SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2016-06-21 InfoSec Handlers Diary Blog



LogMeIn Captain! A "Not so Phishy" Phishing Campaign

Published: 2016-06-21
Last Updated: 2016-06-21 03:39:00 UTC
by Rob VandenBrink (Version: 1)
2 comment(s)

Today's story is on another (sort of) phishing campaign - the twist in this one is that the targets are... us, again, sort of. This one caught my eye because I've never had a LogMeIn account - no reflection on the product, I've just always had licenses for other comparable products.

The email discusses a real problem: a breach at one site can result in the stolen credentials being tried on a different site, because so many folks use "the same password for everything".

The note then continues with two "click here" links, which point to two different websites, neither of which is logmein.com.

The blog link in the email points to blog.logmeininc.com, which is different from the blog linked from LogMeIn's home page, blog.logmein.com. And accounts.logme.in is a domain that truly looks like it was set up to steal credentials.

The use of "lookalike sites" like this, where the DNS name is "close but no cigar" and the content is scraped from the real site, is a very widespread and successful approach - if a person is fooled into clicking the first link, they almost always continue on by giving up their password or installing the malware hosted on the site. This password change form looks precisely like that.
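The check a recipient (or a mail gateway) would want for a note like this, as an added example that is not part of the diary and not LogMeIn's code: pull every link out of the HTML body and classify its host against the one domain the diary names as legitimate, logmein.com. The sample message, the EXPECTED_DOMAINS set and the "brand label hidden in a dotted or padded hostname" heuristic are assumptions made for the demo, and the two-label registrable-domain rule is deliberately naive (it is wrong for co.uk-style suffixes).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the recipient legitimately expects LogMeIn mail to link to.
# Assumption for the demo: the diary only vouches for logmein.com.
EXPECTED_DOMAINS = {"logmein.com"}

# Constructed sample, modelled on the links the diary describes (not the real message).
SAMPLE_EMAIL = """
<p>Click <a href="https://accounts.logme.in/reset">here</a> to reset your password.</p>
<p>Read more on our <a href="https://blog.logmeininc.com/security-update">blog</a>.</p>
<p><a href="https://secure.logmein.com/privacy">Privacy Policy</a></p>
<p><a href="https://example.org/unsubscribe">Unsubscribe</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def registrable_domain(host):
    """Last two DNS labels. Naive on purpose: fine for .com/.in, wrong for co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(href, expected=EXPECTED_DOMAINS):
    """'expected' if the host sits under a trusted domain, 'lookalike' if the
    brand label appears anywhere in the hostname once dots and dashes are
    removed (catches both logme.in and logmeininc.com), else 'other'."""
    host = urlsplit(href).hostname or ""
    if registrable_domain(host) in expected:
        return "expected"
    brands = {d.split(".")[0] for d in expected}
    squashed = re.sub(r"[^a-z0-9]", "", host.lower())
    if any(b in squashed for b in brands):
        return "lookalike"
    return "other"


def audit_email(html):
    """Return [(href, link text, verdict), ...] for every anchor in the body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, classify_link(href)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, verdict in audit_email(SAMPLE_EMAIL):
        print(f"{verdict:9s} {href}  ({text!r})")
```

Run against the sample, the two "click here" destinations come back as lookalike, the Privacy Policy link as expected, and the unrelated host as other; a real mail filter would swap the two-label rule for a public-suffix list and add the usual homoglyph checks, but the squashed-hostname test alone is enough to flag the two hosts the diary singles out.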

The truly ironic links in this note are the one to the Privacy Policy and the one to a LogMeIn blog post that explains why you should never click on links in random emails - both of these point to logmein.com links that look "for real".

The final verdict?  This note is absolutely legitimate; they really are asking folks to reset their passwords. Unfortunately, the way the note is constructed, it should be setting off alarm bells for anyone in the security business.

This really is too bad, because the message is a good one - as Worf (STNG reference) is fond of saying, "it's always a good day to change your password"!

===============
Rob VandenBrink
Compugen
