The SANS Internet Storm Center yesterday warned users and administrators to be on the lookout for malicious emails purporting to come from the security and authentication firm LogMeIn. For its part, LogMeIn is aware of the attacks and has issued a number of warnings to its customers on its blog and various social networking channels.
Johannes Ullrich, head of the ISC, explained in a post that he received an email claiming to contain a security update for LogMeIn users. Within that email message was a .zip file that the senders described as a new security certificate that would protect users against the OpenSSL Heartbleed vulnerability from earlier this year. The fake certificate was also touted as a way of tying the machine that downloaded it to that user's LogMeIn account.
In reality, the attachment contained a suspicious .scr (screen saver) file. Also in the email was a link to the actual LogMeIn website, perhaps a further attempt at lending legitimacy to the message.
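A mail gateway can catch a lure of this shape before a user ever sees it: an archive member with an executable extension, or one whose content starts with a PE header behind a certificate-looking extension, is not a certificate. The following is an added example, not code from the article, the ISC or LogMeIn. The archive it inspects is constructed in-memory sample data and the member names are made up; the extension lists are ordinary Windows executable and certificate extensions.

```python
import io
import zipfile

# File extensions Windows runs as code when double-clicked. A .scr "screen saver"
# is an ordinary PE executable with a different extension.
EXECUTABLE_EXTENSIONS = {
    ".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".msi", ".cpl", ".dll",
}
# Extensions a "new security certificate" lure would plausibly carry.
CERT_EXTENSIONS = {".crt", ".cer", ".pem", ".p12", ".pfx", ".der"}


def inspect_zip_attachment(zip_bytes):
    """Return a list of (member_name, reason) for archive members that should
    not reach a user as a 'certificate' attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.rsplit("/", 1)[-1]
            parts = basename.lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTENSIONS:
                reason = "executable extension " + ext
                if len(parts) > 2 and "." + parts[-2] in CERT_EXTENSIONS:
                    reason += " hidden behind a certificate-looking double extension"
                findings.append((info.filename, reason))
                continue
            if info.flag_bits & 0x1:
                # Encrypted member: content cannot be inspected, so it is flagged
                # rather than silently passed through.
                findings.append((info.filename, "password-protected member, contents not inspectable"))
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":
                # PE executable regardless of what the extension claims.
                findings.append((info.filename, "PE executable (MZ header) with extension " + (ext or "(none)")))
    return findings


def build_sample_zip(members):
    """Build an in-memory archive from {name: bytes}. Constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed attachment, not the real sample from the report.
SAMPLE_ATTACHMENT = build_sample_zip({
    "security_certificate.crt.scr": b"MZ" + b"\x00" * 64,   # fake PE stub, double extension
    "security_certificate.cer": b"MZ" + b"\x00" * 64,       # executable mislabelled as a cert
    "README.txt": b"Install the attached certificate.\n",
    "real_looking.pem": b"-----BEGIN CERTIFICATE-----\nMIIBsample\n-----END CERTIFICATE-----\n",
})

if __name__ == "__main__":
    for name, reason in inspect_zip_attachment(SAMPLE_ATTACHMENT):
        print(f"BLOCK {name}: {reason}")
```

The two checks are deliberately independent: the extension rule catches the common case cheaply, and the MZ sniff catches a renamed executable that the extension rule would miss. Password-protected archives defeat both, which is why the code flags them instead of passing them.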
This attack stands out from the ceaseless torrent of spam that at times makes up nearly 70 percent of global email traffic for a couple of reasons. First, the sender address behind the scam is firstname.lastname@example.org, which appears to be a legitimate LogMeIn email account. Second, Ullrich had at one point registered a LogMeIn account under the very email address that received the malware-laden message.
“LogmeIn does publish a [sender policy framework] record, and the e-mail did not originate from a valid LogmeIn mail sender, so it should be easy to discriminate against these emails using a standard spam filter,” Ullrich explained.
While setting up a rule to filter this particular email seems like a fairly easy fix, the malware hidden in the message had a very low antivirus detection rate on VirusTotal: just two of 53 products detected the sample when Ullrich checked. However, while it is impossible to say for certain without a copy of the malware file, it is very likely that the number of detections has risen significantly following Ullrich's report.
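Ullrich's point is that the sender domain publishes an SPF record and the connecting host was not a listed sender, so a standard check rejects the message no matter how convincing the From address looks. Below is an added example of that check, not the ISC's, LogMeIn's or the article's code: a minimal SPF evaluator over a constructed, in-memory DNS table with hypothetical domains (vendor.example, _spf.mailhost.example, nospf.example, broken.example) that supports the ip4, ip6, include and all mechanisms; a, mx, ptr, exists and redirect are left out and reported as permerror.

```python
import ipaddress

# Constructed, in-memory stand-in for DNS TXT lookups. These records are
# hypothetical and are not LogMeIn's real SPF data.
FAKE_DNS_TXT = {
    "vendor.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "nospf.example": "some unrelated TXT record",
    "broken.example": "v=spf1 include:missing.example -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns):
    """Return the v=spf1 record for domain, or None if it publishes none."""
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_spf(sender_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate the connecting IP against the domain's SPF record.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:
        return "permerror"          # RFC 7208 caps DNS-querying terms at 10
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech = term.lower()
        if mech == "all":
            matched = True
        elif mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            matched = ip.version == net.version and ip in net
        elif mech.startswith("include:"):
            sub = check_spf(sender_ip, term[8:], dns, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"  # an include: target must publish a record
            matched = sub == "pass"
        else:
            return "permerror"      # a/mx/ptr/exists/redirect not modelled here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                # no term matched and no explicit 'all'


def gateway_verdict(envelope_from, connecting_ip, dns=FAKE_DNS_TXT):
    """Map the SPF result for one inbound message to a filter action.
    SPF covers the envelope MAIL FROM domain; the header From: the user sees
    is only tied to it by DMARC alignment, which is outside this example."""
    domain = envelope_from.rsplit("@", 1)[-1]
    result = check_spf(connecting_ip, domain, dns)
    action = {"pass": "deliver", "fail": "reject", "softfail": "quarantine"}.get(result, "deliver-tagged")
    return result, action


if __name__ == "__main__":
    # Constructed messages: a genuine vendor sender, a lookalike sent from an
    # unlisted host, and a domain that publishes no SPF at all.
    for sender, ip in [("noreply@vendor.example", "203.0.113.25"),
                       ("noreply@vendor.example", "192.0.2.77"),
                       ("noreply@nospf.example", "192.0.2.77")]:
        print(sender, ip, gateway_verdict(sender, ip))
```

The evaluator keys on the connecting IP and the envelope sender, which a forger cannot make agree with the vendor's published record; the visible From: header, which is what made this message look legitimate, is not covered by SPF alone, so a gateway that stops at SPF should quarantine on softfail rather than treat it as a pass.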
LogMeIn posted a picture of the email on its blog:
“We’ve seen reports of a fake (presumably phishing) email making the rounds, and as part of our ongoing commitment to security, we wanted to make sure our users and the public, at large, were both aware of the reports and educated on how to identify suspicious emails,” LogMeIn security researcher Attila Torok said. “According to the reports, the email subject line contains the phrase ‘LogMeIn Security Update’ and it has been designed to make it look like it is coming from a LogMeIn email address.”
Torok went on to explain that the email did not come from LogMeIn and that the company would never ask users to update an SSL certificate.