Phishing alert: Fake emails mimic LogMeIn receipts

We’re getting reports from both the general public and LogMeIn customers about suspicious emails designed to look like they come from LogMeIn — they have all the hallmarks of phishing attempts. All of the reports describe the same subject line and text, and all are meant to look like a receipt of purchase. We want to make it clear that these did NOT come from LogMeIn, and people should not click on or open any of the attachments in the email. As part of our commitment to security, we want to make sure our users and the public are aware of this specific email, and we wanted to share what we’ve learned, as well as provide an easy way for people to identify the telltale signs of phishing attacks.

The email subject line is: Your LogMeIn Pro payment has been processed!
Intended behavior/action: Tries to get you to open the corresponding attachment, which contains a malicious file.
The email body text is:

Dear client,

Thank you for purchasing our yearly plan for LogMeIn Pro on 25 computers.
Your credit card has been successfully charged.

Date : 17/2/2015
Amount : $999 ( you saved $749.75)

The transaction details can be found in the attached receipt.
Your computers will be automatically upgraded the next time you sign in.

Thank you for choosing LogMeIn!

logmein_pro_receipt.doc (95)
As with all suspicious emails, please don’t open/download any attachments in these messages. We’ll update this post if we learn more, but please be sure to delete these messages if you receive them. We also recommend taking a look at our primer on how to protect yourself against phishing attacks.

CUSTOMER ALERT: NEW PHISHING EMAILS MIMIC INVOICES

We’ve been getting reports from both LogMeIn customers and the general public about suspicious emails designed to look like they come from LogMeIn addresses — they have all the hallmarks of phishing attempts. The email subject lines vary slightly, but include language about an ‘Invoice’ and ‘Credit Card Declined.’ We want to make it clear that these did NOT come from LogMeIn, and people should not click on any of the links in the emails.

As part of our commitment to security, we want to make sure our users and the public are aware of these specific emails, and we wanted to share what we’ve learned, as well as provide an easy way for people to identify the telltale signs of phishing attacks.

Example subject lines on the emails are:

Email 1: LogMeIn Payment Invoice #48209182 – Credit Card declined

Email 2: LogMeIn Central Invoice #67018011 – Credit Card declined

Intended behavior/action:

Tries to lure you to click on a link to a fake invoice page.

What they look like:

Email (text/copy):

Dear client,

Your LogMeIn Central subscription is due to expire on December 11, 2014.

We were unable to charge your credit card for the due amount.( Merchant message – Insufficient funds)

Please remit the payment for the due invoice before Dec 11, 2014 to avoid service interruption.

The payment invoice has been issued and can be downloaded from our website :

<LINK REMOVED FOR SAFETY>

If the problem persists, contact us to complete your payment.

Thank you for choosing LogMeIn

As with all suspicious emails, please don’t click on any links or open/download any attachments in these messages. We’ll update this post if we learn more, but please be sure to delete these messages if you receive them. We also recommend taking a look at our primer on how to protect yourself against phishing attacks.


POODLE and LogMeIn: What You Need to Know

The security community recently identified a new vulnerability in the SSLv3 protocol, known as POODLE (Padding Oracle On Downgraded Legacy Encryption). This article helps you understand POODLE and the steps you should take to protect your systems. We also discuss steps we are taking at LogMeIn to protect you against POODLE and similar vulnerabilities now and into the future.

Are LogMeIn Products vulnerable?
The latest versions of LogMeIn products and services are not impacted by POODLE. Since the vast majority of our customers receive auto-updates, most users can rest assured that they are protected against such attacks. We’ve included the latest version numbers below and have provided an easy way to check your version and update if required.

How about your browser?
It’s important to understand that only the older SSLv3 protocol is vulnerable. Most modern browsers support protocols other than SSLv3, so unless you are using Internet Explorer 6 (IE 6), you’re in good shape. If you are using IE 6, we strongly recommend that you upgrade to Internet Explorer 7 (or above) or choose an alternative browser, such as Firefox, Opera or Chrome.

Use this third-party service to check your browser for vulnerability: https://www.poodletest.com/

If you remain on IE 6, keep in mind that IE 6 is NOT SUPPORTED and you will experience problems:

  • From any LogMeIn website, you will receive the following message: “Internet Explorer cannot display the webpage”
  • When attempting to use the LogMeIn Client, you will be unable to log in or connect

But there’s a slight catch…
Even modern browsers are sometimes set to work around interoperability bugs in older servers by connecting using a downgraded protocol. Even when both sides of the connection support higher, more secure protocols, an active man-in-the-middle POODLE attack can utilize the one-sided weakness and downgrade the connection to SSLv3 and exploit the protocol’s vulnerability to gain access to the encrypted connection.

And a solution!
If either side of the connection explicitly disallows SSLv3 then the vulnerability cannot be exploited.

  • As a browser user, it’s best to disable SSLv3 in your browser. This will actually be done for you in the next versions of most popular browsers, such as Firefox and Chrome.
  • As someone running a webserver (like LogMeIn), the best thing to do is totally disable SSLv3 on the server side. And that’s just what LogMeIn will do. To ensure security of all users, we will disable SSLv3 support on our webservers starting today (20th October). The only small downside to this change is that anyone still using Internet Explorer 6 (which does not support the latest protocols) will no longer be able to communicate with any LogMeIn websites.
  • Going above and beyond what’s needed to respond to POODLE, we will disable SSLv3 support on all other servers in the coming weeks. This will impact all older versions of LogMeIn products: after this update, only the versions listed below (or newer) will be able to access LogMeIn services.

Additional detail about how POODLE works
POODLE represents a broad vulnerability that can potentially allow an attacker to gain access to the contents of encrypted communications. As discussed above, browsers are sometimes set to work around interoperability bugs in older servers by connecting using a downgraded protocol. By simulating a failure when establishing a connection to a server, an adversary can trick a browser and server into renegotiating their connection via an older protocol (SSLv3). Since the POODLE vulnerability is inherent to the protocol itself, not the server, the problem cannot be patched out like Shellshock and Heartbleed.
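To make the reasoning above concrete, here is a small Python model of the fallback dance, added for this write-up and not LogMeIn’s own code: the client offers its strongest enabled version first, a simulated man-in-the-middle breaks each handshake so the client retries one step lower, and the negotiation only ends on SSLv3 when both sides still allow it. The version list and endpoint names are constructed for the illustration.

```python
from dataclasses import dataclass

# Protocol versions, weakest first (constructed list for the model).
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]


@dataclass
class Endpoint:
    """One side of the connection and the versions it is willing to speak."""
    name: str
    enabled: frozenset


def negotiate(client, server, attacker_present=False):
    """Run the fallback dance and return (agreed_version, poodle_exposed).

    The browser offers its strongest enabled version first.  A refusal by the
    server, or a handshake the man-in-the-middle deliberately breaks, makes the
    browser retry one version lower.  The attacker only breaks handshakes that
    are above SSLv3; once the client is down at SSLv3 it lets it through.
    """
    for version in reversed(VERSIONS):          # strongest first
        if version not in client.enabled:
            continue                            # client will not offer it
        if version not in server.enabled:
            continue                            # server refuses; client falls back
        if attacker_present and version != "SSLv3":
            continue                            # simulated failure forces a retry lower
        return version, version == "SSLv3"
    return None, False                          # no common version: connection fails


def assess(client, server):
    """Classify a client/server pair the way the post does: either side refusing
    SSLv3 means the downgrade can never end on SSLv3, whatever the attacker does."""
    no_attack = negotiate(client, server)[0]
    under_attack, exposed = negotiate(client, server, attacker_present=True)
    if exposed:
        return "vulnerable: attacker can downgrade %s to SSLv3" % no_attack
    if under_attack is None:
        return "safe: attack only causes a failed connection (normally %s)" % no_attack
    return "safe: negotiated %s" % under_attack


ALL = frozenset(VERSIONS)
NO_SSLV3 = frozenset(VERSIONS) - {"SSLv3"}

if __name__ == "__main__":
    browser = Endpoint("browser", ALL)
    print(assess(browser, Endpoint("legacy-web", ALL)))
    print(assess(browser, Endpoint("patched-web", NO_SSLV3)))
    print(assess(Endpoint("browser-no-sslv3", NO_SSLV3), Endpoint("legacy-web", ALL)))
```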

Latest LogMeIn product versions

The latest versions of LogMeIn products are NOT affected by the POODLE vulnerability. Here is a list of the latest versions, as well as instructions on how to quickly determine which version you are running and how to manually upgrade, if necessary.

  • LogMeIn Pro (LogMeIn Host v4.1.0.4408 and above on Windows or v4.1.0.4405 and above on Mac)(LogMeIn Client version 1.3.422 for Windows and 4.1.4587 for Mac) – How to check
  • Rescue Technician Console, Calling Card 7.4 or newer — How to check: Technician Console Options > About LogMeIn Rescue; Calling Card Settings > About
  • Cubby 1.0.0.12648 – How to check
  • join.me 1.17.0.156 – How to check
  • RemotelyAnywhere 11.3.2821 – Latest available here
  • AppGuru – Not impacted by POODLE due to LogMeIn webserver updates
  • Xively – Not impacted by POODLE due to LogMeIn webserver updates
  • Hamachi – Not impacted by POODLE
  • Backup 3.0.789 – How to check
  • Meldium — Not impacted by POODLE


Customer alert: New phishing emails mimic invoices, encryption update

We’ve had reports from LogMeIn customers, as well as the general public, that a couple of emails are making the rounds that mimic LogMeIn branding and are designed to look like they come from LogMeIn addresses. The MO looks very different — one purports to be a notification that “LogMeIn.com is moving to 1024 bit encryption from 128 bit” and the other is designed to appear as an invoice — and it’s not clear if they come from the same malicious source/entity. Both appear to be phishing attempts, and we want to make it clear that these did NOT come from LogMeIn.

As part of our commitment to security, we want to make sure our users and the public are aware of these specific emails, and we wanted to share what we’ve learned, as well as provide an easy way for people to identify the telltale signs of phishing attacks.

The subject lines on the emails are:

Email 1: “LogMeIn.com is moving to 1024 bit encryption from 128 bit – Update”

Email 2: “Your most recent LogMeIn invoice no. 8573984893 is attached for your review.” (please note the invoice number is likely altered per email)

Intended behavior/action:

Email 1: Tries to lure you to click on a link to a fake login page. The URL goes to a .su address, NOT logmein.com

Email 2: Tries to get you to open a .zip file attachment.

Both of these are classic red flags in phishing emails.

What they look like:

Email 1 (image): [image: Phishing mail 1]

Email 1 (text/copy):

Dear,

Because the security of your online session is most important to us , and to maintain the quality of the services offered on our website we have decided to upgrade the encryption algorithm from 128 bits to 1024 bits , and to encrypt the passwords using the MD5 algorithm.
The MD5 algorithm is undecryptable, so if anyone manages to get passed our security systems, your information will be safe. But in order to apply this new algorithm on our entire system , we require you to login over a secure connection and update the username and password of your every computer using Logmein system.
Please click on the link below to begin the update process :

<hyperlink removed for safety reasons>

After the update is complete you will be redirected to your account , and will be able to use our new encryption system.Even if you won`t notice any differences rest assured that your online session has never been safer.

Email 2 (text/copy)

Your most recent LogMeIn invoice no. 8573984893 is attached for your review.

If you have any questions regarding this invoice, please contact your LogMeIn service team at the number provided on the invoice for assistance.

Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.

Thank you for choosing LogMeIn for your business solutions.

Important: Please do not respond to this message. It comes from an unattended mailbox.

As with all suspicious emails, please don’t click on any links or open/download any attachments in these messages.  We’ll update this post if we learn more, but please be sure delete these messages if you receive them.  We also recommend taking a look at our primer on how to protect yourself against phishing attacks.


Update on Bash Shell Vulnerability (aka ‘Shellshock’) and LogMeIn Products

You may have heard about the CVE-2014-6271 and CVE-2014-7168 bash shell vulnerability, aka Shellshock. As part of our commitment to security, we wanted to provide an update on what this means for our customers. After investigating this issue, we can confirm that LogMeIn services are NOT affected by Shellshock, and for many customers, no additional action is required to protect against this vulnerability.

Important note for Mac OS X users:

Mac OS X itself is potentially impacted by the Shellshock vulnerability. Like many Mac applications, LogMeIn ‘client’ applications on Mac OS – including LogMeIn Pro Host, LogMeIn Pro Client, Rescue Technician Console Desktop App and Rescue Applet – do use bash to run scripts. Please note that this vulnerability is not in our products. It will have to be addressed through patches for OS X itself. We do not plan to release any of our own product updates related to this issue.

We do recommend that customers running LogMeIn ‘client’ applications on Macs upgrade their Bash versions on Mac OS X as soon as Apple makes these available. [Update: the patches are now available; please see the UPDATE section at the end of this post.]

If you’re worried, though, there is a way to manually update your GNU bash version to a more secure one: http://mac-how-to.wonderhowto.com/how-to/every-mac-is-vulnerable-shellshock-bash-exploit-heres-patch-os-x-0157606/

We will continue to monitor and will provide an update to this post as soon as a Mac OS X patch is available.

[UPDATE]

As pointed out by Stuart Bryant in the comments below, Apple has just released an update to address the Shellshock vulnerability.

For users running OS X Mavericks (OS X 10.9), you can download the update here: http://support.apple.com/kb/DL1769

If you’re running an older version of OS X 10.8 or before, you can get the Mountain Lion version here: http://support.apple.com/kb/DL1768 or the Lion version here: http://support.apple.com/kb/DL1767


Reports of Fake LogMeIn Security Email

We’ve seen reports of a fake (presumably phishing) email making the rounds, and as part of our ongoing commitment to security, we wanted to make sure our users and the public, at large, were both aware of the reports and educated on how to identify suspicious emails.  According to the reports, the email subject line contains the phrase “LogMeIn Security Update” and it has been designed to make it look like it is coming from a LogMeIn email address. Please note that this email did NOT come from LogMeIn — we will never ask you to update your SSL certificate. And like any suspicious email, you should not download or open any attachments, and you should avoid clicking on any links.

We’ve included an image of the suspicious email below. Our security team has also created a quick primer on how to avoid phishing attacks.

[image: Fake SSL certificate email from LogMeIn, 9.22.14]


New Government Advisory of PoS Malware Serves as a Security Reminder

The US government today posted an advisory regarding newly identified malware, dubbed Backoff, that has been tied to recent PoS (point-of-sale) data breach investigations.  Many of the findings and recommendations reinforce our ongoing commitment to — and stance on — security when it comes to remote access technology.  We encourage all of our PoS customers to take a look at the advisory.  And if nothing else, it should serve as another important reminder when it comes to password best practices and phishing.

As part of our ongoing commitment to customer security, we provide a wide variety of built-in features that our customers can employ to further secure their environments, and we continue to take steps to educate all of our customers on how to best protect themselves from security threats like phishing and malware.

You can learn more about the security best practices we recommend when it comes to passwords here, including how you can take advantage of our built-in security features like two-factor authentication – additional steps/details can be found on our help site, for example here and here.

We also encourage sharing our tips on how to identify and protect yourself against phishing attempts.


Customer Security Tips

As part of our ongoing commitment to customer security, we’d like to offer our customers some advice on IT security and user password best practices, and how to better utilize the multiple layers of security that are built into LogMeIn products.

Some important user password best practices include:

  • Use two-factor authentication that is simple, free and available on all LogMeIn products
  • Create a unique, complex password for every account, device and system
  • Consider using a password safe application to generate secure passwords and store them safely
  • Never use simple passwords like “password” or “12345”
  • Always use complex passwords of at least eight characters in length, including upper- and lower-case letters, numbers and symbols

The above tips are especially relevant in efforts to protect against scam “phishing” tactics. For more detailed information on how to identify and avoid fraudulent emails,  click here.


Avoiding Phishing Attacks

What is Phishing?

Phishing is an email scam designed for identity theft. The most successful phishing emails are typically disguised to look like they come from a known or reputable source. These emails usually contain attachments or download links to malicious software, such as keystroke loggers, banking trojans, spyware, and rootkits. A keystroke logger is one of the most dangerous threats: an attacker can use it to steal user names and passwords as you type, including credentials to your email, remote computers, HR systems, etc.

Tips on how to identify a fraudulent email

Legitimate organizations typically do not request sensitive information via email. LogMeIn will never send you an email asking you to do any of the following:

  • Verify your account information – except to verify your email address after registration.
  • Provide your password.
  • Confirm personal information such as age, social security number, or home address.
  • Provide information of a financial nature.
  • Download a new product or SSL certificate from a provided link.

If you receive a suspicious email purporting to be from a LogMeIn address, we recommend the following actions:

  • Do not reply
  • Do not open any attachments
  • Do not click on any links
  • Contact LogMeIn’s technical support team

Tips on how to identify phishing scams

  • Threats and Calls to Action – Phishers like to use scare tactics, and may threaten to disable an account or delay services until you update certain information. Most phishing campaigns include a call to action. If the content places any kind of urgency as far as “you must click into your account now”, it is potentially a scam.
  • Too generic – Watch out for generic-looking requests for information. Fraudulent emails are often not personalized.
  • Bad grammar – Scammers are not known for Grade A grammar and spelling.  This is a common trait among many fraudulent email scams. Some of these messages have been poorly translated from other languages, or use letters from the alphabet to substitute certain symbols (which is a common tactic meant to evade spam filters).
  • Links in email – If you see a link in a suspicious email message, don’t click on it. Hover your mouse over the link (without actually clicking on the link) to reveal whether the real address matches the URL that was typed in the message. In the example below, the link reveals the real web address that the user will be routed to, as shown in the red box. Notice that the URL string in the text looks nothing like the web address to which the user will be directed.

[image: links in email]

  • Email body as an image – It is a common tactic of many spammers to make the whole message body an image so as to track the user and evade spam filters.
  • IP reputation – You can look up the sender IP’s reputation through Return Path’s Sender Score website (www.senderscore.org). The lower the score, the more likely the email is a phishing attempt.
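The hover-over check above, together with the .su destination noted in the earlier invoice alert, can be turned into an automated triage rule. The following Python is an added example, not LogMeIn’s own tooling: it parses the anchors of an HTML message body, flags links whose visible text is a URL on a different host than the real destination, and flags destinations outside a list of expected domains. The sample HTML, the `.example.su` host and the expected-domain list are constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains a legitimate LogMeIn mail would link to (constructed allow-list).
EXPECTED_DOMAINS = ("logmein.com", "help.logmein.com")


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL; bare text like 'www.example.com/x' gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _expected(host):
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)


def check_links(html_body):
    """Return one finding per suspicious anchor (empty list means nothing found)."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real = _host(href)
        # Only treat the visible text as a URL claim when it looks like one.
        shown = _host(text) if ("." in text and " " not in text) else ""
        if shown and shown != real:
            findings.append("text shows %s but link goes to %s" % (shown, real))
        elif not _expected(real):
            findings.append("link to unexpected domain %s" % real)
    return findings


# Constructed sample modelled on the 'encryption update' lure quoted above.
SAMPLE = (
    "<p>Please click on the link below to begin the update process:</p>"
    '<a href="http://update.example.su/login">https://secure.logmein.com/update</a>'
    '<p>Support: <a href="https://help.logmein.com/">LogMeIn help</a></p>'
)

if __name__ == "__main__":
    for finding in check_links(SAMPLE):
        print("SUSPICIOUS:", finding)
```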

Tips on what to do in your LogMeIn account if you think you’ve been phished

  • Clean your computer system of possible malware (including key loggers) – Immediately clean your system to remove any malware and key loggers that may have been installed.
  • Change passwords – Once your device is clean, change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
  • Enable Two-Step Verification – With two-step verification, after entering your LogMeIn ID and password, you will also be required to enter a one-time code that you get from either a mobile authenticator app or via email. The following links provide additional information on this feature:
      • http://help.logmein.com/SelfServiceKnowledgeRenderer?type=FAQ&id=kA030000000DGF0CAO
      • http://help.logmein.com/SelfServiceKnowledgeRenderer?type=FAQ&id=kA0a0000000shEiCAI
  • Do not fill embedded forms with sensitive information – Never submit sensitive, personal or confidential information via forms embedded within email messages. Senders are often able to track all information entered.
  • Be careful with URLs – Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but be aware that the URL may use a variation in spelling or a different domain.
  • Protect your computer – Make sure you maintain effective anti-virus, anti-spyware and Internet Security software to help combat phishing.
  • Think twice before opening an attachment – Be careful about opening or saving any document or attachment that comes with spam mail.
  • Don’t disclose personal information – Never ever send any information about your account in an email. LogMeIn’s technical support team is available by phone at 1-866-478-1805 should you require assistance.
  • Make sure your receiving mail server does a Sender Policy Framework (SPF) check – SPF allows recipients to verify sender identity (at the organizational level) by allowing domain owners to publish, via DNS, the IP addresses that are authorized to send emails from the specified domains. Ask your mail server administrator to configure SPF validation – this is usually done in the spam filter.
  • Resources:
      • http://www.openspf.org/FAQ/Testing_and_validating
      • https://support.microsoft.com/kb/2640313
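The SPF check in the last tip, shown as an added Python example rather than anything LogMeIn ships: it evaluates a published SPF record against the IP a message arrived from, resolves `include:` through a constructed in-memory table instead of live DNS, and returns the verdict a receiving mail server would act on. The domain names, records and sender IPs are all constructed for the illustration.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; a real check would query DNS.
TXT_RECORDS = {
    "example-vendor.test": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.test -all",
    "_spf.mailer.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _record(domain):
    """Return the SPF terms for a domain, or None if it publishes no usable record."""
    txt = TXT_RECORDS.get(domain)
    if not txt or not txt.startswith("v=spf1"):
        return None
    return txt.split()[1:]


def spf_check(domain, sender_ip, _depth=0):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.

    Models the mechanisms that matter for a phishing check: ip4, ip6, include,
    and the 'all' directive with + - ~ ? qualifiers.  'none' means the domain
    publishes no record, so the sender's identity cannot be verified at all.
    """
    if _depth > 10:                      # RFC 7208 caps lookups; also stops loops
        return "permerror"
    terms = _record(domain)
    if terms is None:
        return "none"
    try:
        ip = ipaddress.ip_address(sender_ip)
    except ValueError:
        return "permerror"
    for term in terms:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        verdict = QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            try:
                # A v4 address is never 'in' a v6 network, and vice versa.
                if ip in ipaddress.ip_network(arg, strict=False):
                    return verdict
            except ValueError:
                return "permerror"
        elif mech == "include":
            if spf_check(arg, sender_ip, _depth + 1) == "pass":
                return verdict
        elif mech == "all":
            return verdict
        # a, mx and exists would need further DNS lookups; not modelled here.
    return "neutral"


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.10", "2001:db8::1", "192.0.2.1"):
        print(ip, "->", spf_check("example-vendor.test", ip))
```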

Ways to report a suspected phishing scam

  • The Anti-Phishing Working Group is an organization tasked to help to fight phishing scams. You can report phishing at http://www.antiphishing.org/report-phishing/
  • Call the LogMeIn support line FIRST, and note that they might ask you to forward the email to a specific address.