Information Security News
===============
Rob VandenBrink, Metafore
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Today's story is on another (sort of) phishing campaign - the twist on this one is that the targets are .. us, again, sort of. This one caught my eye because I've never had a LogMeIn account - no reflection on the product, I've just always had licenses on other comparable products.
The email discusses a real situation, where a breach at one site can result in those credentials being used on a different site, because of the widespread practice of people using the same password for everything.
The note then continues with two "click here" links, which point to two different websites, neither of which is logmein.com.
The blog entry the email points to, blog.logmeininc.com, is different from the blog linked from LogMeIn's home page, which is at blog.logmein.com. And accounts.logme.in is a domain that truly looks like it was set up to steal credentials.
The use of lookalike sites like this, where the DNS name is close but no cigar and the content is scraped from the real site, is a very widespread and successful approach - if a person is fooled into clicking the first link, they almost always continue by giving up their password or installing the malware that's hosted on the site. This password change form looks precisely like that.
The final verdict? This note is absolutely legitimate; they really are asking people to reset their passwords. Unfortunately, the way the note is constructed should set off alarm bells for anyone in the security business.
This really is too bad, because the message is a good one - as Worf (STNG reference) is fond of saying, "it's always a good day to change your password".
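One way to turn the "close but no cigar" observation above into an automated check, as an added example that is not part of the ISC diary: given the brand's legitimate domain, classify each link host found in a message and flag the ones that carry the brand name without belonging to it. The allowlist, the simplified two-label registrable-domain rule and the sample link list are assumptions constructed for this example; the hosts themselves are the ones quoted in the diary.

```python
from urllib.parse import urlparse

# Constructed sample input: the brand's legitimate domain (assumed allowlist)
# and the link hosts quoted in the diary above, plus contrasting cases.
LEGITIMATE_DOMAINS = {"logmein.com"}
BRAND = "logmein"

SAMPLE_LINKS = [
    "https://blog.logmein.com/",       # the real LogMeIn blog
    "https://blog.logmeininc.com/",    # blog host used in the email
    "https://accounts.logme.in/",      # reset host used in the email
    "https://example.org/",            # unrelated site
    "mailto:support@logmein.com",      # no host to check
]


def registrable_domain(host):
    """Return the last two labels of a hostname, e.g. 'logmeininc.com'.

    Assumption: a simplified two-label rule. A production check should use the
    Public Suffix List so that hosts such as 'example.co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url, legitimate=LEGITIMATE_DOMAINS, brand=BRAND):
    """Classify one URL as 'legitimate', 'lookalike', 'external' or 'no-host'.

    A host is legitimate only if its registrable domain is on the allowlist.
    Otherwise, if the brand string appears in the hostname once the dots are
    removed (so 'accounts.logme.in' reads as 'accountslogmein'), the host is
    reported as a lookalike; anything else is simply external.
    """
    host = urlparse(url).hostname
    if host is None:
        return "no-host"
    if registrable_domain(host) in legitimate:
        return "legitimate"
    if brand in host.lower().replace(".", ""):
        return "lookalike"
    return "external"


def flag_links(urls, legitimate=LEGITIMATE_DOMAINS, brand=BRAND):
    """Return the URLs a reviewer should look at: the lookalikes only."""
    return [u for u in urls if classify_link(u, legitimate, brand) == "lookalike"]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_link(link):10s} {link}")
    print("flagged:", flag_links(SAMPLE_LINKS))
```

Run against the sample list, both hosts from the email come back as lookalikes while blog.logmein.com passes, which is exactly the alarm-bell outcome the diary describes; the dot-stripping step is what catches the split-brand trick in logme.in.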
Some of our readers reported spam messages related to the recent SWIFT case. With all the buzz around this story, it is not surprising to see more and more attackers using this scenario to entice victims into opening malicious files. The mail subject is "Swift Payment Notice, pls check".
The HTML link points to a malicious PE file called SWIFT COPY.exe (MD5: 6ccabab506ad6a8f13c6d84b955c3037). The file is downloaded from a compromised WordPress instance and seems to contain a keylogger. Data is sent to onyeoma5050s.ddns.net. The host resolved to 18.104.22.168 but no longer does (takedown already completed?).
Even though PE files should be blocked by most web proxies, the current VirusTotal score remains low (6/55), which still makes it dangerous.
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
Infosecurity Magazine (blog)
Come Spy with Me: Drones and Info-Sec
As drone use increases, both for commercial applications and for recreational purposes, new challenges are emerging with regard to privacy and information security. Millions of drones are estimated to have already been sold worldwide; tens of millions ...