Since email security is an ever-changing landscape, organizations and individuals must focus on the most relevant issues to stay one step ahead of adversaries. This article rounds up the latest email security news to bring you up to speed with the evolving threat landscape.
1. Google May Invite Penalty After Privacy Activists Target The Tech Giant Over French ‘Spam’ Emails
A European group of activists, who go by the name NOYB (None of Your Business), said that Google infringes upon EU law by sending people direct advertising messages through Gmail.
The group, which has a long history of fighting the tech giant on data privacy, sent screenshots to the French data regulator CNIL showing marketing messages pinned to the top of users’ inboxes. CNIL is the most active authority in Europe and has earlier fined Google and Facebook heavily. The activists attached the following explanations to their complaint:
- The emails were marked with a green check box and contained the word “annonce”, meaning advert in French.
- Under EU law, such marketing practice is permitted only after the user consents to it.
- Spam is commercial communication sent without the user’s consent, which is illegal.
- One cannot call spam legal if it gets generated by an email provider.
CNIL confirmed that it received the complaint, but there is currently no response from Google. Facebook’s parent company Meta and Google are embroiled in a long-running battle in Europe over their data collection practices.
The French regulator had earlier fined Google $150 million (150 million euros) and Meta 60 million euros in December because they failed to provide users with an opt-out option for cookies, the small files that track users across the web. The two tech giants also face scrutiny over their practice of transferring EU residents’ personal data to servers in the United States.
2. Halfords Faces a £30,000 Fine From The UK Privacy Regulator for Spam Deluge
The high street retailer was fined under the Privacy and Electronic Communications Regulations (PECR) for breaking the UK law governing nuisance marketing. The regulations protect consumers from online tracking, excessive marketing, and related offenses.
The Information Commissioner’s Office (ICO) said the bike shop chain sent 498,179 emails to customers promoting a “Fix Your Bike” government voucher scheme. It further stated that:
- The emails encouraged customers to book a free bicycle assessment.
- Then, it asked them to redeem a £50 government voucher for the cost of repairs at Halfords stores.
- When investigated, Halfords defended sending the emails to people without their informed consent by claiming a “legitimate interest”.
- However, because the email advertised a Halfords service from which the company earns income, the ICO said “legitimate interest” could not be treated as an alternative to consent.
Andy Curry, Head of Investigations at the ICO, said that such behaviour violates consumers’ privacy rights and is downright annoying. Halfords is a household name in the UK, and the ICO expects such organizations to know and act better. He added that the incident does not reflect the company’s internal advice or processes; nonetheless, a fine was imposed on the firm.
“Such incidents act as a reminder for similar organizations who must review their electronic marketing operations because we will take appropriate actions if they break the law,” he said.
3. DigitalOcean Says Some Customers Impacted From Recent Mailchimp Cyberattack
DigitalOcean, the cloud infrastructure provider, announced this week that a recent cyberattack targeting Mailchimp might have compromised the email addresses of some of its customers. The marketing platform Mailchimp announced that it had suspended several accounts in response to a cyberattack that targeted its crypto-related users via “sophisticated social engineering and phishing tactics.”
Mailchimp further added that:
- It had suspended the accounts to safeguard user data.
- 214 user accounts got impacted.
- It quickly acted to notify the primary contacts of impacted customers and implement additional enhanced security measures.
DigitalOcean’s official communication says that Mailchimp formally notified it on August 10 about an attacker who had compromised Mailchimp’s internal tooling and gained unauthorized access to customer accounts. DigitalOcean had already begun investigating the incident after a customer reported that their password had been reset.
The Mailchimp account compromise exposed a small number of DigitalOcean customer email addresses and was followed by attempts to access DigitalOcean accounts via password reset. The company noted that the attacker made the attempts from the same IP address, and that not all password resets were successful. Even where a reset succeeded, the attackers could not access the accounts because two-factor authentication was enabled.
DigitalOcean added that its security incident response team swung into action and notified the affected customers about the breach. It also moved its critical services from Mailchimp to other email service providers.
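The DigitalOcean incident shows a pattern worth detecting on any platform: one source IP requesting password resets for several unrelated accounts in a short window, with successful resets then stopped by two-factor authentication. The script below is an added example, not DigitalOcean’s or Mailchimp’s code; it runs over constructed log lines in a hypothetical `timestamp ip account event` format and flags source IPs whose reset requests touch a threshold number of distinct accounts within a sliding time window.

```python
# Added example (not from the article): flag password-reset bursts from one IP.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "timestamp ip account event" format.
# 203.0.113.7 resets three accounts in a minute; one succeeds, then 2FA blocks login.
# 198.51.100.9 makes two requests 85 minutes apart, which is ordinary user behaviour.
SAMPLE_LOG = """\
2022-08-10T14:01:02Z 203.0.113.7 alice@example.com reset_requested
2022-08-10T14:01:09Z 203.0.113.7 bob@example.com reset_requested
2022-08-10T14:01:15Z 203.0.113.7 carol@example.com reset_requested
2022-08-10T14:01:40Z 203.0.113.7 bob@example.com reset_succeeded
2022-08-10T14:02:03Z 203.0.113.7 bob@example.com login_blocked_2fa
2022-08-10T14:05:00Z 198.51.100.9 dave@example.com reset_requested
2022-08-10T15:30:00Z 198.51.100.9 erin@example.com reset_requested
"""


def parse_line(line):
    """Split one log line into (datetime, ip, account, event)."""
    ts, ip, account, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, event


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def reset_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Return {ip: sorted distinct accounts} for every IP that requested resets
    for at least `threshold` distinct accounts within any span of `window`."""
    requests_by_ip = defaultdict(list)
    for ts, ip, account, event in events:
        if event == "reset_requested":
            requests_by_ip[ip].append((ts, account))

    flagged = {}
    for ip, reqs in requests_by_ip.items():
        reqs.sort()  # chronological order so each request can start a window
        for i, (start, _) in enumerate(reqs):
            in_window = {acct for ts, acct in reqs[i:] if ts - start <= window}
            if len(in_window) >= threshold:
                flagged[ip] = sorted(in_window)
                break
    return flagged


def outcome_summary(events, ip):
    """Count events per type for one IP, e.g. how many resets succeeded and
    how many follow-up logins 2FA stopped."""
    counts = defaultdict(int)
    for _, src, _, event in events:
        if src == ip:
            counts[event] += 1
    return dict(counts)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for ip, accounts in reset_bursts(evts).items():
        print(f"ALERT {ip}: resets for {len(accounts)} accounts "
              f"{accounts}; outcomes {outcome_summary(evts, ip)}")
```

The window and threshold are tunable; a real deployment would feed the alert into a ticket that also lists whether 2FA was enforced on each affected account, since that is what limited the damage in the incident above.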
4. CISA Warns of Hackers Exploiting Multiple Vulnerabilities in the Zimbra Collaboration Suite
The CISA (Cybersecurity and Infrastructure Security Agency) posted an advisory warning that threat actors are actively exploiting five distinct vulnerabilities in the Zimbra Collaboration Suite (ZCS).
CISA compiled the document in collaboration with the MS-ISAC (Multi-State Information Sharing & Analysis Center); it explains how cybercriminals may target unpatched ZCS vulnerabilities in private and government sector networks.
The first vulnerability (CVE-2022-27924) is a high-severity flaw that enables an unauthenticated attacker to overwrite arbitrary cached entries and inject arbitrary Memcache commands into the ZCS instance.
“Thus, the threat actor can steal the ZCS email credentials in cleartext form without user interaction,” the advisory read.
According to the document, the second and third vulnerabilities (CVE-2022-27925 and CVE-2022-37042, respectively) are chained together. The former enables an authenticated user to upload malicious files to the system; the latter is an authentication bypass vulnerability.
The remaining Zimbra vulnerabilities, according to the CISA report, are:
- CVE-2022-30333, a high-severity directory traversal vulnerability in RARLAB UnRAR on UNIX and Linux.
- CVE-2022-24682, a medium-severity vulnerability affecting ZCS webmail clients.
While Zimbra patched the vulnerabilities between May and late July, CISA recommended that administrators hunt for malicious activity using third-party detection signatures.