Digital attackers compromised an email server owned by Special Olympics NY and then abused it to target donors with phishing emails.

The attack emails told recipients that an automatic donation transaction of $1,942.49 would register on their accounts within the next two hours. The email then asked recipients to review a PDF statement to confirm that the alleged transaction’s details were correct. Towards that end, the email instructed victims to preview their statement by clicking on a link.

A sample of the phishing email. (Source: Bleeping Computer)

This link, which was a Constant Contact tracking URL, redirected recipients to the phishers’ landing page. That asset is no longer available. However, it’s likely that digital attackers used that page to steal recipients’ personal and/or financial information.

Officials at Special Olympics NY, a nonprofit organization that hosts an athletic competition for more than 67,000 children and adults with special needs in New York State, disclosed the security incident in an email notification sent out to donors. It specifically asked donors to disregard the email.

As quoted by Bleeping Computer:

While donating to us is always a good idea, we would never ask in such a grinchy way. The hack was to our communications system, which only includes your contact information and not any financial data. Please be assured that your contact information is protected and has been kept confidential.

Casey Vattimo, SVP of external relations for Special Olympics NY, went on to tell donors that the issue is now fixed and that they can once again securely make donations.

It’s not clear from its email notice how digital attackers initially compromised the nonprofit organization’s communication system. It’s possible that malicious actors used another phishing email in their effort to seize control of the targeted email server.

Given that possibility, organizations (Read more...)