Sendgrid blames lack of 2FA for mountains of spam

Richi Jennings Your humble blogwatcher, dba RJA

Email service provider Sendgrid is under mounting criticism for sending spam, phishing, and other email nasties. The company claims that a bunch of its customers’ accounts have been hacked.

But if only customers would enable 2FA, Sendgrid wails. (I paraphrase, obvs.) Unfortunately, the 2FA on offer comes from Authy, the authenticator owned by Sendgrid’s parent Twilio, and Authy always leaves an SMS fallback open. Anyone who can SIM-swap your phone number can collect that code, so the “second factor” reduces to a password plus a stolen phone number.

Legit customers also complain their email deliverability has fallen through the floor. It’s hardly surprising—it sounds as if many email admins have resorted to the banhammer, after giving up trying to sort Sendgrid-sourced spam from ham.

In this week’s Security Blogwatch, we’ll have the Lobster Thermidor aux crevettes with a Mornay sauce garnished with truffle paté, brandy and with a fried egg on top and Spam.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Grace Hopper.

Bloody Vikings

All aboard the Brian Krebs cycle—Sendgrid Under Siege:

Many companies use Sendgrid to communicate with their customers via email. … Sendgrid takes steps to validate that new customers are legitimate businesses. … But this also means when a Sendgrid customer account gets hacked … the threat is particularly acute because a large number of organizations allow email from Sendgrid’s systems to sail through their spam [filters].

Sendgrid is not the only email marketing platform dealing with this problem. … Dealing with compromised customer accounts is a constant challenge for any organization doing business online. [But] there has been a marked increase in malicious, phishous and outright spammy email being blasted out via Sendgrid.

Sendgrid parent firm Twilio acknowledged the company had recently seen an increase in compromised customer accounts being abused for spam. [Its CISO] Steve Pugh said the company is working on changes that would require customers to use some form of 2FA: … “This is part of the reason we acquired Authy.”

[An] individual who goes by the handle “Kromatix” … is currently selling access to more than 400 compromised Sendgrid user accounts. The pricing attached to each account is … $15 [to] $400.

2FA/MFA FTW. Torsten George adds some critical comment:

The Sendgrid hack is a reminder of the importance of identity management for all businesses. … It's actually quite shocking that an organization that works with business customers for marketing purposes didn't already have multi-factor authentication (MFA) in place for users, and implementing it as a requirement is a critical first step that should happen urgently.

It's positive to see that parent company Twilio is already working on this. [But] cybercriminals will use stolen passwords in credential stuffing attacks, which use breached details to break into other accounts.

Cred stuffing—good point. James McQuiggan agrees, sensing the effect of previously stolen credentials:

The account compromises may have occurred from previous exploits and attacks against breached organizations who also happen to use Sendgrid. Considering the users are logging in with their business email, the cybercriminals have collected millions of email and password accounts from other cyberattacks.

Without MFA, the user account will never know someone is trying to log into Sendgrid with their account.
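Credential stuffing leaves a distinctive trace that a service’s own login telemetry can catch even before MFA is mandatory: one source tries a breach dump’s worth of different usernames, once each, and mostly fails. The following is an added example, not Sendgrid’s or any commenter’s code, run over constructed log lines in an assumed `ts ip= user= result=` format; the addresses are TEST-NET placeholders.

```python
"""Flag credential-stuffing sources in login logs.
Added example; the log format and sample lines below are constructed."""
import re
from collections import defaultdict

# Constructed sample (assumed format, TEST-NET addresses): one source walks
# through many distinct accounts once each, another is a user mistyping once.
SAMPLE_LOG = """\
2020-08-28T09:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2020-08-28T09:00:02Z ip=203.0.113.7 user=bob@example.net result=fail
2020-08-28T09:00:02Z ip=203.0.113.7 user=carol@example.org result=success
2020-08-28T09:00:03Z ip=203.0.113.7 user=dave@example.com result=fail
2020-08-28T09:00:04Z ip=203.0.113.7 user=erin@example.net result=fail
2020-08-28T09:00:05Z ip=203.0.113.7 user=frank@example.org result=fail
2020-08-28T09:05:00Z ip=198.51.100.9 user=grace@example.com result=fail
2020-08-28T09:05:30Z ip=198.51.100.9 user=grace@example.com result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Turn matching log lines into dicts; silently skip lines in another format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.6):
    """Return {ip: summary} for sources trying many distinct accounts with mostly
    failures. Stuffing differs from a brute force: one attempt per (user, password)
    pair from a breach dump, so the signal is breadth of usernames, not depth per
    user. The successes list is the set of accounts that need forced resets."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0,
                                  "successes": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "success":
            s["successes"].add(e["user"])
        else:
            s["fails"] += 1

    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": round(ratio, 2),
                "compromised": sorted(s["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse(SAMPLE_LOG)).items():
        print(ip, summary)
```

The thresholds are deliberately parameters: a shared corporate NAT address will legitimately show several distinct users, so tune `min_users` and `min_fail_ratio` against your own baseline rather than copying these values.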

Enable Sendgrid’s optional 2FA and all will be dunky-hory? Not so fast, says tialaramex:

Authy has an obligatory SMS bypass. … Even though you can use an app to generate codes, bad guys who can SIM swap their way to your phone number can do 2FA and get into [your account].

If you can guess a company's username and password on Sendgrid there's a good chance that's enough to have Sendgrid help you send spam. … They could do much better in 2020, but there's no sign Sendgrid has any interest in doing more than the very bare minimum.

Facepalm. What’s a legitimate Sendgrid customer to do? Ditch it, says Matt Harris:

I've received some spam from sendgrid … and dutifully forwarded them with headers along to abuse@. What I've never received is any sort of follow up.

Some of these messages are spam in ways that are exceptionally obvious. … It just seems like Sendgrid doesn't care about abuse on their platform. … There's no reason to let a legitimate user's compromised account continue being used illicitly.

We'd been using Sendgrid in production. … But we're looking at changing that now because it seems like their lack of concern regarding abuse on their platform will lead to more and more deliverability issues as time goes on.

And mrsam is waiting for the other shoe to drop:

We can draw one of two possible logical conclusions:

1) Someone ran a large randomly-targeted phish/hack campaign. And it just so happens that (nearly) everyone who got compromised ended up being Sendgrid customers, with account credentials exfiltrated from their PCs.
2) Sendgrid itself has been hacked, and had some portion of their customer base/credentials stolen.

I too noted a sudden onslaught of Sendgrid spam. … Same cookie-cutter phish bait, over and over again.

After no response to abuse, I ****listed their IPs. I thought that someone's churning through Sendgrid's trial accounts, but looks like those clowns were themselves hacked.

But Dennis suggests a third possibility:

This is what basically happens when you get greedy and sell too many accounts to too many unscrupulous customers. [I] went with Amazon SES, it requires a bit more setup, but is way better and reputable and is less costly at the end.

None of this is news to Mr. Roadkill:

Maybe now that Sendgrid are getting some bad … press about it, they'll actually do something about the problem.

False positives ahoy? Silhouette voices a shady opinion: [You’re fired—Ed.]

The biggest single problem with email today … is the number of major mail providers who are acting as gatekeepers [but] doing a bad job of it. … They block way too much legitimate mail, and often do it silently, so the sender is not even aware of the problem.

Then the sender … gets the customer support requests about the missing password reset emails, or the complaints that someone didn't know they were still subscribed despite the receipt emails being sent for each payment, [etc.]

At this point, there really ought to be a blacklist for unreliable mail services on the receiving side analogous to the spam blacklists, so businesses can warn their users if given an address on a bad service and invite them to choose another.

Meanwhile, it’s too late to fix it, says Mahhn:

Sendgrid has been the worst single source of spam for at least 1 year. I have sent them logs, headers, I have called and complained to Twilio.

We gave them notice we would be blacklisting their IP ranges … the entire subnet. … We told our vendors that use them to use another source to contact us.

Sendgrid, it’s too little too late. … You are junk mail.
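Several of the admins above reached for the banhammer after trying to tell provider-sourced spam from ham. The added example below (not Sendgrid tooling, nor any commenter’s scripts) shows the mechanics of that triage: pull the originating hop from the `Received:` headers without trusting hops the sender could have forged, map it to a sending network, and tally reported spam per source so a range-wide block is a decision based on numbers. The CIDR ranges, host names and messages are constructed placeholders (TEST-NET addresses and `.invalid` names); a real deployment would take the provider’s ranges from its published SPF record.

```python
"""Attribute inbound mail to a sending network from Received: headers and
tally reported spam per source. Added example, not Sendgrid tooling; the
ranges, host names and messages are constructed placeholders."""
import email
import ipaddress
import re

# Assumed provider ranges (TEST-NET placeholders, not real Sendgrid addresses);
# a real deployment would populate this from the provider's SPF record.
PROVIDER_RANGES = {
    "example-esp": [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/25")],
}
# Our own MX and internal hops: the only Received: lines we trust.
TRUSTED_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

RECEIVED_IP_RE = re.compile(r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]")


def originating_ip(raw_message: bytes):
    """Walk Received: headers newest-first and return the first hop outside our
    trusted infrastructure. Anything below that hop was written by someone else
    and may be forged, so it is deliberately ignored."""
    msg = email.message_from_bytes(raw_message)
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_IP_RE.search(hdr)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        if not any(ip in net for net in TRUSTED_RANGES):
            return ip
    return None


def attribute(ip) -> str:
    """Map an originating IP to a named sending network, or 'other'/'unknown'."""
    if ip is None:
        return "unknown"
    for name, nets in PROVIDER_RANGES.items():
        if any(ip in net for net in nets):
            return name
    return "other"


def tally(messages):
    """messages: iterable of (raw_bytes, reported_as_spam).
    Returns {source: {"total": n, "spam": m}}."""
    stats = {}
    for raw, is_spam in messages:
        s = stats.setdefault(attribute(originating_ip(raw)), {"total": 0, "spam": 0})
        s["total"] += 1
        s["spam"] += int(is_spam)
    return stats


def should_block(stats, source: str, max_spam_share: float = 0.5) -> bool:
    """Block a whole source only when its reported-spam share exceeds the threshold."""
    s = stats.get(source)
    return bool(s) and s["spam"] / s["total"] > max_spam_share


# --- constructed sample messages (not real traffic) ---
def _build(received_lines, subject):
    headers = "".join(f"Received: {r}\n" for r in received_lines)
    return (headers + f"From: sender@example.invalid\nSubject: {subject}\n\nbody\n").encode()


OUR_HOP = "from mx.ourcorp.invalid ([192.0.2.10]) by mailstore.ourcorp.invalid; Fri, 28 Aug 2020 09:00:05 +0000"
SAMPLES = [
    # Spam relayed by the provider; the hop beneath the provider is not trusted and is ignored.
    (_build([OUR_HOP,
             "from mta1.esp.invalid (mta1.esp.invalid [203.0.113.45]) by mx.ourcorp.invalid; Fri, 28 Aug 2020 09:00:04 +0000",
             "from attacker-pc.invalid ([198.51.100.200]) by mta1.esp.invalid; Fri, 28 Aug 2020 09:00:03 +0000"],
            "Your account will be suspended"), True),
    (_build([OUR_HOP,
             "from mta2.esp.invalid (mta2.esp.invalid [203.0.113.46]) by mx.ourcorp.invalid; Fri, 28 Aug 2020 09:10:00 +0000"],
            "Your receipt"), False),
    (_build([OUR_HOP,
             "from mta3.esp.invalid (mta3.esp.invalid [198.51.100.20]) by mx.ourcorp.invalid; Fri, 28 Aug 2020 09:20:00 +0000"],
            "Verify your mailbox now"), True),
    (_build([OUR_HOP,
             "from news.other.invalid ([198.51.100.200]) by mx.ourcorp.invalid; Fri, 28 Aug 2020 09:30:00 +0000"],
            "Weekly digest"), False),
]

if __name__ == "__main__":
    stats = tally(SAMPLES)
    for source, s in stats.items():
        print(source, s, "BLOCK" if should_block(stats, source) else "allow")
```

Two design points matter here. First, only the hop recorded by your own trusted MX is evidence; everything below it in the header stack can be written by the sender, so an abuse report should quote that hop, not the bottom-most `Received:` line. Second, a per-source tally makes the cost of a range-wide block visible: the same table that justifies the banhammer also shows how much legitimate mail (receipts, password resets) the block will take down with it.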

The moral of the story?

Whatever email service you use, ensure that it’s legit and that it offers functional 2FA/MFA: app-generated codes with the SMS fallback switched off, not SMS-based trash that a SIM swap turns into no factor at all. The weakest method a service lets you leave enabled is the one an attacker will use. You’re not a spammer, but you don’t want to share a neighborhood with one.

And finally

Grace Hopper, teaching perf like a BOSS

Hat tip: zack6849


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: freezelight (cc:by-sa)
