When Your Vendor Is Hacked, But You Pick Up The Fallout

Today, I received an email claiming that I have “a shipment” waiting from DHL—not once but three times.

Investigation

I know it’s a phishing email, but what struck me is that it uses a legitimate sender address: info (at)spinecentral.com, a business I know from West London. This piqued my interest in what was going on with them. Looking at the raw header, you can see that all the security measures, SPF, DKIM, and DMARC, are in place and pass (PASS). So what is going on?

So, what do we have here?

  1. The SPF record designates 168.245.51.8 as a permitted sender (so it must have been set up manually in DNS), and a reverse lookup of that address gives o16.sg.m.dripemail2.com.
  2. spf=pass smtp.mailfrom=drip.spinecentral.co.uk; the envelope sender (the original email sender) is allowed.
  3. dkim=pass header.i=@spinecentral.co.uk; the primary sending domain signed the message and is allowed.
  4. dkim=pass header.i=@sendgrid.info; an additional sending service signed the message and is allowed.
  5. dmarc=pass(p=NONE,sp=NONE) header.from=spinecentral.co.uk; even DMARC passed (and the published policy is none).

Read from SpineCentral’s point of view, the header says: my primary email domain is spinecentral.co.uk, but I also use an additional service that sends emails from sendgrid.info. Everything appears legitimate.
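As an added example (not from the original post), a small Python checker that parses an Authentication-Results value like the one above and lists every domain that passed SPF or DKIM but is not aligned with the visible From domain, i.e. the third-party senders whose compromise the From domain inherits. The sample header value is constructed from the results quoted above, not the real raw header, and the alignment check is a relaxed subdomain test rather than a Public Suffix List lookup.

```python
import re

# Constructed sample Authentication-Results value, modelled on the results quoted in the
# post; it is not the real raw header, which the page does not reproduce.
SAMPLE_AUTH_RESULTS = (
    "spf=pass (domain of bounce@drip.spinecentral.co.uk designates 168.245.51.8 "
    "as permitted sender) smtp.mailfrom=drip.spinecentral.co.uk; "
    "dkim=pass header.i=@spinecentral.co.uk; "
    "dkim=pass header.i=@sendgrid.info; "
    "dmarc=pass (p=NONE sp=NONE) header.from=spinecentral.co.uk"
)

# method=result, an optional "(comment)", then the properties up to the next ';'
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)(?:\s*\(([^)]*)\))?\s*([^;]*)")
PROP_RE = re.compile(r"(smtp\.mailfrom|header\.i|header\.d|header\.from)=@?([\w.-]+)")
POLICY_RE = re.compile(r"\bp=(\w+)")

def aligned(a, b):
    """Relaxed alignment: same domain, or one is a subdomain of the other.
    (A production checker should use the Public Suffix List here.)"""
    a, b = a.lower(), b.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def parse_auth_results(value):
    """Return SPF, DKIM and DMARC results with the domain each one vouches for."""
    out = {"spf": None, "dkim": [], "dmarc": None}
    for method, result, comment, props in RESULT_RE.findall(value):
        domains = [d for _, d in PROP_RE.findall(props)]
        domain = domains[0] if domains else ""
        if method == "spf":
            out["spf"] = (result, domain)
        elif method == "dkim":
            out["dkim"].append((result, domain))
        else:
            policy = POLICY_RE.search(comment)
            out["dmarc"] = (result, domain, policy.group(1).upper() if policy else "")
    return out

def assess(value):
    """Flag every domain that passed a check but is not aligned with the From domain:
    those are third-party senders whose compromise the From domain inherits."""
    r = parse_auth_results(value)
    from_domain = r["dmarc"][1]
    passed = [r["spf"][1]] if r["spf"] and r["spf"][0] == "pass" else []
    passed += [d for res, d in r["dkim"] if res == "pass"]
    return {
        "from_domain": from_domain,
        "dmarc_policy": r["dmarc"][2],
        "dmarc_enforcing": r["dmarc"][2] in ("QUARANTINE", "REJECT"),
        "third_party_senders": sorted({d for d in passed if not aligned(d, from_domain)}),
    }
```

Run against the sample, it reports sendgrid.info as the only unaligned authorized sender and a non-enforcing DMARC policy, which is exactly the combination that lets a hijacked vendor account send “authenticated” mail in the tenant’s name.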

Let’s Have A Look At The Sending Servers And Who They Are

This will be a standard Google account for the spinecentral.co.uk domain.

SendGrid and Twilio? Hmmm… Google is your friend: sendgrid.com?

OK, so we now know that SpineCentral used the SendGrid marketing tool. That is nothing new; many companies use some form of mass email list. So, a summary of what we do know:

  1. SpineCentral set up SPF, DKIM, and DMARC for email security. This is a manual process involving multiple steps across Google, the DNS service, and SendGrid.
  2. All details point to SendGrid as the issue here, because the DHL email wasn’t sent by SpineCentral but on their behalf.

Let’s Have A Look At The Email Itself

Below is the URL behind the “Confirm sending shipment” link.

A quick search revealed that it’s using another mailing service: Drip.com.

Who is dripemail2.com?
Drip.com
Even Copilot doesn’t like them 😉

Follow The Crumbs

Using the Windows 11 Sandbox, we copy and paste the link from the email to see what the page looks like. The Drip.com service redirects you to this “mydelivery” page. Anything you click on that page always points to the same address.

The Drip email service is forwarding to this phishing page

Copying the address and opening it in an Incognito window yields the same result: a package number and a delivery date. It’s the same trap everyone falls into.

As you can see, they even have an OTP step to verify your phone…

Summary

SpineCentral used a vendor, SendGrid, that most likely got hacked. This matters because SpineCentral’s email reputation will suffer. Also, because the email went through another marketing company, not many filters will stop this kind of email, as you would follow three different forwarding links.

Remediation

I contacted SpineCentral, who told me they know about the issue and are trying to fix it with the vendor. They use an external marketing company that uses SendGrid on their behalf. The problem is that all of this is handled via email and in the US, so nothing will happen for a while. I would remove the DKIM and SPF records for SendGrid to break the authentication chain for that sender, so that email filters stop it and treat it as spam. This can be restored once SendGrid has the situation under control (if ever). Also, the marketing agency must change the passwords on their accounts and stop all campaigns on their account. The agency runs the campaigns, and if they are compromised the problem will follow down the chain. At this stage, it’s difficult to say who was compromised: the marketing agency and/or SendGrid. If the agency cannot recover the accounts in SendGrid, then removing SendGrid from DNS is the only option to prevent more damage.

From my side, I can only report the “mydelivery” URL to get access to that page blocked. Microsoft has already been informed, and the other engines are slowly getting wiser. The Drip email delivery service was also “informed”. Let’s see how this pans out.

16/05/2024
17/05/2024

Bonus

It sounds like I was right; this has been ongoing since August 2020 😉 SendGrid has no sense of urgency…

https://www.bleepingcomputer.com/news/security/hacked-sendgrid-accounts-used-in-phishing-attacks-to-steal-logins
