Chipotle’s Mail Service Hacked and Recipients Served a Plate of “Phish”

• A Chipotle-own Mailgun address was abused for the dissemination of phishing emails.
• The actors behind this campaign are 'NOBELIUM', a Russian phishing group that likes to abuse mass-mailing services.
• The emails distributed to 121 recipients either contained malware or led them to phishing pages.

The restaurant chain Chipotle Mexican Grill's email service has been hacked, and customers received emails containing URLs to phishing sites. According to INKY's researchers, who have been following this case closely and shared the details with TechNadu prior to publication, 121 phishing emails were sent between July 13 and July 16, 2021, using a compromised Mailgun email marketing account belonging to Chipotle. The campaign cannot be attributed to anyone with confidence, but it resembles the techniques used by NOBELIUM, a Russian entity that is pretty active in the phishing field.

Of those attacks, two were fake voicemail notices that were in reality just malware payloads, 14 redirected to USAA Bank-themed phishing sites, and 105 impersonated Microsoft and attempted to steal the credentials of 'Office 365' accounts. The abuse of a mass-mailing platform and the pluralism in the deployed hooks in this campaign is a characteristic of the way NOBELIUM operates.

On the matter of the spoofed websites, it appears that the actors have done diligent work too. As shown below, the USAA Bank login page appears legit, using an up-to-date logo, a nicely designed dialog box, and all the accompanying content that makes a fake portal look like the real deal. The actors almost certainly cloned the real page and only changed small portions of the underlying HTML code to add the credential exfiltration part.

The main reason why this phishing campaign was so effective is precise because an authentic Mailgun IP address was used for the distribution of the emails. By doing so, the actors managed to override spam filtering and email authentication obstacles. Also, they used mail.chipotle[.]com URLs as redirection points for the phishing sites, and since the Chipotle domain has a good reputation, none of the emails were stopped from reaching their intended recipients.

This is a reminder that no email can be trusted no matter who the sender is. If you get something that makes suspicious claims, consider the possibility of the sender's address having been compromised by phishing actors. If those emails come with file attachments, it's a big red flag.

For Chipotle customers, this isn't the first time they're dealing with the results of a security incident. In August 2019, many of them reported losing access to their membership accounts on the food ordering platform, with the hackers making orders on faraway towns using their credit card balances. Chipotle officially denied having suffered a data breach back then, but the incident was independently verified not to be a wave of credential stuffing attacks.