Over 3,000 email accounts were sent phishing emails through a compromised Constant Contact account belonging to the U.S. Agency for International Development (USAID). Constant Contact is an email marketing platform that lets organizations reach a large number of recipients via email more easily. By compromising the account belonging to USAID, attackers were not only able to reach everyone already receiving emails from USAID, but could also leverage a trusted sender and a familiar format for the subsequent phishing attack, adding credibility to the emails.
The phishing email itself is not particularly sophisticated—a very common “click to view documents” scam that results in malware being downloaded. However, by leveraging Constant Contact to send out these payloads, the attacker undoubtedly circumvented some spam and phishing protections that would likely have special rules for legitimate mass marketing services such as Constant Contact, not to mention the added familiarity of sender and format for the recipients. It's possible that recipients routinely receive emails linking to documents as well, which would further add to the effectiveness of this attack.
Phishing techniques get more sophisticated
As protections for phishing increase, mass phishing has had to become more sophisticated in its techniques—often borrowing techniques commonly used by spear phishing such as typosquatting and account takeover or impersonation. Attackers are also making attacks somewhat more targeted by tailoring phishing campaigns to particular markets or job titles by scraping publicly available information on potential targets. As such levels of targeting become easier and more automated, the gap in sophistication is closing between mass phishing—which targets numerous recipients in an attempt to play the odds that some percentage will fall for the phish—and spear phishing—which is completely tailored to the individual being targeted and thus requires significantly more effort but generally has a higher payoff if successful.
Account compromise is not new for phishing attacks: it ranges from the “help, I'm stranded in a foreign country without my passport” scams common after personal email account compromise to business email compromise scams that target individuals within the company the compromised account belongs to. Compromise of an account higher up the email “supply chain,” however, is new and likely influenced by the success of the SolarWinds attack, allegedly carried out by the same threat group as the USAID attack.
Weak and reused passwords, the lack of multi-factor authentication, and faster hardware and new password-cracking techniques have certainly increased the prevalence of compromised accounts, as well as their use in the attack chain of larger attacks. Tools for testing entire lists of leaked username-password combinations against a site in search of password reuse (credential stuffing) have also become very common and have made it easier to compromise a variety of accounts with a single data breach. This trend will likely only increase until MFA is widespread enough to mitigate it, which makes both strong, unique passwords and enabling MFA wherever it is supported critical for protecting accounts.
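As an added illustration (not code from the original article), the following Python sketch shows how a defender might spot the credential-stuffing pattern described above in authentication logs: one source address attempting many distinct accounts within a short window, as opposed to one user mistyping a password. The log format and sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (syslog-like); not from any real system.
SAMPLE_LOG = """\
2021-05-27T10:00:01Z auth FAIL user=alice src=203.0.113.5
2021-05-27T10:00:02Z auth FAIL user=bob src=203.0.113.5
2021-05-27T10:00:03Z auth FAIL user=carol src=203.0.113.5
2021-05-27T10:00:04Z auth OK user=dave src=203.0.113.5
2021-05-27T10:00:05Z auth FAIL user=erin src=203.0.113.5
2021-05-27T10:00:06Z auth FAIL user=frank src=203.0.113.5
2021-05-27T10:05:00Z auth FAIL user=alice src=198.51.100.7
2021-05-27T10:05:30Z auth FAIL user=alice src=198.51.100.7
2021-05-27T10:06:00Z auth OK user=alice src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) auth (OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log):
    """Parse log lines into (timestamp, result, user, src) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Return {src: (distinct_users, [users that logged in OK])} for each
    source that tries at least min_users distinct accounts inside one
    window. A single user failing repeatedly from one address (a typo or
    a plain brute-force) does not trip this rule."""
    by_src = defaultdict(list)
    for ts, result, user, src in sorted(events):
        by_src[src].append((ts, result, user))
    alerts = {}
    for src, evs in by_src.items():
        for i, (start, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, _, u in in_win}
            if len(users) >= min_users:
                successes = sorted(u for _, r, u in in_win if r == "OK")
                alerts[src] = (len(users), successes)
                break
    return alerts
```

Accounts listed under successes for a flagged source are the ones to prioritize for password reset and MFA enforcement, since a valid login from a stuffing source is the likely compromise.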