Source URL: https://simonwillison.net/2025/Apr/4/a-sneaky-phish/
Source: Simon Willison’s Weblog
Title: A Sneaky Phish Just Grabbed my Mailchimp Mailing List
In further evidence that phishing attacks can catch out the most sophisticated among us, security researcher (and operator of ';--have i been pwned?) Troy Hunt reports on how he fell for an extremely well-crafted phishing attack against his MailChimp account, which then exported his full list of subscribers, including people who had unsubscribed (data which MailChimp stores and continues to make available).
This could happen to any of us:
> I’ve received a gazillion similar phishes before that I’ve identified early, so what was different about this one? Tiredness was a major factor. I wasn’t alert enough, and I didn’t properly think through what I was doing.
Troy’s account was protected by authenticator app 2FA, but the phishing site (on the realistic-sounding mailchimp-sso.com domain) asked for that code too and instantly proxied it through to MailChimp. That is somewhat ironic, as Troy had been promoting phishing-resistant passkeys on his trip to London, a technology that MailChimp doesn’t offer yet.
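As an added illustration (not code from Simon’s post or from Troy’s), the following Python simulation contrasts the two second factors named above. A TOTP code carries no information about where it was typed, so a code entered on mailchimp-sso.com and forwarded within its validity window verifies at the real site. A WebAuthn passkey assertion instead signs over clientDataJSON, which the browser (not the user) fills with the page’s origin, so the relying party’s origin check rejects an assertion produced on the phishing page. The origin https://login.example, the RP ID login.example, the secrets and the challenge are constructed values; an HMAC stands in for the ECDSA signature a real authenticator would produce, and the simulation does not model the browser-side RP ID check that, in a real browser, would prevent the passkey from being invoked on the wrong domain at all.

```python
import hashlib
import hmac
import json
import struct

# --- TOTP (RFC 6238), the kind of code an authenticator app shows ---

def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """Derive the time-based one-time code for a given Unix time."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, timestamp: int, window: int = 1) -> bool:
    """Server-side check. Note what is absent: nothing ties the code to the
    site it was typed into, so a relayed code is indistinguishable from one
    the user entered on the real login page."""
    return any(
        hmac.compare_digest(totp(secret, timestamp + 30 * d), code)
        for d in range(-window, window + 1)
    )


# --- WebAuthn-style assertion with origin binding (simplified) ---

EXPECTED_ORIGIN = "https://login.example"   # hypothetical real login origin
EXPECTED_RP_ID = "login.example"            # hypothetical RP ID
PHISH_ORIGIN = "https://mailchimp-sso.com"  # the look-alike domain from the post


def make_assertion(cred_key: bytes, rp_id: str, origin: str, challenge: str) -> dict:
    """What browser plus authenticator produce. The browser writes the page's
    origin into clientDataJSON; the user cannot edit it. HMAC stands in for
    the ECDSA signature a real authenticator would make (simplification)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    # authenticatorData: rpIdHash (32 bytes) || flags (UP set) || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


def verify_assertion(cred_key: bytes, assertion: dict, expected_origin: str,
                     expected_rp_id: str, expected_challenge: str) -> tuple:
    """Relying-party verification, in the order the WebAuthn spec lists the checks."""
    client = json.loads(assertion["client_data"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if client.get("origin") != expected_origin:
        return False, "origin mismatch: " + str(client.get("origin"))
    if assertion["auth_data"][:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    """Run both factors through the proxied-login scenario from the post."""
    now = 1_700_000_000                       # constructed timestamp
    totp_seed = b"constructed-totp-seed"      # constructed shared secret
    cred_key = b"constructed-credential-key"  # constructed passkey secret
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed challenge from the real site

    # TOTP: the user reads the code and types it into the phishing page,
    # which forwards it to the real site a few seconds later.
    code = totp(totp_seed, now)
    totp_relayed_accepted = verify_totp(totp_seed, code, now + 5)

    # Passkey: same challenge, but the browser stamps the origin it is actually on.
    honest = make_assertion(cred_key, EXPECTED_RP_ID, EXPECTED_ORIGIN, challenge)
    relayed = make_assertion(cred_key, EXPECTED_RP_ID, PHISH_ORIGIN, challenge)
    return {
        "totp_relayed_accepted": totp_relayed_accepted,
        "passkey_honest": verify_assertion(cred_key, honest, EXPECTED_ORIGIN, EXPECTED_RP_ID, challenge),
        "passkey_relayed": verify_assertion(cred_key, relayed, EXPECTED_ORIGIN, EXPECTED_RP_ID, challenge),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the relayed TOTP accepted while the relayed passkey assertion fails on the origin check before the signature is even examined; the server never had to know a proxy was involved, because the browser that produced the assertion recorded where it was.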
There are a bunch of interesting details here. I appreciated this point about how short-lived authentication sessions can reduce account security by conditioning users to expect constant login requests:
> I also realised another factor that pre-conditioned me to enter credentials into what I thought was Mailchimp is their very short-lived authentication sessions. Every time I go back to the site, I need to re-authenticate and whilst the blame still clearly lies with me, I’m used to logging back in on every visit. Keeping a trusted device auth’d for a longer period would likely have raised a flag on my return to the site if I wasn’t still logged in.
It looks like MailChimp preserves the email addresses of unsubscribed users to prevent them from being re-subscribed by future list imports. Troy discusses this issue at length in further updates to the post.
Via Bruce Schneier
Tags: security, passkeys, troy-hunt, phishing
AI Summary and Description:
Summary: The text describes a phishing attack experienced by security researcher Troy Hunt, focusing on the unexpected vulnerability that led to his Mailchimp account being compromised despite two-factor authentication (2FA). The case highlights the nuances of user behavior and authentication practices that can undermine security.
Detailed Description: The narrative revolves around a phishing attack that Troy Hunt, a well-known security researcher, fell victim to, despite his expertise in identifying such threats. The incident serves as a valuable lesson for professionals in security, as it emphasizes the potential pitfalls in user behavior and authentication protocols.
- **Phishing Attack Dynamics:**
  - The attack was sophisticated, using a domain that mimicked Mailchimp to extract Hunt’s credentials, including his 2FA code.
  - Hunt’s previous experience with similar phishing attempts had made him highly attuned to the threat, yet his tiredness impaired his vigilance.
- **Impact of User Behavior on Security:**
  - The reliance on short-lived authentication sessions conditioned Hunt to expect frequent logins, potentially lowering his guard and contributing to the successful phishing.
  - This incident underscores how even seasoned professionals can be susceptible to social engineering under certain conditions (e.g., fatigue).
- **Critique of Security Practices:**
  - Hunt notes the irony of promoting phishing-resistant technologies while being a victim himself, highlighting the gap between the security measures available and their practical adoption by platforms like Mailchimp.
  - The practice of retaining unsubscribed users’ email addresses raises ethical considerations regarding data retention and privacy, as that data could be exposed if not securely managed.
Overall, this incident showcases the critical need for continuous education on phishing, the importance of user awareness in security practices, and the discussion about how companies manage user data and authentication practices. Security and compliance professionals should note the lessons learned regarding the availability of robust security tools and the human factor’s impact on security effectiveness.