Nordstrom customers conned out of thousands in St. Patrick’s Day phishing scam


Unlucky Nordstrom customers fell victim to a St. Patrick’s Day phishing attack on Tuesday after hackers infiltrated the company’s email system through its Okta Salesforce environment.

The North American luxury department store chain began alerting customers to the scam after receiving a barrage of reports about an email appearing to come directly from an official Nordstrom address, offering a “limited time” cryptocurrency opportunity in honor of the Irish saint.

“To celebrate St. Patrick's Day, Nordstrom is giving back! For the next 2 hours only, we'll double your cryptocurrency!” the message says.

It then urges the recipient to “Send cryptocurrency” to a bitcoin wallet address listed at the bottom of the message, guaranteeing that Nordstrom will “send you right back 200% of the amount you sent.”

“For example, if you send $2500, we'll send you right back $5000 to your sending address,” it said.

Nordstrom customers are targeted in a crypto scam attack. Image by Cybernews

Even though the message has all the hallmarks of a typical phishing attack – such as instilling a fear of missing out (FOMO) and several grammatical errors – the hackers still managed to steal about $5,600 from an unknown number of victims, according to BleepingComputer, which examined the “fraudsters' wallet address.”

The media outlet was also the first to report “that the security breach occurred via an Okta SSO > Salesforce compromise, and the scam emails were then sent to customers through Salesforce Marketing Cloud,” per a source familiar with the matter.

Nordstrom, which boasts over 33 million active customers, states about 15 million of them belong to its “Nordy Club" loyalty program, which presumably would retain email addresses in Nordstrom's internal marketing systems. That's in addition to the email addresses of the millions of customers who shop online.

"When a message comes from a real corporate email system, it bypasses many traditional security controls and immediately gains a user's trust," explained Chance Caldwell, Senior Director of the Phishing Defense Center at Cofense.

Caldwell says that organizations must treat outbound communication systems as “high-risk attack surfaces, while consumers need to remember that even 'legitimate' emails can be weaponized, especially when they involve cryptocurrency payments.”

“If an offer sounds too good to be true, it probably is, and no information should be provided unless the offer can be verified through other means with an organization," Caldwell said.
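A content-level check for this kind of lure, as an added example that is not from the article or from any vendor quoted in it: it scores a message body on the lure itself rather than on sender authentication, which the mail from Nordstrom's compromised marketing system would have passed. The sample bodies are constructed from the messages quoted in the article, and the wallet address is a placeholder, not the real one.

```python
import re

# Constructed sample bodies, adapted from the messages quoted in the article.
SCAM_BODY = (
    "To celebrate St. Patrick's Day, Nordstrom is giving back! For the next 2 hours only, "
    "we'll double your cryptocurrency! Send cryptocurrency to the address below and we'll "
    "send you right back 200% of the amount you sent. For example, if you send $2500, "
    "we'll send you right back $5000 to your sending address.\n"
    "bc1qplaceh0lderaddressn0trealxxxxxxxxxxxxxxxxxxxxxx\n"  # placeholder, not the real wallet
)
RETRACTION_BODY = (
    "Dear Customer, you may have received an email earlier today with the subject line "
    "\"Limited time: We'll double your cryptocurrency.\" That message was unauthorized. "
    "Please disregard it. Nordstrom will never ask customers to transact or otherwise "
    "transfer funds using cryptocurrency."
)

# Lure signals as (name, regex). SPF/DKIM/DMARC results are deliberately not consulted:
# in this incident the mail left a real, authenticated corporate system.
SIGNALS = [
    # Bitcoin address in bech32 (bc1...) or legacy (1.../3...) form.
    ("btc_address", re.compile(
        r"\b(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")),
    # "double" / "10x" / "200%" followed somewhere by a crypto keyword.
    ("multiplier_promise", re.compile(
        r"\b(double|triple|\d+x|\d{2,3}\s*%).*\b(crypto|bitcoin|btc)", re.I | re.S)),
    # "send X ... we'll send (you) (right) back": the giveaway-scam payment loop.
    ("send_to_receive", re.compile(r"\bsend\b.{0,80}\bsend (you )?(right )?back\b", re.I | re.S)),
    # Deadline pressure such as "next 2 hours only" or "limited time".
    ("time_pressure", re.compile(r"\b(next \d+ hours?|limited time|hours? only)\b", re.I)),
]


def score_lure(body: str) -> dict:
    """Return the signals that fired and whether the body should be flagged.

    A message is flagged only when it carries a payment instruction (an address or a
    send-to-get-back promise) AND at least one social-engineering signal. A retraction
    that merely quotes the lure, as Nordstrom's did, has no payment instruction and is
    therefore not flagged even though it repeats "double your cryptocurrency".
    """
    hits = [name for name, rx in SIGNALS if rx.search(body)]
    payment = any(h in hits for h in ("btc_address", "send_to_receive"))
    social = any(h in hits for h in ("multiplier_promise", "time_pressure"))
    return {"hits": hits, "flagged": payment and social}


if __name__ == "__main__":
    for label, body in (("scam", SCAM_BODY), ("retraction", RETRACTION_BODY)):
        print(label, score_lure(body))
```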

Scam email came from official Nordstrom address

Savvy Nordstrom customers who recognized the phishing attempt right away began posting about receiving the fake emails on social media.

BleepingComputer, as well as some users on Reddit, recognized the email address used by the hackers as legitimate, stating it is “an official address the company uses for sending marketing, sales, and promotional communication.”

Nordstrom breach Reddit comments
Image by Cybernews via Reddit

About three hours later, according to the Reddit user, Nordstrom began sending out its own emails asking customers to disregard the previous scam communications:

“Dear Customer, You may have received an email earlier today from [email protected] with the subject line "Limited time: We'll double your cryptocurrency."

That message was unauthorized. Please disregard it. Nordstrom will never ask customers to transact or otherwise transfer funds using cryptocurrency.

We are taking immediate action to investigate and address this issue. We apologize for any inconvenience this may cause. Sincerely, Nordstrom.”

Nordstrom customer alert email
Image by Cybernews via X

Founded in 1901 and headquartered in Seattle, Nordstrom operates 350 department stores across the US and Canada, including its off-price retail division, Nordstrom Rack, and employs 55,000 workers.

With an annual revenue of $15 billion, the company designs, markets, and outsources the manufacturing of several private brands, selling high-end apparel, footwear, accessories, beauty products, and home goods, the Nordstrom website states.

Similar crypto scams hit other major brands

Apparently, the Nordstrom crypto scam follows similar phishing attacks targeting customers of Grubhub and the financial advisory firm Betterment.

In mid-January, Betterment posted a security update on its website stating that an unauthorized individual had gained access to “third-party software platforms that Betterment uses to support our marketing and operations,” although it did not specifically mention Salesforce or Okta’s identity and access management platform by name.

“Once they gained access, the unauthorized individual was able to send a fraudulent, crypto-related message that appeared to come from Betterment to a subset of our customers,” the company said.

The Grubhub attackers reportedly crafted their phishing campaign, which took place in late December, around a “Merry Christmas” crypto offer, using the same lure and promising that Grubhub would “10x any Bitcoin sent to this address."
