Malware-Laced Emails Appear to Come From LogMeIn


Spam emails pretending to be a security update for LogMeIn users, including a new security certificate countering Heartbleed attacks, are making the rounds, warns the SANS Institute.

The SANS Internet Storm Center yesterday warned users and administrators to be on the lookout for malicious emails purporting to come from the security and authentication firm LogMeIn. For its part, LogMeIn is aware of the attacks, and has issued a number of warnings to its customers on its blog and various social networking channels.

Johannes Ullrich, head of the ISC, explained in a post that he received an email claiming to contain a security update for LogMeIn users. Within that email message was a .zip file that the senders described as a new security certificate that would protect users against the OpenSSL Heartbleed vulnerability from earlier this year. The fake certificate was also touted as a way of connecting the user-machine downloading the certificate with that user’s LogMeIn account.

In reality, the attachment contained a suspicious .scr (screen saver) file. Also in the email was a link to the actual LogMeIn website, perhaps a further attempt at lending legitimacy to the message.

This attack stands out from the ceaseless torrent of spam emails, which at times constitutes nearly 70 percent of global email traffic, for a couple of reasons. One of those reasons is that the email address behind the scam is auto-mailer@logmein.com, appearing to originate from a legitimate LogMeIn email account. Another reason is that Ullrich at one point had a LogMeIn account established with the email address that received the malware-laden message.

“LogmeIn does publish a [sender policy framework] record, and the e-mail did not originate from a valid LogmeIn mail sender, so it should be easy to discriminate against these emails using a standard spam filter,” Ullrich explained.

While setting up a rule to filter this particular email seems like a fairly easy fix, the malware hidden in the email message had a very low antivirus detection rate on VirusTotal: just two of 53 products detected the sample when Ullrich checked. However, while it is impossible to say for certain without having a copy of the malware file, it is very likely that the number of detections has risen significantly following Ullrich’s report.
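A filter rule of the kind described above can combine the two signals that do not depend on antivirus signatures: a From address in logmein.com without an SPF pass, and a .zip attachment carrying a .scr file. The Python sketch below is an added example, not code from the ISC or LogMeIn; it assumes the receiving mail server stamps a `Received-SPF` header, and the attachment name, extension list and sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

RISKY_EXT = (".scr", ".exe", ".pif", ".com")  # Windows runs .scr like any executable

def spf_passed(msg):
    # Trust only the topmost Received-SPF header (assumed stamped by our own MTA).
    hdrs = msg.get_all("Received-SPF", [])
    return bool(hdrs) and str(hdrs[0]).lower().split()[:1] == ["pass"]

def risky_zip_members(msg):
    """List executable-type file names found inside .zip attachments."""
    hits = []
    for part in msg.iter_attachments():
        if not (part.get_filename() or "").lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                hits += [n for n in zf.namelist() if n.lower().endswith(RISKY_EXT)]
        except zipfile.BadZipFile:
            hits.append("<unreadable archive>")
    return hits

def triage(raw, protected_domain="logmein.com"):
    msg = message_from_bytes(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    spoofed = from_domain == protected_domain and not spf_passed(msg)
    payloads = risky_zip_members(msg)
    if spoofed and payloads:
        return "reject", payloads
    return ("quarantine" if spoofed or payloads else "deliver"), payloads

def build_sample(spf="fail", with_zip=True):
    """Constructed test message; attachment name and contents are placeholders."""
    m = EmailMessage()
    m["From"] = "LogMeIn <auto-mailer@logmein.com>"
    m["To"] = "user@example.org"
    m["Subject"] = "LogMeIn Security Update"
    m["Received-SPF"] = f"{spf} (constructed result) client-ip=192.0.2.10"
    m.set_content("constructed body")
    if with_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("certificate.scr", b"placeholder bytes, not a real binary")
        m.add_attachment(buf.getvalue(), maintype="application",
                         subtype="zip", filename="certificate.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

Because neither check looks at the file's contents, the verdict is the same whether two or fifty antivirus products recognise the sample.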

LogMeIn posted a picture of the email on its blog.

“We’ve seen reports of a fake (presumably phishing) email making the rounds, and as part of our ongoing commitment to security, we wanted to make sure our users and the public, at large, were both aware of the reports and educated on how to identify suspicious emails,” LogMeIn security researcher Attila Torok said. “According to the reports, the email subject line contains the phrase ‘LogMeIn Security Update’ and it has been designed to make it look like it is coming from a LogMeIn email address.”

Torok went on to explain that the email did not come from LogMeIn and that the company would never ask users to update an SSL certificate.


Discussion

  • Regina Valluzzi on

    I have a different email claiming to be from Logmein. It also looks like a phishing attempt. How do I send it to you?
  • Phil on

    I received this scam today with an E-Mail attachment which I won't be opening. Dear client, Thank you for purchasing our yearly plan for LogMeIn Pro on 25 computers. Your credit card has been successfully charged. Date : 17/2/2015 Amount : $999 ( you saved $749.75) The transaction details can be found in the attached receipt. Your computers will be automatically upgraded the next time you sign in. Thank you for choosing LogMeIn!
    • Crystal Girgenti on

      Phil, I got the same email and then today I received one that said "Automatic payment failed - Credit Card rejected" with an attachment. Dear customer, Your subscription for LogMeIn Central Plus service will end within 72 hours. You are receiving this notification because the automatic payment has failed. ( Credit card - declined ) For more information, please find the payment invoice attached to this letter. Payment must be submitted before 21/02/2015, in order to avoid delays and service interruptions. Thank you for using LogMeIn I know it's malicious because LogMeIn never had my cc#. This is very concerning!
  • marion on

    I received the same email this morning. As I have never had 25 computers I am sure it is spam but warned my card provider as a couple of years ago I did use the software. I was thinking of buying it again but not now
