Phishing through e-mail marketing services

Scammers have used various tricks over the years to bypass antiphishing technologies. Another scheme with a high success rate for delivering phishing links to targets is to use e-mail marketing services, also known as e-mail service providers (ESPs) — companies that specialize in delivering e-mail newsletters — to send messages. According to statistics we’ve obtained from our solutions, the method is gaining momentum.

Why ESP-based phishing works

Companies that are serious about e-mail threats thoroughly scan all e-mail — with antivirus, antiphishing, and antispam engines — before letting messages reach users’ inboxes. The engines not only scan message content, headers, and links, but also check the reputation of the sender and any linked websites. Risk verdicts are based on a combination of those factors. For example, if a mass mailing comes from an unknown sender, it looks suspicious, sending up a red flag for security algorithms.

Attackers have found a workaround, however: sending e-mails in the name of a trusted entity. E-mail marketing services, which provide end-to-end newsletter management, fill that role perfectly. They are known; many security solution vendors allow their IP addresses are by default by; and some even skip checks on letters sent through them.

How ESPs are exploited

The main attack vector is obvious: It’s phishing disguised as a legitimate mailing. Essentially, cybercriminals become clients of the target service, usually by purchasing the minimum subscription (anything more wouldn’t make much sense, especially given that they can expect to be identified and blocked quickly).

But there exists a more exotic option: using the ESP as a URL host. Under this scheme, the newsletter is sent out through the attackers’ own infrastructure. For example, the cybercriminals can create a test campaign that contains a phishing URL, and send it to themselves as a preview. The ESP creates a proxy for that URL, and then the cybercriminals simply take the proxy URL for their phishing newsletter. Another option for scammers is to create a phishing site that appears to be a mailing template, and provide a direct link to it. But that happens less frequently.

Either way, the new proxy URL now has a positive reputation, so it won’t be blocked; and the ESP, which doesn’t handle the mailing, sees nothing wrong and doesn’t block its “client” — at least, not until they start to receive complaints. Sometimes such schemes even play a role in spear-phishing.

What do ESPs think?

Unsurprisingly, ESPs are not jumping for joy about being tools for cybercriminals.  Most of them have their own security technologies that scan the message content and links that pass through their servers, and almost all provide guidance for anyone encountering phishing through their website.

Therefore, attackers try to keep ESPs calm, too. For example, using a provider for proxies tends to delay phishing links, so at the time of creation,  links in test messages appear legitimate; only later do they become malicious.

What to do

In many cases, mass mailings are sent to company employees whose addresses are public — and even the most vigilant among us miss the occasional suspicious or malicious e-mail and click on something we shouldn’t. To protect employees against potential phishing attacks coming from an e-mail marketing service, we recommend the following:

  • Instruct staff never to open e-mails marked “mass mailing” unless they subscribed to the specific mailing list in question. Such messages are unlikely to be of urgent importance — they’re usually intrusive advertising at best.
  • Use robust security solutions that thoroughly scan all incoming e-mail using heuristic algorithms.

Among our solutions are Kaspersky Security for Microsoft Office 365 and Kaspersky Security for Mail Server, which is a part of Kaspersky Total Security for Business . They reliably protect users against this threat.