Nordstrom Email System Compromised to Send Crypto Scam Promotions to Customers
What Happened — Threat actors used leaked Okta SSO credentials to gain access to Nordstrom's Salesforce Marketing Cloud tenant and sent fraudulent "St. Patrick's Day" cryptocurrency-doubling offers from the legitimate nordstrom@eml.nordstrom.com sender address. At least several dozen customers received the messages, and some sent funds to the attackers' wallet; reported losses exceed $5,600 in cryptocurrency.
Why It Matters for TPRM —
- A compromised vendor marketing platform lets attackers send fraud from a sender that customers, partners, and mail filters already trust. Because the mail originates from the vendor's own sending infrastructure, it is expected to pass sender authentication (SPF, DKIM, DMARC), so domain checks alone will not catch it.
- Compromise of credentials for an SSO-fronted account (here Okta) shows why phishing-resistant MFA and monitoring of privileged access matter: a single identity can unlock every SaaS application behind it.
- The incident shows how a SaaS marketing platform (Salesforce Marketing Cloud) can become the delivery channel for fraud against a retailer's customers; the attack path ran through stolen credentials rather than a reported vulnerability in the platform.
Who Is Affected — Retail and e-commerce vendors, marketing SaaS providers, SSO/identity platforms, and any third party whose customers or staff receive outreach through Nordstrom's email channel.
Recommended Actions —
- Check whether mail from Nordstrom's sending domains (e.g., eml.nordstrom.com) is allowlisted or otherwise treated as trusted in your mail gateway or business workflows, and review messages received from them during the incident window.
- Review MFA enforcement and credential hygiene for all SSO integrations, especially Okta, and confirm that access to marketing and bulk-mail platforms requires MFA and is logged.
- Run a phishing awareness refresher for staff and customers; stress that a legitimate sender address does not make a message safe, and that crypto "doubling" offers, brand-name misspellings, and short deadlines are fraud indicators regardless of sender.
- Assess contractual security clauses with SaaS marketing providers (e.g., Salesforce) for breach notification and incident response obligations.
Technical Notes — The attackers appear to have used leaked Okta SSO credentials to access Salesforce Marketing Cloud and sent the fraud messages from a legitimate corporate sender address; because the mail came from Nordstrom's own sending platform, recipients could not rely on sender-domain checks to detect it. No public CVEs were cited. The messages contained misspellings ("Normstorm") and a two-hour urgency window to pressure victims. Source: BleepingComputer
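Because the fraud mail came from a legitimately authenticated sender, detection has to fall back on the content indicators the report describes: a brand-name misspelling, a cryptocurrency "doubling" pitch, a wallet address, and a short deadline. The following is an added example, not code from the report or from Nordstrom, showing how those indicators can be scored over constructed sample messages. The two messages, the Authentication-Results values, the wallet string, and the indicator thresholds are all assumptions made up for the example; the point it demonstrates is that both the scam and the genuine message pass SPF/DKIM/DMARC, so only the content heuristics separate them.

```python
"""Content-based indicators for brand-impersonating mail that passes sender
authentication. Added example; the sample messages below are constructed."""
import re

BRAND = "nordstrom"

# Constructed samples (not real captures): Authentication-Results value,
# subject, and body. Both carry passing spf/dkim/dmarc verdicts on purpose.
AUTH_PASS = ("mx.example.net; spf=pass smtp.mailfrom=eml.nordstrom.com; "
             "dkim=pass header.d=eml.nordstrom.com; "
             "dmarc=pass header.from=eml.nordstrom.com")
SCAM_MAIL = {
    "auth": AUTH_PASS,
    "subject": "St. Patrick's Day crypto giveaway",
    "body": ("Normstorm is celebrating St. Patrick's Day! Send BTC to "
             "bc1qexampleexampleexampleexampleexam and we will double it. "
             "Offer valid for the next 2 hours only."),
}
LEGIT_MAIL = {
    "auth": AUTH_PASS,
    "subject": "Your order has shipped",
    "body": ("Thanks for shopping at Nordstrom. Your order will arrive "
             "in 3-5 business days."),
}

CRYPTO_RE = re.compile(r"\b(bitcoin|btc|ether(?:eum)?|eth|crypto(?:currency)?)\b", re.I)
DOUBLE_RE = re.compile(r"\bdoubl(?:e|ing)\b", re.I)
# Heuristic shapes of BTC (bech32 and legacy) and ETH addresses; not validated.
WALLET_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34}|0x[a-fA-F0-9]{40})\b")
HOURS_RE = re.compile(r"\b(\d{1,2})\s*hours?\b", re.I)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus an adjacent
    transposition counted as one edit, so 'normstorm' -> 'nordstrom' costs 2
    (one substitution m->d, one swap or->ro) instead of 3."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def brand_lookalikes(text: str, brand: str = BRAND, max_edits: int = 2) -> list:
    """Words within max_edits of the brand name that are not the brand itself."""
    hits = []
    for word in re.findall(r"[A-Za-z]+", text):
        w = word.lower()
        if w == brand or abs(len(w) - len(brand)) > max_edits:
            continue
        if osa_distance(w, brand) <= max_edits:
            hits.append(word)
    return hits


def urgency_window_hours(text: str):
    """Return the first 'N hours' deadline mentioned, or None."""
    m = HOURS_RE.search(text)
    return int(m.group(1)) if m else None


def parse_auth_results(header: str) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results value."""
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def assess(mail: dict) -> dict:
    """Score one message. Authentication is recorded but deliberately does not
    lower the score: a compromised legitimate sender passes it anyway."""
    text = f"{mail['subject']}\n{mail['body']}"
    auth = parse_auth_results(mail["auth"])
    result = {
        "auth_all_pass": all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        "brand_lookalikes": brand_lookalikes(text),
        "urgency_hours": urgency_window_hours(text),
        "crypto_doubling": bool(CRYPTO_RE.search(text) and DOUBLE_RE.search(text)),
        "wallet_addresses": WALLET_RE.findall(text),
    }
    score = (bool(result["brand_lookalikes"]) + result["crypto_doubling"]
             + bool(result["wallet_addresses"])
             + (result["urgency_hours"] is not None and result["urgency_hours"] <= 24))
    result["score"] = int(score)
    result["suspicious"] = score >= 2  # two independent indicators, assumed threshold
    return result


if __name__ == "__main__":
    for name, mail in (("scam", SCAM_MAIL), ("legit", LEGIT_MAIL)):
        print(name, assess(mail))
```

The threshold of two indicators is an assumption chosen so that a lone "within 24 hours" reminder in genuine mail does not trip the rule; in a real gateway this logic would sit alongside, not instead of, authentication results and sender reputation.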