Special Olympics of New York, a nonprofit organization that provides sports training and competition to more than 67,000 children and adults with intellectual disabilities, had its email server hacked and later used to launch a phishing campaign against previous donors. The malicious email was camouflaged as an alert of an impending transaction that purported to automatically debit almost two million dollars within two hours. The phishing email used a Constant Contact email marketing tracking URL that redirected the victim to the attackers’ landing page in an effort to steal donors’ credit card information. In a statement released by Special Olympics of New York, the organization apologized for the incident and stated that no financial data was affected. The malicious emails have stopped, and the attackers’ website has been taken down. In a related incident, the Tokyo 2020 Summer Olympics issued a statement that it has also been the victim of malicious emails that direct donors to attackers’ webpages.
Analyst Notes
Recipients of emails that have anything to do with monetary donations should be immediately suspicious. Rather than clicking the link in the email, go directly to the charity’s webpage if a donation is to be made. Binary Defense analysts have recently observed an increase in the number of phishing attacks that use URLs hosted by email marketing services, including Constant Contact and others, to disguise links to malicious websites and evade security scanners. Phishing emails are still the primary method of tricking users into installing malware and giving passwords, credit card numbers or other sensitive information to attackers.
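The pattern described in the notes, a marketing-service tracking link paired with urgent payment wording, can be surfaced by a simple mail-triage check. The following is an added example for defenders, not code from Binary Defense or from the reporting; the tracker domains and the sample message are constructed placeholders, and the domain list must be populated from your own telemetry.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed click-tracking domains of email-marketing services (constructed
# placeholders; populate this set from your own mail telemetry).
TRACKING_DOMAINS = {"example-marketing.net", "example-tracker.com"}
# Wording of the lure described above: an imminent, automatic debit.
URGENT_PAYMENT = re.compile(r"\b(debit|transaction|within \d+ hours?)\b", re.I)


class LinkExtractor(HTMLParser):
    """Collect the href target of every <a> tag in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def is_tracker(host):
    """True if host is, or is a subdomain of, a known tracking domain."""
    return any(host == d or host.endswith("." + d) for d in TRACKING_DOMAINS)


def triage_email(subject, html_body):
    """Return the reasons a message matches the tracker-redirect phish pattern."""
    parser = LinkExtractor()
    parser.feed(html_body)
    plain = subject + " " + re.sub(r"<[^>]+>", " ", html_body)
    urgent = URGENT_PAYMENT.search(plain) is not None
    reasons = []
    for href in parser.hrefs:
        host = (urlparse(href).hostname or "").lower()
        if is_tracker(host):
            reasons.append(f"link routed through marketing tracker {host}")
            if urgent:
                reasons.append("tracker link paired with urgent debit wording")
    return reasons


# Constructed sample modelled on the lure described above (not a real message).
SAMPLE = ("Payment notice: automatic debit of $1,999,000 within 2 hours",
          '<p>Review the <a href="https://click.example-marketing.net/ct/x1">'
          "transaction</a> now.</p>")
```

Tracking links are legitimate in bulk mail, so the tracker hit alone is only a weak signal; the combination with payment urgency is what should raise the message for review.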
For more information, please see: https://www.bleepingcomputer.com/news/security/special-olympics-new-york-hacked-to-send-phishing-emails/