Nonprofit organization Special Olympics New York hacked and its server used to send phishing emails

Special Olympics of New York, a nonprofit organization focused on competitive athletes with intellectual disabilities, was hacked.

Special Olympics New York provides inclusive opportunities for people with intellectual disabilities to compete in Olympic-style, coached sports.

Unfortunately, the nonprofit organization was hacked during the Christmas holiday and the attackers later used its email server to launch a phishing campaign against its donors.

“Friends, Boo! As you may have noticed, our email server was temporarily hacked. We have fixed the problem and send our sincerest apologies. While donating to Special Olympics NY is always a good idea, we would never ask in such a grinchy way.” wrote Stacey Hengsterman, President & CEO of Special Olympics NY, in a post published on Instagram.

“We immediately heard from so many of you and for that we are grateful. We are sorry for the inconvenience and hope you are all enjoying your holiday season!”

The organization disclosed the hack and announced that it had locked out the attackers. It also sent a data breach notification to affected people, recommending that they disregard the last message received from the organization.

SVP of External Relations for Special Olympics NY Casey Vattimo announced the hack via Twitter and confirmed that the situation had been restored.

FWIW: If anyone does want to make a secure donation, now’s the time. All amounts are being tripled through Dec. 31st courtesy of @FinishLine! https://t.co/hstRRhsgeU
— Casey Vattimo (@CVattimo) December 27, 2019

Special Olympics New York reported that the intrusion only affected the “communications system” that contained donors’ contact information. It also pointed out that no financial data was exposed.

The phishing messages sent to the donors alerted them to an impending donation transaction that would automatically debit $1,942.49 from the target’s account within two hours.

With this lure, the attackers aimed to trick victims into clicking on one of the two embedded hyperlinks that redirected them to a PDF version of the transaction statement.

Source: Bleeping Computer

“Please review and confirm that all is correct, if you have any questions, please find my office ext number in the statement and call me back,” read the content of the phishing emails. “It is not a mistake, i verified all twice. Thank you, have a great weekend.”

The phishing email utilized a Constant Contact tracking URL that redirected the victims to a page designed to steal donors’ credit card details.

Casey Vattimo added that users could now make donations without problems. She also added that all amounts donated to Special Olympics NY through December 31 will be tripled courtesy of Finish Line.

The post Nonprofit organization Special Olympics New York hacked and its server used to send phishing emails appeared first on Security Affairs.