'Unusually Large Number' of Breached SendGrid Accounts Are Sending Spams and Scams (krebsonsecurity.com)
Krebs on Security reports:
Email service provider Sendgrid is grappling with an unusually large number of customer accounts whose passwords have been cracked, sold to spammers, and abused for sending phishing and email malware attacks. Sendgrid's parent company Twilio says it is working on a plan to require multi-factor authentication for all of its customers, but that solution may not come fast enough for organizations having trouble dealing with the fallout in the meantime...
[A] large number of organizations allow email from Sendgrid's systems to sail through their spam-filtering systems. To make matters worse, links included in emails sent through Sendgrid are obfuscated (mainly for tracking deliverability and other metrics), so it is not immediately clear to recipients where on the Internet they will be taken when they click...
Rob McEwen is CEO of Invaluement.com, an anti-spam firm whose data on junk email trends are used to improve the spam-blocking technologies deployed by several Fortune 100 companies. McEwen said no other email service provider has come close to generating the volume of spam that's been emanating from Sendgrid accounts lately. "As far as the nasty criminal phishes and viruses, I think there's not even a close second in terms of how bad it's been with Sendgrid over the past few months," he said...
Neil Schwartzman, executive director of the anti-spam group CAUCE, said Sendgrid's two-factor authentication plans are long overdue, noting that the company bought Authy back in 2015. "Single-factor authentication for a company like this in 2020 is just ludicrous given the potential damage and malicious content we're seeing," Schwartzman said... Schwartzman said if Twilio doesn't act quickly enough to fix the problem on its end, the major email providers of the world (think Google, Microsoft and Apple) — and their various machine-learning anti-spam algorithms — may do it for them.
Krebs found an online cybercriminal selling access to more than 400 compromised Sendgrid accounts. "Accounts that can send up to 40,000 emails a month go for $15, whereas those capable of blasting 10 million missives a month sell for $400."
Not news to mail admins... (Score:5, Informative)
Re: (Score:3)
Additionally, in the past you got a near immediate response from sendgrid abuse and a zendesk ticket reference. Not at the moment. I sent them one of the SPAM samples and there has been no response.
Allowing Sendgrid through by default (Score:4, Informative)
I've thought that was stupid for a LONG time. We block it by default, because they've been sending spam for years.
Re:Allowing Sendgrid through by default (Score:4, Interesting)
I've thought that was stupid for a LONG time. We block it by default, because they've been sending spam for years.
Nice, and I can't say I blame you. I wish I could get away with that, but there are too many users at work who need stuff sent by organisations that use Sendgrid. Yes, even the easier/cheaper service with the sendgrid.net envelopes. Including a few Shadow IT things bought by various departments, which have become business-critical.
Re:Allowing Sendgrid through by default (Score:4, Interesting)
Same here - I allow two domains (Score:3)
As I recall, I allow two domains from Sendgrid.
For those, I strongly suggested that they get a dedicated server/IP, from Sendgrid or preferably from someone else.
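One way to implement the "allow only a couple of customer domains through Sendgrid" policy described in this post, as an added example that is not the poster's own filter: it classifies a message by its Return-Path envelope domain (the sendgrid.net envelopes mentioned in the thread) and an allowlist of From: domains. The allowlisted domains and the sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed allowlist: the customer domains this site chooses to accept via Sendgrid.
ALLOWED_SENDGRID_SENDERS = {"vendor-a.example", "vendor-b.example"}
# Envelope domain used by Sendgrid's shared service, per the thread above.
SENDGRID_ENVELOPE_SUFFIX = "sendgrid.net"


def _domain(header_value):
    """Lowercase domain part of an address header ('' if the header is absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def is_sendgrid_envelope(domain: str) -> bool:
    """True for sendgrid.net itself and any subdomain of it (e.g. em.sendgrid.net)."""
    return domain == SENDGRID_ENVELOPE_SUFFIX or domain.endswith("." + SENDGRID_ENVELOPE_SUFFIX)


def sendgrid_policy(raw_message: bytes) -> str:
    """Classify a raw RFC 5322 message.

    'pass'       - not relayed via a Sendgrid envelope; leave to the normal filter chain
    'allow'      - Sendgrid envelope and From: domain is on the allowlist
    'quarantine' - any other Sendgrid-relayed mail
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    if not is_sendgrid_envelope(_domain(msg.get("Return-Path"))):
        return "pass"
    if _domain(msg.get("From")) in ALLOWED_SENDGRID_SENDERS:
        return "allow"
    return "quarantine"


# Constructed sample messages (headers only matter for the policy).
SAMPLE_ALLOWED = (b"Return-Path: <bounces+1@em.sendgrid.net>\r\n"
                  b"From: Billing <no-reply@vendor-a.example>\r\n"
                  b"Subject: Invoice\r\n\r\nbody\r\n")
SAMPLE_QUARANTINE = (b"Return-Path: <bounces+2@em.sendgrid.net>\r\n"
                     b"From: \"IT Helpdesk\" <helpdesk@unknown-sender.example>\r\n"
                     b"Subject: Password expiry\r\n\r\nbody\r\n")
SAMPLE_DIRECT = (b"Return-Path: <alice@partner.example>\r\n"
                 b"From: alice@partner.example\r\n"
                 b"Subject: Hello\r\n\r\nbody\r\n")

if __name__ == "__main__":
    for name, sample in [("allowed", SAMPLE_ALLOWED), ("quarantine", SAMPLE_QUARANTINE), ("direct", SAMPLE_DIRECT)]:
        print(name, "->", sendgrid_policy(sample))
```

Because the article's problem is compromised but legitimate customer accounts, a From: allowlist only narrows exposure; mail from an allowlisted customer whose account has been cracked still passes, so pair this with SPF/DKIM alignment checks and link inspection.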
Re: (Score:3)
I've thought that was stupid for a LONG time. We block it by default, because they've been sending spam for years.
I have clients who use them. I haven't seen any allowing by default. I have seen their shared servers get on SORBS blacklists.
Got real bad about 5 weeks ago (Score:5, Insightful)
I blocked sendgrid in my spam filter on July 27th after the second wave of phishing emails showed up. Unblocked for a few hours the other day after a complaint. Problem is still ongoing, of course, which is why it was only for a few hours.
10-15 years ago, I was draconian - I would have looked up their ASN and routed all of their IP blocks to the bit bucket without telling anyone. I miss those days. Much easier than explaining to my users that they need to explain to their vendor that their vendor needs a new mail service provider.
Waiting for the other shoe to drop (Score:3, Interesting)
Although sendgrid is a large outfit, it's not like they provide service to a notable fraction of commercial E-mail senders on the interwebs.
Given that established fact, we can draw one of two possible logical conclusions:
1) Someone ran a large randomly-targeted phish/hack campaign. And it just so happens that (nearly) everyone who got compromised ended up being sendgrid customers, with account credentials ex-filtrated from their PCs.
2) Sendgrid itself has been hacked, and had some portion of their customer base/credentials stolen.
So, which one is more likely, folks?
I too noted a sudden onslaught of Sendgrid spam, a few months ago. Same cookie-cutter phish bait, over and over again. After no response to abuse, I shitlisted their IPs. I thought that someone was churning through Sendgrid's trial accounts, but it looks like those clowns were themselves hacked.
wait what? (Score:3, Informative)
all of Sendgrid needs to be RBL'd (Score:2)
Aside from Sendgrid constantly sending out scams and viruses, it has a virtually nonexistent abuse response program. They ignore complaints. The top level ISPs and major RBL maintainers should blacklist them and put them out of business. This is a good example of a poorly managed company that should not be allowed to send out ANY e-mails until they control their servers.