opportunity to print that password out for safe keeping:

Sure, you could just try memorizing that insane password, but you won’t. And unless you’re plugging this into a password manager right now (like 1Password or KeePass or LastPass), we figured you might need a handy, wallet-size print out:

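To make the "random, 16-character password" idea concrete, here is an added example (not MailChimp's own code, which the post does not show) of how such a generator should be built: it draws from the operating system's cryptographic random source rather than a seeded PRNG, and it puts a number on why 16 characters matter by estimating how long an attacker at the 3 billion guesses per second quoted above would need to exhaust the space. The 94-symbol alphabet and the "at least one lowercase, uppercase and digit" rule are assumptions of this example, not a description of MailChimp's button.

```python
import math
import secrets
import string

# Assumed alphabet for this example: letters, digits and punctuation
# (94 symbols). The post does not say which characters MailChimp uses.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Guess rate from the "3 billion passwords per second" post linked above.
GUESSES_PER_SECOND = 3_000_000_000


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Return a random password of `length` symbols drawn from `alphabet`.

    secrets.choice uses the OS CSPRNG; random.choice is deliberately avoided
    because its Mersenne Twister state can be recovered from observed output.
    Rejection sampling (loop until the class rule holds) keeps the result
    uniform over all strings that contain at least one lowercase letter, one
    uppercase letter and one digit, instead of forcing those classes into
    fixed positions, which would reduce entropy.
    """
    if length < 3:
        raise ValueError("length must be at least 3 to satisfy the class rule")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly chosen string: length * log2(alphabet_size).

    The class rule above rejects a vanishingly small fraction of 16-character
    strings, so this figure overstates the true entropy by a negligible amount.
    """
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length: int, alphabet_size: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time for an offline attacker to try every password."""
    return alphabet_size ** length / rate


def years_to_exhaust(length: int, alphabet_size: int,
                     rate: int = GUESSES_PER_SECOND) -> float:
    """Same estimate expressed in years, for readable comparisons."""
    return seconds_to_exhaust(length, alphabet_size, rate) / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("generated:", generate_password())
    # Contrast a typical human-chosen 8-letter lowercase password with the
    # 16-character generated one at the quoted guess rate.
    for label, length, size in (("8 lowercase letters", 8, 26),
                                ("16 chars, 94-symbol alphabet", 16, len(ALPHABET))):
        print(f"{label}: {entropy_bits(length, size):.1f} bits, "
              f"exhausted in {years_to_exhaust(length, size):.3g} years")
```

The comparison in the `__main__` block is the practical point: an 8-letter lowercase password falls to the quoted guess rate in about a minute, while the 16-character generated one is out of reach for any realistic brute-force budget, which is exactly why the post suggests writing it down or storing it in a password manager rather than picking something memorable.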
By the way, this whole "print-a-card" thing is similar to the process you’d go through if you activate 2-factor authentication for Google Apps, like Gmail. We’ve heard anecdotes of ESP customers (especially their marketing agencies and consultants) getting their accounts breached via spear-phishing emails delivered to their personal inboxes that appear to be from contacts and friends (also see: Social Engineering Was Key to Google Hack). So in addition to activating MailChimp’s security features, you should look into activating additional security features in Gmail and your social apps too (see: Facebook’s login approvals).

All of these security measures can be a bit daunting and maybe even a little depressing, but if you manage email and have access to a large list, I think we "just have to deal."