If you have been following my Friday Phish Fry posts, you know that many of the links I have examined recently resolve to addresses at sendgrid.com. Usually we are presented with a fake landing page with a credential-stealing form of some sort. What is this all about, anyway?
Sendgrid, as it turns out, is a legitimate marketing company that provides bulk email services, and also hosts marketing landing pages. So if you were interested in sending out a bunch of marketing mail to your customers, you could set it all up on Sendgrid. The links between the emails and the landing page allow you to see what your response rate is, how much sell-through is happening. You can also improve your results with A/B testing to see which marketing message gets the best results.
Unfortunately, this service is very attractive to and popular with phisher pholk (folk), too. In their inimitable fashion, they have been stealing Sendgrid credentials to use in their never-ending quest to separate you from your money. Credentials for active Sendgrid user accounts are being sold on the dark web for about $15 each.
The problem is that Sendgrid is a legitimate and respected company, and their email servers are validated using DMARC, DKIM, SPF, and other email validation systems. Most email spam filtering systems will let them right through into your inbox.
Twilio, the parent company of Sendgrid, is recommending two-factor authentication and will soon require it, to try to stave off all this illegal usage. But progress on this front is unusually slow, especially considering that Twilio bought MFA firm Authy in 2015.
Meanwhile, email admins are getting impatient with the volume of phishy email from Sendgrid, and they are beginning to filter out the barrage. This is bad news for Sendgrid and their legitimate customers.
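For admins who want something narrower than blocking the whole service, here is a triage sketch of the point made above about DMARC, DKIM and SPF. It is an added example, not code from this blog or from Sendgrid; the sample message, the allowlist and the verdict names are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Link domain named in this post; extend for other bulk-mail providers.
BULK_MAIL_LINK_DOMAINS = {"sendgrid.com"}
# Hypothetical allowlist: senders you expect to reach you via that provider.
EXPECTED_BULK_SENDERS = {"newsletter.example"}

# Constructed sample message (not a real capture).
SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce.shop.example;
 dkim=pass header.d=shop.example; dmarc=pass header.from=shop.example
From: "Account Security" <alerts@shop.example>
Subject: Verify your mailbox

Your mailbox is almost full. Sign in to keep receiving mail:
https://sendgrid.com/CONSTRUCTED-PATH
"""

def auth_results(msg):
    """Return e.g. {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'}."""
    header = " ".join(msg.get_all("Authentication-Results", []))
    return {m.lower(): r.lower()
            for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}

def in_domains(host, domains):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw):
    msg = message_from_string(raw)
    auth = auth_results(msg)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    urls = re.findall(r"https?://[^\s<>\"']+", msg.get_payload())
    bulk_hosts = [h for h in (urlparse(u).hostname for u in urls)
                  if in_domains(h, BULK_MAIL_LINK_DOMAINS)]
    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    # Passing SPF/DKIM/DMARC shows which domain sent the mail, not that the
    # account behind it is still controlled by its owner.
    if bulk_hosts and not in_domains(from_domain, EXPECTED_BULK_SENDERS):
        verdict = "review"
    elif authenticated:
        verdict = "deliver"
    else:
        verdict = "quarantine"
    return {"authenticated": authenticated, "bulk_link_hosts": bulk_hosts,
            "from_domain": from_domain, "verdict": verdict}
```

Calling `triage(SAMPLE)` returns a fully authenticated message that still lands in "review" because its link points at the bulk-mail domain and the sender is not one you expect to use it.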
For the full story, click on the link below. It will be interesting to see how this works out.
- Thanks to Brian Krebs for his article "Sendgrid Under Siege from Hacked Accounts", which alerted me to the problem at Sendgrid.