Phishing Alert: Fake Emails Mimic LogMeIn Activation Emails

In light of recent news around the Yahoo breach, we are getting reports from both the general public and LogMeIn customers about suspicious emails that are designed to look like they are coming from LogMeIn — they have all the hallmarks of phishing attempts.

All of the reports are meant to look like a LogMeIn activation email. The email subject line is: “Activate your account” or “Verify your new LogMeIn ID.”

We want to make it clear that these did NOT come from LogMeIn and people should NOT click on the links in these emails.   While we are working with our partners to remove these malicious websites, as part of our commitment to security, we want to make sure our users and the public are aware of this specific email, and we wanted to share what we’ve learned, as well as provide an easy way for people to identify the tell-tale signs of phishing attacks.

View the entire post on our corporate blog at blog.logmeininc.com.

         

PASSWORD REUSE ISSUE AFFECTING SOME LOGMEIN USERS

This excerpt is from a post that originally appeared on our official corporate blog: 

“…Today we began proactively resetting some LogMeIn users’ passwords. So we wanted to let both these users and the rest of our customer base understand why. The short version is these users’ credentials were on a list making the rounds on the web — credentials taken from high profile breaches at companies like LinkedIn, Tumblr and MySpace. Here’s a bit more.

What happened?

As you may have seen in the news, lists of hundreds of millions of user credentials taken from past breaches (mostly at social networks) are now being used for a variety of recent nefarious activity on high profile sites like Netflix and Facebook.

LogMeIn actively looks for situations where the accounts of our users could be at risk—even if the threat is external to our service. In this particular case, we identified users who may be at risk because of password reuse. Out of an abundance of caution, we proactively reset those users’ LogMeIn passwords…”

View the entire post on our corporate blog at blog.logmeininc.com.

 

 

         

Two phishing emails making the rounds

We’re getting reports from both LogMeIn users and the general public of suspicious emails. These appear to be part of a blanket phishing attempt. While there are some differences, all of the reports we’ve received are meant to appear as receipts with subject lines like “Your LogMeIn Pro payment has been processed!” and “Order Confirmation #789508 for <your email address>.” We want to make it clear that these did NOT come from LogMeIn and people should not click on or open any of the attachments in the email. As part of our commitment to security, we want to make sure our users and the public are aware of this specific email, and we wanted to share what we’ve learned, as well as provide an easy way for people to identify the tell tale signs of phishing attacks.

Also, please note that LogMeIn employs DMARC, SPF and DKIM on emails sent from a @logmein.com address. These allow the recipient email server to make sure that the email was sent from an authorized source and that its contents are intact.

The checks are performed on the receiver side. All major email providers, for example Google, Yahoo and Outlook.com, support these standards.

If you received one of these emails, please contact your email administrator and point her to this web site http://dmarc.org/, as your email server is not checking for DMARC.
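To make the receiver-side check concrete, here is an added example (not LogMeIn's code) that reads the Authentication-Results header a receiving server stamps on a message and classifies mail claiming a @logmein.com sender. The server name mx.example.net, the sender addresses and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). "mx.example.net" stands in for
# the recipient's own mail server; the addresses are placeholders.
GENUINE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=logmein.com;
 dkim=pass header.d=logmein.com; dmarc=pass header.from=logmein.com
From: LogMeIn <noreply@logmein.com>
Subject: Verify your new LogMeIn ID

(body omitted)
"""

SPOOFED = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=logmein.com;
 dkim=none; dmarc=fail header.from=logmein.com
Authentication-Results: mx.attacker.example; dmarc=pass header.from=logmein.com
From: LogMeIn <billing@logmein.com>
Subject: Your LogMeIn Pro payment has been processed!

(body omitted)
"""

METHOD_RE = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.I)


def receiver_results(raw, trusted_server):
    """Return (From domain, {method: result}) using only the topmost
    Authentication-Results header stamped by our own receiving server."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = {"spf": "missing", "dkim": "missing", "dmarc": "missing"}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = value.partition(";")
        ident = authserv_id.split()
        if not ident or ident[0].lower() != trusted_server:
            continue  # stamped by another host (possibly the sender): ignore
        for method, result in METHOD_RE.findall(rest):
            results[method.lower()] = result.lower()
        break
    return from_domain, results


def verdict(raw, trusted_server="mx.example.net", protected="logmein.com"):
    """Classify a message that claims to come from the protected domain."""
    from_domain, results = receiver_results(raw, trusted_server)
    if from_domain != protected and not from_domain.endswith("." + protected):
        return "other-sender"
    if results["dmarc"] == "pass":
        return "authenticated"
    return "unauthenticated:dmarc=" + results["dmarc"]


if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, verdict(raw))
```

A header carrying any other server name is ignored, because the sender can add such a header before the message ever reaches the recipient's server.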

The email subject lines are:

  • Your LogMeIn Pro payment has been processed!
    Or
  • Order Confirmation #789508 for <your email address>

Intended behavior/action: Tries to get you to open the corresponding attachment or a link, which contains a malicious file.

The email body text examples are:

Example one:
Dear client,

Thank you for purchasing our yearly plan for LogMeIn Pro on 25 computers.

Your credit card has been successfully charged.

Date : 17/2/2015
Amount : $720 ( you saved $549.75)

The transaction details can be found in the attached receipt.

Your computers will be automatically upgraded the next time you sign in.

Thank you for choosing LogMeIn!

Example two:
Dear customer,

Thank you for purchasing our yearly plan for LogMeIn Pro on 25 computers.

Your order has been processed and your credit card has been charged.

For more information regarding this order, please review the attached order confirmation invoice.

To open the invoice, Microsoft Word must be installed on your computer and macros feature must be enabled.

LogMeIn Account: <your email address>
Date : 30 March 2015
Amount : $720
Credit Card : XXX-XXX-XXXX-8012

Your computers will be automatically upgraded the next time you sign into your account.

Thank you for choosing LogMeIn!

As with all suspicious emails, please don’t open/download any attachments in these messages.  We’ll update this post if we learn more, but please be sure to delete these messages if you receive them.  We also recommend taking a look at our primer on how to protect yourself against phishing attacks.

         

Phishing alert: Fake emails mimic LogMeIn receipts

We’re getting reports from both the general public and LogMeIn customers about suspicious emails that are designed to look like they are coming from LogMeIn — they have all the hallmarks of phishing attempts.  All of the reports have the same headline and text. And all are meant to look like a receipt of purchase. The email subject line is: “Your LogMeIn Pro payment has been processed!” We want to make it clear that these did NOT come from LogMeIn and people should not click on or open any of the attachments in the email. As part of our commitment to security, we want to make sure our users and the public are aware of this specific email, and we wanted to share what we’ve learned, as well as provide an easy way for people to identify the tell tale signs of phishing attacks.

The email subject line is: Your LogMeIn Pro payment has been processed!
Intended behavior/action: Tries to get you to open the corresponding attachment, which contains a malicious file.
The email body text is:

Dear client, 

 Thank you for purchasing our yearly plan for LogMeIn Pro on 25 computers. 
 Your credit card has been successfully charged. 

 Date : 17/2/2015 
 Amount : $999 ( you saved $749.75) 

 The transaction details can be found in the attached receipt. 
 Your computers will be automatically upgraded the next time you sign in. 

 Thank you for choosing LogMeIn! 

    logmein_pro_receipt.doc (95)
As with all suspicious emails, please don’t open/download any attachments in these messages.  We’ll update this post if we learn more, but please be sure to delete these messages if you receive them.  We also recommend taking a look at our primer on how to protect yourself against phishing attacks.
         

CUSTOMER ALERT: NEW PHISHING EMAILS MIMIC INVOICES

We’re getting reports from both LogMeIn customers and the general public about suspicious emails that are designed to look like they are coming from LogMeIn addresses — they have all the hallmarks of phishing attempts.  The email subject lines vary slightly, but include language about an ‘Invoice’ and ‘Credit Card Declined.’  We want to make it clear that these did NOT come from LogMeIn and people should not click on any of the links in the emails.

As part of our commitment to security, we want to make sure our users and the public are aware of these specific emails, and we wanted to share what we’ve learned, as well as provide an easy way for people to identify the tell tale signs of phishing attacks.

Example subject lines on the emails are:

Email 1: LogMeIn Payment Invoice #48209182 – Credit Card declined

Email 2: LogMeIn Central Invoice #67018011 – Credit Card declined

Intended behavior/action:

Tries to lure you to click on a link to a fake invoice page.

What they look like:

Email (text/copy):

Dear client,

Your LogMeIn Central subscription is due to expire on December 11, 2014.

We were unable to charge your credit card for the due amount.( Merchant message – Insufficient funds)

Please remit the payment for the due invoice before Dec 11, 2014 to avoid service interruption.

The payment invoice has been issued and can be downloaded from our website :

<LINK REMOVED FOR SAFETY>

If the problem persists, contact us to complete your payment.

Thank you for choosing LogMeIn

As with all suspicious emails, please don’t click on any links or open/download any attachments in these messages.  We’ll update this post if we learn more, but please be sure to delete these messages if you receive them.  We also recommend taking a look at our primer on how to protect yourself against phishing attacks.

         

POODLE and LogMeIn: What You Need to Know

The security community recently identified a new vulnerability in the SSLv3 protocol, known as POODLE (Padding Oracle On Downgraded Legacy Encryption). This article helps you understand POODLE and the steps you should take to protect your systems. We also discuss steps we are taking at LogMeIn to protect you against POODLE and similar vulnerabilities now and into the future.

Are LogMeIn Products vulnerable?
The latest versions of LogMeIn products and services are not impacted by POODLE. Since the vast majority of our customers receive auto-updates, most users can rest assured that they are protected against such attacks. We’ve included the latest version numbers below and have provided an easy way to check your version and update if required.

How about your browser?
It’s important to understand that only the older SSLv3 protocol is vulnerable. Most modern browsers support protocols other than SSLv3, so unless you are using Internet Explorer 6 (IE 6), you’re in good shape. If you are using IE 6, we strongly recommend that you upgrade to Internet Explorer 7 (or above) or choose an alternative browser, such as Firefox, Opera or Chrome.

Use this third-party service to check your browser for vulnerability: https://www.poodletest.com/

If you remain on IE 6, keep in mind that IE 6 is NOT SUPPORTED and you will experience problems:

  • From any LogMeIn website, you will receive the following message:  “Internet Explorer cannot display the webpage”
  • When attempting to use the LogMeIn Client, you will be unable to log in or connect

But there’s a slight catch…
Even modern browsers are sometimes set to work around interoperability bugs in older servers by connecting using a downgraded protocol. Even when both sides of the connection support higher, more secure protocols, an active man-in-the-middle POODLE attack can utilize the one-sided weakness and downgrade the connection to SSLv3 and exploit the protocol’s vulnerability to gain access to the encrypted connection.

And a solution!
If either side of the connection explicitly disallows SSLv3 then the vulnerability cannot be exploited.

  • As a browser user, it’s best to disable SSLv3 in your browser. This will actually be done for you in the next versions of most popular browsers, such as Firefox and Chrome.
  • As someone running a webserver (like LogMeIn), the best thing to do is totally disable SSLv3 on the server side. And that’s just what LogMeIn will do. To ensure security of all users, we will disable SSLv3 support on our webservers starting today (20th October). The only small downside to this change is that anyone still using Internet Explorer 6 (which does not support the latest protocols) will no longer be able to communicate with any LogMeIn websites.
  • Going above and beyond what’s needed to respond to POODLE, we will disable SSLv3 support on all other servers in the coming weeks. This will impact all older versions of LogMeIn products: after this update, only the versions listed below (or newer) will be able to access LogMeIn services.

Additional detail about how POODLE works
POODLE represents a broad vulnerability that can potentially allow an attacker to gain access to the contents of encrypted communications. As discussed above, browsers are sometimes set to work around interoperability bugs in older servers by connecting using a downgraded protocol. By simulating a failure when establishing a connection to a server, an adversary can trick a browser and server into renegotiating their connection via an older protocol (SSLv3). Since the POODLE vulnerability is inherent to the protocol itself, not the server, the problem cannot be patched out like ShellShock and HeartBleed.
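The claim under "And a solution!" and the downgrade described in this section can be checked with a small model. This is an added example, not LogMeIn code: it is a simplified abstraction of version negotiation with client fallback (no real TLS traffic), and the function names are hypothetical.

```python
# Protocol versions in ascending order of strength.
ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]
ALL = frozenset(ORDER)
NO_SSLV3 = ALL - {"SSLv3"}


def server_pick(client_max, client_enabled, server_enabled):
    """Server selects the highest version both sides enable that does not
    exceed the maximum the client offered in this handshake attempt."""
    limit = ORDER.index(client_max)
    for version in reversed(ORDER[:limit + 1]):
        if version in client_enabled and version in server_enabled:
            return version
    return None


def connect(client_enabled, server_enabled, interferer=None):
    """Model of the client's fallback behaviour: offer the best enabled
    version and, if the handshake fails, retry with the next lower one.
    interferer(client_max) returns True when an on-path party makes that
    attempt fail. Returns (negotiated version or None, attempts made)."""
    attempts = []
    for client_max in sorted(client_enabled, key=ORDER.index, reverse=True):
        attempts.append(client_max)
        if interferer is not None and interferer(client_max):
            continue  # simulated failure: the client falls back and retries
        chosen = server_pick(client_max, client_enabled, server_enabled)
        if chosen is not None:
            return chosen, attempts
    return None, attempts


def fail_until_sslv3(client_max):
    """On-path interference as described above: every attempt that offers
    anything better than SSLv3 is made to fail."""
    return client_max != "SSLv3"


def outcomes():
    """Negotiated version for each configuration under interference."""
    return {
        "no interference": connect(ALL, ALL)[0],
        "both allow SSLv3": connect(ALL, ALL, fail_until_sslv3)[0],
        "server disables SSLv3": connect(ALL, NO_SSLV3, fail_until_sslv3)[0],
        "client disables SSLv3": connect(NO_SSLV3, ALL, fail_until_sslv3)[0],
    }


if __name__ == "__main__":
    for case, version in outcomes().items():
        print(f"{case:24} -> {version}")
```

In the model, once either side drops SSLv3 the interference can only make the connection fail; it can no longer produce an SSLv3 session.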

Latest LogMeIn product versions

The latest versions of LogMeIn products are NOT affected by the POODLE vulnerability. Here is a list of the latest versions, as well as instructions on how to quickly determine which version you are running and how to manually upgrade, if necessary.

  • LogMeIn Pro (LogMeIn Host v4.1.0.4408 and above on Windows or v4.1.0.4405 and above on Mac)(LogMeIn Client version 1.3.422 for Windows and 4.1.4587 for Mac) – How to check
  • Rescue Technician Console, Calling Card 7.4 or newer — How to check: Technician Console Options > About LogMeIn Rescue; Calling Card Settings > About
  • Cubby 1.0.0.12648 – How to check
  • join.me 1.17.0.156 – How to check
  • RemotelyAnywhere 11.3.2821 – Latest available here
  • AppGuru – Not impacted by POODLE due to LogMeIn webserver updates
  • Xively – Not impacted by POODLE due to LogMeIn webserver updates
  • Hamachi – Not impacted by POODLE
  • Backup 3.0.789 – How to check
  • Meldium — Not impacted by POODLE

 


         

Customer alert: New phishing emails mimic invoices, encryption update

We’ve had reports from LogMeIn customers, as well as the general public, that a couple of emails are making the rounds that mimic LogMeIn branding and are designed to look like they are coming from LogMeIn addresses. The MO looks very different — one purports to be a notification that “LogMeIn.com is moving to 1024 bit encryption from 128 bit” and the other is designed to appear as an invoice — and it’s not clear if they are coming from the same malicious source/entity.  Both appear to be phishing attempts, and we want to make it clear that these did NOT come from LogMeIn.

As part of our commitment to security, we want to make sure our users and the public are aware of these specific emails, and we wanted to share what we’ve learned, as well as provide an easy way for people to identify the tell tale signs of phishing attacks.

The subject lines on the emails are:

Email 1: “LogMeIn.com is moving to 1024 bit encryption from 128 bit – Update”

Email 2: “Your most recent LogMeIn invoice no. 8573984893 is attached for your review.” (please note the invoice number is likely altered per email)

Intended behavior/action:

Email 1: Tries to lure you to click on a link to a fake login page. The URL goes to a .su address, NOT logmein.com

Email 2: Tries to get you to open a .zip file attachment.

Both of these are classic red flags in phishing emails.
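Both red flags can be checked mechanically. The following is an added example (not LogMeIn tooling) that flags links whose host is not logmein.com or a subdomain of it, and attachments of the types named in these alerts. The sample message, its link host under the reserved .example TLD and the file name are constructed for illustration.

```python
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND = "logmein.com"
RISKY_EXT = (".zip", ".doc")  # attachment types named in the alerts on this page


class _Links(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def host_is_brand(url, brand=BRAND):
    """True only if the URL's host is the brand domain or a subdomain of it.
    A substring test would wrongly accept 'logmein.com.<something else>'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == brand or host.endswith("." + brand)


def red_flags(msg):
    """Return a list of 'link:<url>' and 'attachment:<name>' findings."""
    flags = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            if name.lower().endswith(RISKY_EXT):
                flags.append("attachment:" + name)
            continue
        if part.get_content_type() == "text/html":
            parser = _Links()
            parser.feed(part.get_content())
            flags += ["link:" + u for u in parser.hrefs if not host_is_brand(u)]
    return flags


def sample_message():
    """Constructed message: the visible link text shows the brand domain
    while the href points at a different host."""
    msg = EmailMessage()
    msg["From"] = "LogMeIn <billing@logmein.com>"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See the HTML part.")
    msg.add_alternative(
        '<p><a href="http://logmein.com.account-update.example/login">'
        'logmein.com</a> <a href="https://logmein.com/">home</a></p>',
        subtype="html",
    )
    msg.add_attachment(b"constructed bytes, not a real archive",
                       maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg


if __name__ == "__main__":
    print(red_flags(sample_message()))
```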

What they look like:

Email 1 (image)

Phishing mail 1

Email 1 (text/copy):

Dear,

Because the security of your online session is most important to us , and to maintain the quality of the services offered on our website we have decided to upgrade the encryption algorithm from 128 bits to 1024 bits , and to encrypt the passwords using the MD5 algorithm.
The MD5 algorithm is undecryptable, so if anyone manages to get passed our security systems, your information will be safe. But in order to apply this new algorithm on our entire system , we require you to login over a secure connection and update the username and password of your every computer using Logmein system.
Please click on the link below to begin the update process :

<hyperlink removed for safety reasons>

After the update is complete you will be redirected to your account , and will be able to use our new encryption system.Even if you won`t notice any differences rest assured that your online session has never been safer.

Email 2 (text/copy)

Your most recent LogMeIn invoice no. 8573984893 is attached for your review.

If you have any questions regarding this invoice, please contact your LogMeIn service team at the number provided on the invoice for assistance.

Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.

Thank you for choosing LogMeIn for your business solutions.

Important: Please do not respond to this message. It comes from an unattended mailbox.

As with all suspicious emails, please don’t click on any links or open/download any attachments in these messages.  We’ll update this post if we learn more, but please be sure to delete these messages if you receive them.  We also recommend taking a look at our primer on how to protect yourself against phishing attacks.

         

Update on Bash Shell Vulnerability (aka ‘Shellshock’) and LogMeIn Products

You may have heard about the CVE-2014-6271 and CVE-2014-7168 bash shell vulnerability, aka Shellshock. As part of our commitment to security, we wanted to provide an update on what this means for our customers. After investigating this issue, we can confirm that LogMeIn services are NOT affected by Shellshock, and for many customers, no additional action is required to protect against this vulnerability.

Important note for Mac OS X users:

Mac OS X itself is potentially impacted by the Shellshock vulnerability. Like many Mac applications, LogMeIn ‘client’ applications on Mac OS – including LogMeIn Pro Host, LogMeIn Pro Client, Rescue Technician Console Desktop App and Rescue Applet – do use bash to run scripts. Please note that this vulnerability is not in our products. It will have to be addressed through patches for OS X itself. We do not plan to release any of our own product updates related to this issue.

We do recommend that customers running LogMeIn ‘client’ applications on Macs upgrade their Bash versions on Mac OS X, as soon as Apple makes these available. [updates now available. please see UPDATE section at end of post]

If you’re worried, though, there is a way to manually update your GNU bash version to a more secure one: http://mac-how-to.wonderhowto.com/how-to/every-mac-is-vulnerable-shellshock-bash-exploit-heres-patch-os-x-0157606/

We will continue to monitor and will provide an update to this post as soon as a Mac OS X patch is available.

[UPDATE]

As pointed out by Stuart Bryant in the comments below, Apple has just released an update to address the Shellshock vulnerability.

For users running OS X Mavericks (OS X 10.9) , you can download the update here: http://support.apple.com/kb/DL1769

If you’re running an older version of OS X 10.8 or before, you can get the Mountain Lion version here: http://support.apple.com/kb/DL1768 or the Lion version here: http://support.apple.com/kb/DL1767

 

 

         

Reports of Fake LogMeIn Security Email

We’ve seen reports of a fake (presumably phishing) email making the rounds, and as part of our ongoing commitment to security, we wanted to make sure our users and the public, at large, were both aware of the reports and educated on how to identify suspicious emails.  According to the reports, the email subject line contains the phrase “LogMeIn Security Update” and it has been designed to make it look like it is coming from a LogMeIn email address. Please note that this email did NOT come from LogMeIn — we will never ask you to update your SSL certificate. And like any suspicious email, you should not download or open any attachments, and you should avoid clicking on any links.

We’ve included an image of the suspicious email below. Our security team has also created a quick primer on how to avoid phishing attacks.

Fake SSL certificate email from LogMeIn_9.22.14

 

         

New Government Advisory of PoS Malware Serves as a Security Reminder

The US government today posted an advisory regarding newly identified malware, dubbed Backoff, that has been tied to recent PoS (point-of-sale) data breach investigations.  Many of the findings and recommendations reinforce our ongoing commitment to — and stance on — security when it comes to remote access technology.  We encourage all of our PoS customers to take a look at the advisory.  And if nothing else, it should serve as another important reminder when it comes to password best practices and phishing.

As part of our ongoing commitment to customer security, we provide a wide variety of built-in features that our customers can employ to further secure their environments, and we continue to take steps to educate all of our customers on how to best protect themselves from security threats like phishing and malware.

You can learn more about the security best practices we recommend when it comes to passwords here, including how you can take advantage of our built-in security features like two-factor authentication – additional steps/details can be found on our help site, for example here and here.

We also encourage sharing our tips on how to identify and protect yourself against phishing attempts.