I’m sure many of you are familiar with the targeted ESP phishing attack that has been ongoing for almost a year now and has led to multiple known ESP system breaches. Return Path was recently a victim of this same attack. So far, we have three blog posts on our client/marketer blog about this – you can read them here from November 24, November 25, and November 26. In short, a relatively small list of our clients’ email addresses was taken from us, meaning those addresses are now the targets of the phishing campaign that is intended to compromise those client systems.
To be sure, many of those addresses have been targets of this campaign and others like it for months prior to the attack on the Return Path system, since this campaign is specifically seeking out and attacking the email marketing and ESP community. But we are assuming, and behaving as if, any fresh campaigns are likely somehow linked to the data loss on our end.
Data was taken from us, and that security hole is now closed. However, some of our clients that are being attacked send mail from IP addresses that are Certified by Return Path. Since we jumped on this issue on the Wednesday before Thanksgiving, we have identified two sending system compromises of two of our clients. Our monitoring caught these compromises, and the compromised IPs have been removed from the Certified list.
As you might expect, investigating a data breach of this kind takes a tremendous amount of post-hoc forensic work, so it’s taken us a little while to get our arms around exactly what happened. That part isn’t particularly interesting. Here’s what those two compromises looked like, what we’ve done about them, what we’re doing to monitor more aggressively for future compromises, and what we’d like to ask of you.
What those two compromises looked like: Again, assuming both of these incidents are related to the same root cause, what likely happened is that one of our end clients was successfully phished, causing their sending systems (in one case an ESP and in another case an in-house system) to be compromised. In both cases, the sending IPs were members of our Certified program, so millions of spam messages did make it through to a couple of the mailbox operators we work with. At this point, we believe that the majority of the outbound spam through the hijacked IPs went to one mailbox operator, not to the general internet.
What we’ve done about them: In both cases, we suspended the IPs from our Certified program the minute we noticed something wrong. Any of you who query the open source version of our list via DNS in real time would have stopped recognizing those IPs as Certified immediately; the mailbox operators who access our list via RSync received updated versions as soon as they next synced, and most of them update their list every 15 minutes. We also immediately contacted the client and began collaborating on a solution as well as investigating the breach.
What we’re doing to monitor more aggressively for future compromises: Our Certification program has a large number of data feeds provided from all around the Internet to help us monitor the health of the program. Our team has been working over this weekend to broaden those sources, update our analytic models, and add a couple more near-real-time metrics to our monitoring so that we can identify breaches more rapidly than we have in the past; these efforts will serve us well in the long-term as well as while we are on high alert around this particular incident.
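As an added illustration of the kind of monitoring the post describes (this is example code written for this page, not Return Path’s own tooling), the following Python program takes constructed per-IP telemetry records of the sort a data feed from a mailbox operator might provide, computes a few near-real-time metrics per sending IP, flags IPs whose behaviour looks like a hijacked sender, and emits the updated Certified list with those IPs suspended. The metric names, the thresholds, the sample records, and the `certified.example` DNS zone name are all assumptions made for the example; the reversed-octet DNS layout is the general convention used by DNS-based IP lists.

```python
"""Toy near-real-time monitor for a certified-sender list.

Added example, not Return Path's code. All thresholds, feed fields and the
zone name are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FeedRecord:
    ip: str
    window: int        # 15-minute window index, increasing over time
    sent: int          # messages accepted from this IP in the window
    complaints: int    # "this is spam" reports in the window
    trap_hits: int     # deliveries to spam-trap addresses in the window


# Illustrative thresholds (assumptions, tune against real feed data).
COMPLAINT_RATE_MAX = 0.003     # complaints / sent above this is suspicious
VOLUME_SPIKE_FACTOR = 5.0      # latest volume vs. average of prior windows
TRAP_HITS_MAX = 2              # certified senders should hit ~no traps
MIN_SENT_FOR_RATE = 1000       # avoid noisy rates on tiny volumes


def evaluate(records):
    """Return {ip: [reason, ...]} for every IP that trips at least one rule.

    Only the latest window per IP is judged; earlier windows form the baseline.
    """
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec.ip].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r.window)
        latest, prior = recs[-1], recs[:-1]
        reasons = []

        # Rule 1: complaint rate in the latest window.
        if latest.sent >= MIN_SENT_FOR_RATE:
            rate = latest.complaints / latest.sent
            if rate > COMPLAINT_RATE_MAX:
                reasons.append(f"complaint rate {rate:.4f} > {COMPLAINT_RATE_MAX}")

        # Rule 2: sudden volume spike against the IP's own baseline.
        if prior:
            baseline = sum(r.sent for r in prior) / len(prior)
            if baseline > 0 and latest.sent > VOLUME_SPIKE_FACTOR * baseline:
                reasons.append(f"volume {latest.sent} > {VOLUME_SPIKE_FACTOR}x baseline {baseline:.0f}")

        # Rule 3: spam-trap hits.
        if latest.trap_hits > TRAP_HITS_MAX:
            reasons.append(f"trap hits {latest.trap_hits} > {TRAP_HITS_MAX}")

        if reasons:
            flagged[ip] = reasons
    return flagged


def updated_list(certified, flagged):
    """Certified list with flagged IPs suspended, sorted for stable publishing."""
    return sorted(ip for ip in certified if ip not in flagged)


def reverse_octets(ip):
    """DNS-list convention: 192.0.2.20 is looked up as 20.2.0.192.<zone>."""
    return ".".join(reversed(ip.split(".")))


def render_dns_zone(certified, zone):
    """Render one A record per certified IP, as a DNS-based list would publish."""
    return "\n".join(f"{reverse_octets(ip)}.{zone}. IN A 127.0.0.2" for ip in certified)


# Constructed sample data: three certified IPs, one of which is hijacked in window 4.
CERTIFIED = ["192.0.2.10", "192.0.2.20", "198.51.100.5"]
SAMPLE_RECORDS = [
    FeedRecord("192.0.2.10", 1, 10000, 5, 0),
    FeedRecord("192.0.2.10", 2, 10000, 4, 0),
    FeedRecord("192.0.2.10", 3, 10000, 6, 0),
    FeedRecord("192.0.2.10", 4, 120000, 900, 15),   # spike, complaints, traps
    FeedRecord("192.0.2.20", 3, 5000, 3, 0),
    FeedRecord("192.0.2.20", 4, 5000, 3, 0),
    FeedRecord("198.51.100.5", 3, 15000, 8, 0),
    FeedRecord("198.51.100.5", 4, 20000, 10, 0),    # modest growth, not a spike
]

if __name__ == "__main__":
    flagged = evaluate(SAMPLE_RECORDS)
    for ip, reasons in flagged.items():
        print(f"SUSPEND {ip}: " + "; ".join(reasons))
    print(render_dns_zone(updated_list(CERTIFIED, flagged), "certified.example"))
```

Running it suspends `192.0.2.10` on all three rules while leaving the other two IPs certified; an IP that is absent from the published zone simply gets NXDOMAIN, which is how a DNS-querying receiver stops treating it as Certified without any further action on its side.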
What we’d like to ask of you: We’d like to ask all of you to also be on high alert for any suspicious mailing behavior, especially those seeming to come from well-known brands, IP addresses, ESPs, or via our Certification program. Please report anything you think might be useful to us by emailing us at [email protected] as quickly as possible so that we can formulate a rapid response. We are also closely coordinating our efforts with the FBI, so any information you would like funneled to them can come through us as well.
It’s frustrating that there’s not much we can do about this situation other than to put the entire ecosystem on high alert; that part, we have done, publicly and aggressively, and we will continue outreach efforts until we have contacted every ESP and marketer client by phone. We hope those efforts will largely be successful, though we can’t stop people from clicking on phishing links – and we can’t even know if any such links are rooted in our stolen data.
The coming few days will be particularly important for us to band together as a community to fight our common foe here, as people in the US return from a long holiday weekend to full inboxes, likely including some phishing attempts. We are grateful for your support and assistance on this difficult issue and remain committed to working diligently to protect our systems, our users, and our users’ downstream customers – your mailboxes – from any further harm.