Threat Level: green Handler on Duty: Tom Webb

SANS ISC: InfoSec Handlers Diary Blog - Fake LogMeIn Certificate Update with Bad AV Detection Rate InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Fake LogMeIn Certificate Update with Bad AV Detection Rate

Published: 2014-09-22
Last Updated: 2014-09-22 15:47:36 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

I just receive a pretty "plausible looking" e-mail claiming to originate from Logmein.com. The e-mail passed the first "gut check".

  • The "From" address is auto-mailer@logmein.com.
  • It was sent to an address I have used for Logmein in the past
  • The only link inside the e-mail went to a legit Logmein URL.

Of course, the .zip attachment did set off some alarm bells, in particular as it unzipped to a .scr (Screen Saver).

According to VirusTotal, AV detection is almost non-existant at this point:

LogmeIn does publish a SPF record, and the e-mail did not originate from a valid LogmeIn mail sender, so it should be easy to descriminate against these emails using a standard spam filter.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords: logmein malware
5 comment(s)
Diary Archives