Phishing Attack Strikes LastPass; Here's How You Avoid It

Users of LastPass are vulnerable to a phishing attack that calls for preventive measures. Sean Cassidy, CTO at Praesidio, a cloud cyber security startup, found that attackers can steal a user's password, email and two-factor authentication code, which exposes all of the user's documents and passwords. He described the vulnerability and suggested protection measures on his website. He also discussed LastPass at ShmooCon 2016, a hacker convention.

The attack, which Cassidy calls LostPass, relies on messages that an attacker can fake in the browser. The user cannot distinguish the fake LostPass message from the real one: the notification and the login screen are identical, pixel for pixel.

The attack method Cassidy describes works in Google Chrome and to a degree in Firefox. In Google Chrome, fake messages look the same as the LastPass extension messages. Such is not the case with Firefox.

Cassidy related an incident a few months ago when LastPass showed a message on his browser saying a session had expired, and he needed to log in again. He had not used LastPass for a few hours and had done nothing to cause him to log out. When he clicked the notification, it displayed a message in the browser viewport that he realized an attacker could have drawn. Any malicious website could have drawn the notification.

[Image: Cassidy 1]

As LastPass trained users to expect notices in the browser viewport, users would not have a reason for concern. The login screen and two-factor prompt also get drawn in the viewport.

[Images: Cassidy 2, Cassidy 3]

Because LastPass has an API that can be remotely accessed, Cassidy envisioned an attack.

How It Works

The LostPass steps are as follows.

The attacker gets the victim to go to a malicious website that appears to be benign or a real website that is vulnerable to XSS (cross-site scripting). Once at the website, the attacker deploys lostpass.js. The user will not be alarmed since this is not intended to be a secure website. It could even be an image or a funny video.

If the user has LastPass installed, the attacker displays the fake session-expired notification and logs the user out of LastPass, so the extension really does appear to be logged out.

[Image: Cassidy 4]

When the user clicks on the false banner, the attacker directs them to an attacker-controlled login page that appears identical to the LastPass login page.

[Image: Cassidy 5]

The "chrome-extension.pw" domain looks like the Chrome protocol for "chrome-extension." There is an open issue in Chromium that addresses this.

Next, the victim enters their password and sends credentials to the attacker’s server, which checks to see if the credentials are correct by calling LastPass’s API. The API advises if two-factor authentication is needed.

Should the password and username be incorrect, the attacker redirects the user back to the malicious website. This time, the LostPass notification bar will say “Invalid Password.”

If the API reports that two-factor authentication is required, the attacker redirects the user to a fake two-factor prompt.

[Image: Cassidy 6]

When the attacker gets the correct username and password (including the two-factor token), the attacker downloads the victim’s information from the LastPass API. The attacker can install a backdoor in the user’s account using the emergency contact feature, disabling two-factor authentication and adding the attacker’s server as a trusted device.

The steps described parallel the path LastPass follows when a user logs out remotely.

Why It’s So Effective

Training is not effective against this attack, since what the user sees differs little between the real and fake versions.

The LastPass login workflow is buggy and complex. It sometimes displays in-viewport login pages, and it sometimes displays them as popup windows.

LastPass is easy to detect, and it was even easier to locate the exact CSS and HTML LastPass uses to display login pages and notifications.

Best Browsers And OSs

The attack works best on the Chrome browser since it uses an HTML login page. Firefox pops up a window for login, so the prompt takes on the look of whatever operating system the user is on.

Cassidy has experimental support for Firefox on Windows 8 and OS X in LostPass, but it is not enabled by default.

He developed it specifically to work against LastPass 4.0 and did not include any version detection information.

To safeguard against attacks, Cassidy recommends the following steps for individuals and companies, not in any particular order.

• Ignore notifications drawn in the browser viewport.

• Enable IP restrictions, which are only available to paid plans.

• Disable mobile login, keeping in mind other attacks can use non-mobile API.

• Log all failures and logins.

• Advise employees of the potential attack.

Two-factor authentication does not help; instead, it makes the attack easier.

LastPass, by default, sends an email confirmation when a new IP address tries to log in. While this should completely halt the attack, it does not. LastPass documentation indicates the confirmation email only gets sent if the user doesn’t have two-factor authentication enabled.

Because LostPass phishes for a two-factor authentication code, it bypasses the email confirmation step.

LostPass could be made more effective in cases where it is blocked by a confirmation email (i.e., "Please confirm your login email to continue"), but the attack is already strong enough as it stands.
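To make the reasoning above concrete, here is an added example (not code from Cassidy, LostPass or LastPass) that models the login flow as the article describes it and compares it with an assumed stricter policy. The LoginAttempt fields, the policy functions and the scenario values are constructed for this illustration; the "hardened" policy is an assumption about what would stop a replay of phished credentials, not a description of LastPass's actual behaviour.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    """One login attempt as the server sees it (fields constructed for this example)."""
    password_ok: bool      # username/password pair verified
    twofa_enabled: bool    # account has two-factor authentication turned on
    twofa_code_ok: bool    # attempt supplied a valid second-factor code
    ip_known: bool         # this IP has logged in to the account before
    ip_allowed: bool       # IP is inside the account's allow-list (if one exists)


def decide_described_policy(a: LoginAttempt) -> str:
    """Login flow as the article describes it.

    The new-IP email confirmation is only demanded when two-factor
    authentication is NOT enabled, so an attacker who has phished a valid
    second-factor code never reaches the confirmation step.
    """
    if not a.password_ok:
        return "reject"
    if a.twofa_enabled:
        return "allow" if a.twofa_code_ok else "need-2fa"
    if not a.ip_known:
        return "need-email-confirmation"
    return "allow"


def decide_hardened_policy(a: LoginAttempt, ip_restrictions: bool = True) -> str:
    """Assumed stricter policy (illustration only, not LastPass's behaviour).

    - Optional IP allow-list, mirroring the article's 'enable IP restrictions'.
    - The second factor is still checked when enabled.
    - A login from an unknown IP always needs an out-of-band confirmation,
      regardless of two-factor, so a phished code alone does not suffice.
    """
    if not a.password_ok:
        return "reject"
    if ip_restrictions and not a.ip_allowed:
        return "reject"
    if a.twofa_enabled and not a.twofa_code_ok:
        return "need-2fa"
    if not a.ip_known:
        return "need-email-confirmation"
    return "allow"


def compare_policies(a: LoginAttempt) -> dict:
    """Outcome of the same attempt under each policy, for side-by-side review."""
    return {
        "described": decide_described_policy(a),
        "hardened_with_ip_restrictions": decide_hardened_policy(a, True),
        "hardened_without_ip_restrictions": decide_hardened_policy(a, False),
    }


# Constructed scenario: the attacker replays the phished password and
# second-factor code from the attacker's own server, an IP the victim
# has never used and that is not on any allow-list.
PHISHED_REPLAY = LoginAttempt(password_ok=True, twofa_enabled=True,
                              twofa_code_ok=True, ip_known=False, ip_allowed=False)

# Same victim account with two-factor switched off: the described policy
# now does demand the email confirmation the article mentions.
PHISHED_REPLAY_NO_2FA = LoginAttempt(password_ok=True, twofa_enabled=False,
                                     twofa_code_ok=False, ip_known=False, ip_allowed=False)

if __name__ == "__main__":
    for name, attempt in (("2FA on", PHISHED_REPLAY), ("2FA off", PHISHED_REPLAY_NO_2FA)):
        print(name, compare_policies(attempt))
```

Running the block shows the inversion the article points out: with two-factor enabled, the described policy admits the replayed credentials outright, while with two-factor disabled the same replay is held at the email-confirmation step. Under the assumed stricter policy the unknown IP is either rejected by the allow-list or forced through confirmation regardless of the second factor.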

Have You Been Attacked?

To determine whether you have been attacked, view your "LastPass Account History," which lists all login attempts and the corresponding IP addresses.
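As an added example (not the article's, Cassidy's or LastPass's code), the following script shows the kind of check a user or administrator could run over an exported account history: it flags successful logins from IP ranges you do not recognise, a failed-then-successful login from the same unknown IP (the pattern the article's "Invalid Password" retry would produce), and sensitive account changes made from an unknown IP. The CSV layout, column names, action names and log lines are constructed for this example and do not reproduce LastPass's actual export format; KNOWN_NETWORKS is an assumed allow-list of the ranges you expect to log in from.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO
from ipaddress import ip_address, ip_network

# Constructed sample history (time, ip, action, result). The column layout and
# action names are invented for this example, not LastPass's real export.
SAMPLE_HISTORY = """\
time,ip,action,result
2016-01-15 08:12:04,203.0.113.10,Login,Success
2016-01-15 18:40:22,203.0.113.10,Login,Success
2016-01-16 09:03:51,198.51.100.77,Login,Failure
2016-01-16 09:04:20,198.51.100.77,Login,Success
2016-01-16 09:05:02,198.51.100.77,Multifactor Disabled,Success
2016-01-16 09:05:30,198.51.100.77,Trusted Device Added,Success
2016-01-17 07:55:10,203.0.113.10,Login,Success
"""

# Assumed allow-list: the ranges (home, office, phone carrier) you log in from.
KNOWN_NETWORKS = [ip_network("203.0.113.0/24")]

# Account changes that the article says the attacker makes after logging in.
SENSITIVE_ACTIONS = {"Multifactor Disabled", "Trusted Device Added",
                     "Emergency Access Granted"}

# A success this soon after a failure from the same new IP looks like a retry.
WINDOW = timedelta(minutes=10)


def parse_history(text):
    """Parse the CSV export into rows with typed time and IP fields."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({
            "time": datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S"),
            "ip": ip_address(r["ip"]),
            "action": r["action"],
            "result": r["result"],
        })
    return rows


def is_known(ip):
    """True when the IP falls inside one of the expected ranges."""
    return any(ip in net for net in KNOWN_NETWORKS)


def find_suspicious(rows):
    """Return (time, ip, reason) tuples for events worth a closer look."""
    findings = []
    last_failure = {}  # ip -> time of the most recent failed login
    for row in rows:
        ip = row["ip"]
        if row["action"] == "Login":
            if row["result"] == "Failure":
                last_failure[ip] = row["time"]
                continue
            if not is_known(ip):
                reason = "successful login from unknown IP"
                failed_at = last_failure.get(ip)
                if failed_at and row["time"] - failed_at <= WINDOW:
                    reason += " shortly after a failed attempt"
                findings.append((row["time"], str(ip), reason))
        elif row["action"] in SENSITIVE_ACTIONS and not is_known(ip):
            findings.append((row["time"], str(ip), f"{row['action']} from unknown IP"))
    return findings


if __name__ == "__main__":
    for when, ip, reason in find_suspicious(parse_history(SAMPLE_HISTORY)):
        print(f"{when}  {ip:<15}  {reason}")
```

On the constructed sample the script reports three events, all from 198.51.100.77: the login that succeeded 29 seconds after a failure, the two-factor change, and the trusted-device addition. The logins from 203.0.113.10 are inside the allow-list and stay quiet, which is the point of the article's advice to log all failures and logins and review them.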

There are alternatives to LastPass, but Cassidy has not researched them to guarantee their safety.

He recommends the following user considerations:

• Browser extensions have a greater risk than native applications.

• An API makes it easier for attackers to steal a lot of data.

• Store only frequently-used and low-risk data in a password manager.

An attack called "Even the LastPass Will be Stolen, Deal with It," published by Garcia and Vigo, presented a client-side attack relying on poor design choices by LastPass that make it susceptible on compromised machines.

Cassidy’s work addresses LastPass from a different perspective. One does not require access to a LastPass user’s machine; the attacker tricks the user into providing their credentials.


Why He Developed It

In discussing why he developed the attack, Cassidy said the security industry is naïve about phishing, which is the most common attack vector.

Better user training will not solve the problem. What is needed is software designed to be phishing resistant, and security evaluations should include how easy the software is to phish.

Another important observation is that this attack requires no sophisticated knowledge. An attacker can get the HTML with a simple right click. JavaScript will enable the attacker to glue the pieces together. Once the details of the attack are published, criminals will be able to create their own version in less than one day.

Cassidy said he is publishing this tool so companies can make informed decisions about the attack and how to best respond.

Because the vulnerability is hard to fix and easy to exploit, Cassidy believes it is appropriate to release a tool.

He informed LastPass in November, and they acknowledged the problem in December. LastPass first understood the problem to be mainly a result of the CSRF (cross-site request forgery) logout and suggested the attack would not work because of the email confirmation step. A spokesperson said LastPass can confirm the bug is a phishing attack, but not a vulnerability, a position Cassidy disputes.

One fix LastPass implemented was to warn users when they type in their master password into some website. The problem with this is they display a warning message in the browser viewport like all their other messages. If the website is attacker-controlled, detecting when this notification is added is trivial.

Cassidy suppresses the notification in LostPass and sends a request to an attacker server to log the master password.

He does not blame LastPass for the fact that the industry does not respond well to phishing attacks.

A Warning To The Industry

Cassidy said it is important to inform users about security concerns in the products they use. Security researchers too often kowtow to corporations by not informing users about vulnerabilities of which they should be aware.

Operating systems and browsers can address this class of bugs. To spoof the “chrome extension” protocol, Cassidy purchased the domain “chrome-extension.pw,” which appears similar. Connecting to this domain over HTTP makes it appear similar to the built-in protocol. An open issue in Chromium addresses this. Below is an image of LastPass and LostPass, side-by-side, for Firefox on Windows 8.

[Image: Cassidy 7, LastPass and LostPass side by side in Firefox on Windows 8]

Firefox is harder to spoof. Cassidy had to manually draw each OS’s native widget using CSS and HTML. These are not perfect, but close enough.

Because a web page can draw any pixels it likes in the browser viewport, browsers need a way for users to visually authenticate native windows.

The code is available on GitHub.

 

Important: Never invest (trade with) money you can't afford to comfortably lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here. Trade recommendations and analysis are written by our analysts which might have different opinions. Read my 6 Golden Steps to Financial Freedom here. Best regards, Jonas Borchgrevink.


Lester Coleman is a veteran business journalist based in the United States. He has covered the payments industry for several years and is available for writing assignments.




1 Comment

  1. ackthbbft

    January 18, 2016 at 9:00 pm

    “He recommends the following user considerations:
    • Browser extensions have a greater risk than native applications.”
    I don’t see that LastPass offers a native application (at least for Windows; their Android app might count as one). Their download page only seems to have browser extension installers. That is certainly a big concern.
    It seems the easiest way for users to avoid this is to never click on the “banner” that LastPass sometimes displays, as it could actually be the lostpass.js phishing attack. Users should be advised to only click on the extension icon itself whenever seeing such a message, or otherwise go directly to the LastPass site. (This is what I do whenever receiving any kind of message from my banks; I always go directly to the site myself instead of using e-mail links.)
    LastPass should probably even put out an update that explicitly removes their own “banner” warnings, with a message to all users explaining the change.
    A master password change might be in order, and be sure to check your IP History of logins (as the article recommends) for the past month or so (all of mine in the last month have been from work, home, or smartphone, so hopefully I’m still safe).



Monero Price Analysis: Stronger Malware to Mine Monero; XMR/USD Has Room for Another Potential Squeeze South


  • Researchers: a stronger malware has been uncovered, which can mine Monero.
  • XMR/USD price action remains stuck in a narrowing range, subject to an imminent breakout.

The XMR/USD price has seen some upside on Saturday, holding gains of around 3% towards the latter stages of the day. Despite the press higher from the bulls, a move which has been observed across the cryptocurrency market, vulnerabilities remain. Price action has been ranging for the past nine sessions. Once again, this isn’t specifically just XMR, as this type of behavior is witnessed across the board. The narrowing in play came after the steep drop that rippled across the market on 10th January.

Price action was initially well supported to the upside by an ascending trend line in play since 15th December. At the time this was a very promising recovery, as XMR/USD had gained as much as 55%. Unfortunately, the bulls were unable to break through supply heading into the $60 region and were eventually dealt a heavy blow. On 10th January, the bears forced a heavy breach to the downside, smashing through this support, and the price dropped by double digits, some 20%.

Stronger Malware Mining Monero (XMR)

There is a dangerous form of malware that can evade detection and mine Monero (XMR) on cloud-based servers. A recent notice from Palo Alto Networks' Unit 42, an intelligence team that specializes in cyber threats, described a Linux mining malware attributed to the Rocke group that has the ability to uninstall cloud security products. It does this to products from the likes of Alibaba Cloud and Tencent Cloud, and then illegally mines Monero on the compromised machines.

The two researchers from Palo Alto Networks, Xingyu Jin and Claud Xiao, detailed the findings of their studies. Once the malware is downloaded, it takes administrative control and first uninstalls all cloud security products. Shortly after, it transmits code that mines Monero (XMR). Further within their press release, they said, "To the best of our knowledge, this is the first malware family that developed the unique capability to target and remove cloud security products."

Technical Review – XMR/USD

XMR/USD daily chart.

Given the current range block formation, eyes should be on the key near-term technical areas. Firstly, to the downside, $43, which is the lower part of the range. A breach here will likely see a retest of the December low, $38. To the upside, resistance can be observed at around the mid $46 level. Should a breakout be observed here, then a potential retest of the broken trend line will be watched.

Disclaimer: The author owns Bitcoin, Ethereum and other cryptocurrencies. He holds investment positions in the coins, but does not engage in short-term or day-trading.

Featured image courtesy of Shutterstock.


Ken has over 8 years exposure to the financial markets. During a large part of his career, he worked as an analyst, covering a variety of asset classes: forex, fixed income, commodities, equities and cryptocurrencies. Ken has gone on to become a regular contributor across several large news and analysis outlets.





Dash 51% Attack Fears Cooled as Core Dev Group Suggest Benevolent Miner


Dash investors may have been starting to question the security of their holdings in light of Ethereum Classic’s (ETC) recent attack, and the subsequent fallout which revealed Dash’s own vulnerability to 51% attacks.

Three addresses, all controlled by the same user, were in control of more than 51% of the Dash mining hashrate, as reported on CCN a few days ago. On top of that, over 74% of the entire Dash hashrate was accessible via Nicehash – a cloud-mining marketplace – where it could be purchased for as little as $3,104 per hour.

Hashing Power Removed from Nicehash

As of Saturday’s statement by the Dash Core Group, the same individual still controls the majority of the Dash hashrate. However, the group pointed out that since the news concerning a 51% attack broke out earlier this week, the individual has begun to remove their hashing power from Nicehash, and spread it around separate mining pools.

The team stated clearly that they do not believe the miner in question to be malicious:

“…we don’t believe the entity in control of the wallets in question plans or wants to attack because their mining activities began at least 4 months ago and their blocks have been published for all to see.”

The group believe the sudden removal of hashing power from Nicehash – as shown above – is a signal of benevolent intentions on the part of the miner. As a major holder of Dash, they reason that the miner would want to secure the network as best they could.

“This removes the risk of a malicious party renting the hashing power via NiceHash and simultaneously signals that the entity in control of the hashing power does not have negative intent. We believe the miner behind the hashing power was made aware by the same info we discovered online and quickly moved to more protected pools as they appear to be a major stakeholder of Dash.”

Future Proof?

The announcement ends with a look to the future in the form of Dash's upcoming ChainLocks technology. To be implemented in an as yet unspecified future update, ChainLocks will tie the mining layer to Dash's masternode layer.

This means that a 51% attacker would also have to secure a majority of the blockchain’s masternodes to execute their plans. More can be read on ChainLocks here.

Dash Coin Price

Almost mid-way through the first month of 2019, Dash has recovered 26% of its value since the market lows of mid-December. That’s when one unit of DASH was valued at $58.27 – a 96% decline since December 2017.

Dash’s 26% recovery in the past month still leaves the coin 95% off its all-time high. As of Saturday the coin had settled down along with the broader market, after a sharp 17.5% decline 48 hours before.

Disclaimer: The author owns bitcoin, Ethereum and other cryptocurrencies. He holds investment positions in the coins, but does not engage in short-term or day-trading.

Featured image courtesy of Shutterstock.


Greg Thomson is a full-time crypto writer and digital nomad. He eats ICOs for breakfast and bleeds altcoins. Wherever he lays his public key is his home.





Where to Store Your Crypto?


Storing crypto on virtual exchanges has some inherent security risks that have been exploited by hackers and cyber criminals. This article will touch upon this important topic and provide you with alternative methods in which to store your digital assets.

Cold and Hot Wallets

The main thing in cryptocurrency storage is the private key and who has access to it.

Cold storage wallets operate offline and without a constant internet connection. If your key is not on the Internet, then it is much more difficult to steal.

A hot storage wallet is a wallet with constant connection to the Internet.

So, all storage options can be distinguished by two criteria:

  1. whether the private keys are kept by you or by a third party;
  2. whether the wallet is offline or connected to the internet.

A cold storage wallet in which you hold the private key is considered the most reliable storage option. Such a wallet is suitable for long-term storage of large amounts. However, it is not convenient if, for example, you trade and need regular access to your wallet for transferring small amounts.

Hardware Wallets

Hardware wallets such as Ledger, Trezor, Pi Wallet, Keepkey, Opendime and Bitlox keep the keys on a flash-drive-like device that has no internet connection of its own. The device is connected only when sending a transaction, and the transaction must be confirmed physically on the device itself. This is a "cold" method of storage (connected only at the time of the transaction), and the user keeps the private keys.

Paper Wallets

This method of storage is also convenient if you want to keep your funds for an extended period. In offline mode, you can generate a public and private key. For example, the service walletgenerator.net renders those keys as a QR code, which you can print and store.

Physical Bitcoin Wallet

A physical bitcoin wallet has almost the same properties as a paper wallet. Encrypted bitcoins cannot be spent until the seal protecting the secret key has been broken. However, the security of the seal is not considered very reliable.

Desktop Offline Wallets

There are also two main types of offline wallets:

  1. Wallets where the user is the only one with access to the private keys. You can install such a wallet on a personal computer as a separate program. As a rule, these are the wallets from the developers of the cryptocurrency itself, for example Bitcoin Core, Litecoin Core or Mist. Such wallets are also called "heavy" wallets because they take up a lot of space (for example, you will have to free up at least 200 GB for a Bitcoin wallet in 2018). Such wallets installed on laptops or flash drives that are disconnected from the Internet can also be called "cold" wallets. In general, they are also considered safe.
  2. The so-called "light" offline wallets. These are desktop wallets that let you store cryptocurrency without downloading the full blockchain, which runs to many gigabytes. Some of them give you the private keys and the ability to restore a lost wallet at any time using a seed phrase. There is a drawback: they do not always contain the full version of the blockchain, and sometimes will not show up-to-date transaction information. Examples of such wallets are Electrum and Armory.

Light wallets can be multi-currency, with a built-in exchange, for example Exodus. Its private keys can also be restored using seed phrases. However, inside such wallets, not only you but also the developers have access to your private keys.

It is also worth mentioning an essential aspect of light wallets: their source code is open. If something happens to the wallet, it will only be possible to restore it from the seed phrase if that restore function is still available.

As a conclusion on cold wallets, I can say that their main advantage is reliability and security, and the main drawback is that it is difficult to move cryptocurrencies quickly. Therefore, cold wallets are suitable for long-term storage. For everyday transactions, hot wallets are the best. The exceptions are some hardware wallets that are compatible with online cryptocurrency storage and exchange services.

Disclaimer: The author owns bitcoin, Ethereum and other cryptocurrencies. He holds investment positions in the coins, but does not engage in short-term or day-trading.

Featured image courtesy of Shutterstock.


Vladislav Semjonov has a legal and financial background. He has been involved in the crypto space since early 2017, both in ICO advising positions at several ICO consultancy firms and as an ICO analyst for VC. He began contributing to Hacked.com in April 2017.




A part of CCN

Hacked.com is Neutral and Unbiased

Hacked.com and its team members have pledged to reject any form of advertisement or sponsorships from 3rd parties. We will always be neutral and we strive towards a fully unbiased view on all topics. Whenever an author has a conflicting interest, that should be clearly stated in the post itself with a disclaimer. If you suspect that one of our team members are biased, please notify me immediately at jonas.borchgrevink(at)hacked.com.

Trending