In this attack, the attacker is impersonating the collaboration software provider, LogMeIn, in order to obtain the recipient’s credentials.
In May, we began to observe new email attack campaigns impersonating LogMeIn after previously seeing none. The growth in impersonations of this and many other collaborative platforms is, of course, likely due to the shift to remote work. Additionally, this attack leverages the various news stories about the troubled infrastructure and security of these platforms as a means for engaging with the victims and avoiding scrutiny.
- Platform: Office 365
- Mailboxes: > 5,000
- Victims: Employees
- Payload: Malicious Link
- Technique: Impersonation
What was the Attack?
- Setup: This attack impersonates collaboration platform provider, LogMeIn. We’ve seen an incredible uptick in collaboration software impersonations in the past month. Most of these platforms are associated with other logins (like G Suite or Office 365 logins) and can be leveraged by attackers to gain access to or assault other accounts.
- Email Attack:The email claims to be from LogMeIn informing the recipient of a patch to a zero day vulnerability in some of the company’s offerings. The user must update by following the link given that impersonates an actual LogMeIn url, but instead directs the recipient to the phishing site.
- Payload: The email contains a link to a fake login page. The anchor text and landing page appear similar to the legitimate LogMeIn page.
- Results: Should recipients fall victim to this attack, their login credentials to their LogMeIn account would be compromised. Additionally, since LogMeIn has SSO with Lastpass as LogMeIn is the parent company, it is possible the attacker may be attempting to obtain access to this user’s password manager.
Why is this attack effective?
- Timing: Other collaboration platforms have been under scrutiny for their security as many have become dependent on them to continue their work given the current pandemic. Because of this, frequent updates have become common as many platforms are attempting to remedy the situation. A recipient may be more inclined to update because they have a strong desire to secure their communications.
- Concealed URL: The link attack vector was hidden using an anchor text impersonation to make it appear to actually be directing to the LogMeIn domain.
- Imagery: Throughout this attack imagery found in legitimate LogMeIn pages are found in both the email and the phishing page. Additionally, the LastPass image shows in depth knowledge of the impersonated company and their offerings.
Abnormal Attack Stories are real world examples of attacks that we’ve seen in the wild.