New phishing campaign impersonates LogMeIn to steal user credentials

Phishing campaigns try to trick people by spoofing well-known companies, brands, and products. Such campaigns often strive to reference items in the news to catch the attention of those concerned about current events. As more people work from home due to the coronavirus, a new phishing campaign is impersonating the remote access tool LogMeIn to obtain the account credentials of unsuspecting victims. In a blog post published Tuesday, security provider Abnormal Security explains how this campaign works.

SEE: Fighting social media phishing attacks: 10 tips (free PDF) (TechRepublic)

Spotting this new phishing attack for first time in May, Abnormal Security noted that the recent impersonations of LogMeIn and other remote collaboration tools such as Zoom are likely due to the shift in remote work. In this particular attack, the phishing email claims to be from LogMeIn with a notice informing the recipient of a fix to a zero day vulnerability found in LogMeIn Central and LogMeIn Pro. As such, this campaign is also taking advantage of the security concerns raised about these remote access platforms.

To apply this alleged security update, the user is told to click on a link in the email. A stern warning asserts that if the update is not applied, then the user’s account will have to be suspended for security reasons. Clicking on the link brings the recipient to a fake login page that appears similar to the actual LogMeIn page. The page also contains branding for password manager LastPass, which is the parent company for LogMeIn.

Of course, any credentials entered at the phony login page are captured by the criminals behind this attack. And since LogMeIn uses a single sign-on with LastPass, the attackers may be trying to gain access to the user’s password manager, potentially opening the door to all of the person’s stored passwords.

How can you best avoid these types of scams? Ken Liao, vice president of Cybersecurity Strategy at Abnormal, offers a concise recommendation.

“Many of the recent attacks have masqueraded as updates–even more specifically–security updates,” Liao said. “As always, users should default to updating applications via the application itself and not via links in emails to prevent not only credential loss but the potential introduction of malware onto their machines.”