
Phishing Attack Strikes LastPass; Here’s How You Avoid It

Users of LastPass are exposed to a phishing attack that calls for preventive measures. Sean Cassidy, CTO at Praesidio, a cloud cyber security startup, found that an attacker can steal a user’s password, email and two-factor authentication code, which exposes all of the user’s stored documents and passwords. He described the vulnerability and suggested protective measures on his website, and he also presented the LastPass attack at ShmooCon 2016, a hacker convention.

The attack, which Cassidy calls LostPass, relies on the messages LastPass displays inside the browser, which an attacker can fake. The user cannot distinguish the fake LostPass message from the real one, since the two look the same; the notification and login screen match pixel for pixel.

The attack method Cassidy describes works in Google Chrome and, to a lesser degree, in Firefox. In Google Chrome, the fake messages look the same as the LastPass extension’s own messages; this is not the case in Firefox.

Cassidy related an incident a few months ago when LastPass showed a message in his browser saying his session had expired and he needed to log in again. He had not used LastPass for a few hours and had done nothing that would log him out. When he clicked the notification, it displayed a message in the browser viewport, and he realized an attacker could have drawn it: any malicious website could have drawn that notification.

[Image: Cassidy 1]

As LastPass trained users to expect notices in the browser viewport, users would not have a reason for concern. The login screen and two-factor prompt also get drawn in the viewport.

[Images: Cassidy 2, Cassidy 3]

Because LastPass has an API that can be remotely accessed, Cassidy envisioned an attack.

How It Works

The LostPass steps are as follows.

The attacker gets the victim to visit a malicious website that appears benign, or a legitimate website that is vulnerable to XSS (cross-site scripting). Once the victim is on the website, the attacker deploys lostpass.js. The user has no reason for alarm, since the site is not meant to be a secure one; it could even be an image or a funny video.

If the user has installed LastPass, the attacker shows the login expiration and logs the user out of LastPass. This action makes it look like the user has logged out.

[Image: Cassidy 4]

When the user clicks on the false banner, the attacker directs them to an attacker-controlled login page that appears identical to the LastPass login page.

[Image: Cassidy 5]

The “chrome-extension.pw” domain looks like the Chrome protocol prefix “chrome-extension://”. There is an open issue in Chromium that addresses this.

Next, the victim enters their password and sends credentials to the attacker’s server, which checks to see if the credentials are correct by calling LastPass’s API. The API advises if two-factor authentication is needed.

Should the password and username be incorrect, the attacker redirects the user back to the malicious website. This time, the LostPass notification bar will say “Invalid Password.”

If the user has two-factor authentication enabled, the attacker redirects them to a two-factor prompt.

[Image: Cassidy 6]

When the attacker gets the correct username and password (including the two-factor token), the attacker downloads the victim’s information from the LastPass API. The attacker can install a backdoor in the user’s account using the emergency contact feature, disabling two-factor authentication and adding the attacker’s server as a trusted device.

The steps described parallel the path LastPass follows when a user logs out remotely.

Why It’s So Effective

Training is not effective in fighting this as there is not much difference between the real and fake versions in what the user sees.

The LastPass login workflow is buggy and complex. It sometimes displays in-viewport login pages, and it sometimes displays them as popup windows.

LastPass is easy to detect, and it was even easier to locate the exact CSS and HTML LastPass uses to display login pages and notifications.

Best Browsers And OSs

The attack works best on the Chrome browser, since LastPass uses an HTML login page there. Firefox pops up a separate window for login, so the login window takes on the native look of whatever operating system the user is on.

Cassidy has experimental support for Firefox on Windows 8 and OS X in LostPass, but it is not enabled by default.

He developed it specifically to work against LastPass 4.0 and did not include any version detection.

To safeguard against attacks, Cassidy recommends the following steps for individuals and companies, not in any particular order.

• Ignore browser window notifications.

• Enable IP restrictions, which are only available to paid plans.

• Disable mobile login, keeping in mind that other attacks can use the non-mobile API.

• Log all failures and logins.

• Advise employees of the potential attack.

Two-factor authentication does not help; instead, it makes the attack easier.

LastPass, by default, sends an email confirmation when a new IP address tries to log in. While this should completely halt the attack, it does not. LastPass documentation indicates the confirmation email only gets sent if the user doesn’t have two-factor authentication enabled.

Because LostPass phishes for a two-factor authentication code, it bypasses the email confirmation step.

LostPass could be made more effective in cases where it is blocked by a confirmation email (i.e., “Please confirm your login email to continue”), but Cassidy considers the attack already strong enough.

Have You Been Attacked?

To determine whether you have been attacked, review your “LastPass Account History,” which lists all login attempts and the corresponding IP addresses.
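The script below is an added example, not part of the article and not LastPass’s own tooling. It shows the kind of review a defender can run over a login history like the one the Account History page provides. It assumes a simplified record format (timestamp, source IP, success or failure) and a list of networks the user recognises, both constructed here, and flags successful logins from unfamiliar addresses, especially when they follow a failed attempt from the same address within a few minutes, which is what a relayed, mistyped-then-corrected phished password would look like.

```python
"""Added example (not from the article or LastPass): triage a password
manager's login history for signs of a LostPass-style credential phish.

The input format is an assumption made for this example, one record per line:
    <ISO-8601 timestamp>,<source IP>,<success|failure>
Real LastPass exports are laid out differently.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample history (not real data). The 192.0.2.55 pair models a
# phished login: a failure from an address the user never used, followed
# seconds later by a success from the same address.
SAMPLE_HISTORY = """\
2016-01-10T08:02:11Z,203.0.113.10,success
2016-01-11T08:05:40Z,203.0.113.10,success
2016-01-12T19:30:02Z,198.51.100.7,success
2016-01-15T21:14:09Z,192.0.2.55,failure
2016-01-15T21:14:31Z,192.0.2.55,success
2016-01-16T08:01:57Z,203.0.113.10,success
"""

# Networks the user recognises (work, home). Constructed for the example.
KNOWN_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]


def parse_history(text):
    """Parse the assumed CSV-style format into sorted (timestamp, ip, ok) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip_address(ip), result == "success"))
    return sorted(events)


def is_known(ip):
    """True if the address falls inside a network the user recognises."""
    return any(ip in net for net in KNOWN_NETWORKS)


def triage(text, window=timedelta(minutes=10)):
    """Return a list of (timestamp, ip, reason) findings worth a closer look."""
    findings = []
    last_failure = {}  # ip -> time of the most recent failed login from it
    for ts, ip, ok in parse_history(text):
        if not ok:
            last_failure[ip] = ts
            if not is_known(ip):
                findings.append((ts, str(ip), "failed login from unknown address"))
            continue
        if not is_known(ip):
            reason = "successful login from unknown address"
            prev = last_failure.get(ip)
            if prev is not None and ts - prev <= window:
                reason += " shortly after a failure from the same address"
            findings.append((ts, str(ip), reason))
    return findings


if __name__ == "__main__":
    for ts, ip, reason in triage(SAMPLE_HISTORY):
        print(f"{ts:%Y-%m-%d %H:%M} {ip:<15} {reason}")
```

Run as-is, the script reports only the two 192.0.2.55 events; the logins from the recognised networks stay quiet. Pairing a failure with a success from the same unfamiliar address is the useful signal here, because the attack relays whatever the victim types and shows an “Invalid Password” bar when the first attempt fails.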

There are alternatives to LastPass, but Cassidy has not researched them to guarantee their safety.

He recommends the following user considerations:

• Browser extensions have a greater risk than native applications.

• An API makes it easier for attackers to steal a lot of data.

• Store only frequently-used and low-risk data in a password manager.

An attack called “Even the LastPass Will Be Stolen, Deal with It,” published by Garcia and Vigo, presented a client-side attack that relies on bad design choices LastPass made, which make it susceptible to compromise on an already compromised machine.

Cassidy’s work addresses LastPass from a different perspective. One does not require access to a LastPass user’s machine; the attacker tricks the user into providing their credentials.


Why He Developed It

In discussing why he developed the attack, Cassidy said the security industry is naïve about phishing, which is the most common attack vector.

Better user training will not solve the problem. What’s needed is software designed to be phishing resistant, and security evaluations should include how easily the software can be phished.

Another important observation is that this attack requires no sophisticated knowledge. An attacker can get the HTML with a simple right click. JavaScript will enable the attacker to glue the pieces together. Once the details of the attack are published, criminals will be able to create their own version in less than one day.

Cassidy said he is publishing this tool so companies can make informed decisions about the attack and how to best respond.

Because the vulnerability is hard to fix and easy to exploit, Cassidy believes it is appropriate to release a tool.

He informed LastPass in November, and they acknowledged the problem in December.
LastPass first understood the problem to mainly be a result of the CSRF (cross-site request forgery) logout. They suggested it would not work due to the email confirmation step. A spokesperson said LastPass can confirm the bug is a phishing attack, but not a vulnerability, a position Cassidy disputes.

One fix LastPass implemented was to warn users when they type in their master password into some website. The problem with this is they display a warning message in the browser viewport like all their other messages. If the website is attacker-controlled, detecting when this notification is added is trivial.

Cassidy suppresses the notification in LostPass and sends a request to an attacker server to log the master password.

He does not blame LastPass for the fact that the industry does not respond well to phishing attacks.

A Warning To The Industry

Cassidy said it is important to inform users about security concerns in the products they use. Security researchers too often kowtow to corporations in not informing users about vulnerabilities for which they should be aware.

Operating systems and browsers can address this class of bugs. To spoof the “chrome extension” protocol, Cassidy purchased the domain “chrome-extension.pw,” which appears similar. Connecting to this domain over HTTP makes it appear similar to the built-in protocol. An open issue in Chromium addresses this. Below is an image of LastPass and LostPass, side-by-side, for Firefox on Windows 8.

[Image: Cassidy 7]
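As an added illustration (not code from the article or from Cassidy’s LostPass), the Python function below checks whether a URL’s host name imitates a browser-internal scheme such as chrome-extension://, which is the trick behind the chrome-extension.pw domain. The list of schemes and the tolerance of two typos are assumptions chosen for the example; a defender could apply the same check to proxy logs or when building a browser blocklist.

```python
"""Added example, not from the article or from LostPass: spot URLs whose
host name imitates a browser-internal scheme such as chrome-extension://.

A genuine extension page has the scheme chrome-extension:// and is served
by the browser itself; a phishing page at http://chrome-extension.pw/ merely
has a host whose first label reads like that scheme. The scheme list and the
typo tolerance below are assumptions chosen for this example.
"""
from urllib.parse import urlsplit

# Browser-internal schemes a phishing host might imitate (assumed list).
INTERNAL_SCHEMES = ("chrome-extension", "moz-extension")
MAX_TYPOS = 2  # edits allowed before a label stops counting as a lookalike


def edit_distance(a, b):
    """Levenshtein distance between two strings (standard dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def looks_like_internal_scheme(url):
    """Return (flagged, reason) for a URL."""
    parts = urlsplit(url)
    if parts.scheme in INTERNAL_SCHEMES:
        # A real chrome-extension:// URL: the browser, not a web server, serves it.
        return False, f"genuine {parts.scheme}:// URL"
    host = (parts.hostname or "").lower()
    first_label = host.split(".")[0]
    for scheme in INTERNAL_SCHEMES:
        if first_label == scheme or edit_distance(first_label, scheme) <= MAX_TYPOS:
            return True, f"host label '{first_label}' imitates '{scheme}://'"
    return False, "no internal-scheme lookalike"


if __name__ == "__main__":
    # Constructed sample URLs; the extension id is a placeholder, not LastPass's.
    for u in ("http://chrome-extension.pw/login",
              "http://chome-extenson.pw/",
              "chrome-extension://exampleextensionid/login.html",
              "https://www.example.com/"):
        print(u, "->", looks_like_internal_scheme(u))
```

The check deliberately looks only at the first host label: that is the part a user sees where the scheme would normally appear, and a small edit distance catches misspelled variants that a plain string match would miss.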

Firefox is harder to spoof. Cassidy had to manually draw each OS’s native widget using CSS and HTML. These are not perfect, but close enough.

Because a web page can draw any pixels it likes inside the browser viewport, consideration must be given to how users can visually authenticate native windows.

The code is available on GitHub.


Important: Never invest (trade with) money you can't afford to comfortably lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here. Trade recommendations and analysis are written by our analysts which might have different opinions. Read my 6 Golden Steps to Financial Freedom here. Best regards, Jonas Borchgrevink.


Lester Coleman is a veteran business journalist based in the United States. He has covered the payments industry for several years and is available for writing assignments.





1 Comment

  1. ackthbbft

    January 18, 2016 at 9:00 pm

    “He recommends the following user considerations:
    • Browser extensions have a greater risk than native applications.”
    I don’t see that LastPass offers a native application (at least for Windows; their Android app might count as one). Their download page only seems to have browser extension installers. That is certainly a big concern.
    It seems the easiest way for users to avoid this is to never click on the “banner” that LastPass sometimes displays, as it could actually be the lostpass.js phishing attack. Users should be advised to only click on the extension icon itself whenever seeing such a message, or otherwise go directly to the LastPass site. (This is what I do whenever receiving any kind of message from my banks; I always go directly to the site myself instead of using e-mail links.)
    LastPass should probably even put out an update that explicitly removes their own “banner” warnings, with a message to all users explaining the change.
    A master password change might be in order, and be sure to check your IP History of logins (as the article recommends) for the past month or so (all of mine in the last month have been from work, home, or smartphone, so hopefully I’m still safe).


Cryptocurrencies

Crypto Pump and Dumps Have Generated $825 Million in Activity This Year: WSJ


Price manipulation involving ‘pump and dump’ schemes is alive and well in the cryptocurrency market. According to new research by The Wall Street Journal, organized cryptocurrency groups have generated at least $825 million in trading activity over the past six months.

Pump Groups Thrive in Nascent Crypto Market

In a comprehensive review of trading data and online communications among crypto traders between January and July, WSJ identified 175 pump and dump schemes spanning 121 different coins. Among the 50 pumps with the biggest increase in price, nearly half had lost their value.

Among the dozen pump groups analyzed by WSJ, Big Pump Signal and its 74,000 Telegram followers have had the biggest impact on markets. The group engineered 26 pumps resulting in $222 million in trades.

Pump schemes have exploded over the past 18 months as initial coin offerings (ICOs) garnered mainstream attention. More than $12 billion has flowed into coin offerings since January 2017, according to ICOData.io, inviting a new form of speculation in markets that remain largely unregulated to this day.

Analysts say most pump and dumps follow a similar pattern: the group announces a time and an exchange for a pump; at the set time, traders execute the signal, creating a short-term buying frenzy; after a set period (usually a few minutes), the coin is sold for an instant profit.

One of the biggest pumps in recent memory came in early July after Big Pump Signal commanded its followers to buy cloakcoin (CLOAK), an obscure cryptocurrency that purports to be “fully private, secure and untraceable.” After the call was made, CLOAK spiked 50% on Binance before plummeting more than 20% after two minutes.

Stopping the Fraud

Although the pump and dump is one of the oldest forms of market fraud, regulators have struggled to stem the practice. As WSJ reports, similar practices were banned in the 1930s, but that hasn’t stopped pump and dumps from proliferating at different points in history. Jordan Belfort, whose life was chronicled in the movie “Wolf of Wall Street,” pleaded guilty in 1999 for running pump and dumps costing investors more than $200 million.

The U.S. Securities and Exchange Commission (SEC) regularly deals with pump and dumps in the stock market, but has yet to bring a case involving cryptocurrencies. In the meantime, the U.S. Commodity Futures Trading Commission (CFTC) has offered a reward for anyone who warns the agency about potential pump and dump schemes involving cryptocurrencies.

“If you have original information that leads to a successful enforcement action that leads to monetary sanctions of $1 million or more, you could be eligible for a monetary award of between 10 percent and 30 percent,” a CFTC memo, released in February, read. That translates into a potential reward of at least $100,000.

Disclaimer: The author owns bitcoin, Ethereum and other cryptocurrencies. He holds investment positions in the coins, but does not engage in short-term or day-trading.

Featured image courtesy of Shutterstock.


Sam Bourgi is Chief Editor to Hacked.com, where he specializes in cryptocurrency, economics and the broader financial markets. Sam has nearly eight years of progressive experience as an analyst, writer and financial market commentator where he has contributed to the world's foremost newscasts.





Breaches

MyEtherWallet Compromised in Security Breach; Users Urged to Move Tokens


Popular cryptocurrency service MyEtherWallet (MEW) is urging users to move their tokens after the platform succumbed to its second cyber attack of the year. As the company reported earlier, hackers targeted MEW’s popular VPN service in an attempt to steal cryptocurrency.

Hola VPN Users Compromised

Rather than target MEW directly, hackers took control of the Hola VPN service, which claims nearly 50 million users. For the next five hours, MEW users who had the Hola chrome extension installed and running on their computer were exposed.

MEW took to Twitter to urge users to move their funds immediately.

“Urgent! If you have Hola chrome extension installed and used MEW within the last 24 hrs, please transfer your funds immediately to a brand new account!” the company said. It added the following message shortly thereafter: “We received a report that suggest Hola chrome extension was hacked for approximately 5 hrs and the attack was logging your activity on MEW.”

At the time of writing, MEW’s Twitter feed had no further updates.

MyEtherWallet is used to access cryptocurrency wallets, where users can send and receive tokens from other people.

The company reportedly told TechCrunch that the attack originated from a Russian-based IP address.

“The safety and security of MEW users is our priority. We’d like to remind our users that we do not hold their personal data, including passwords so they can be assured that the hackers would not get their hands on that information if they have not interacted with the Hola chrome extension in the past day,” MEW said, as quoted by TechCrunch.

It’s not yet clear how many users were compromised in the attack or how much, if any, was stolen from their wallets. MEW suffered a similar incident in February after a DNS attack wiped out $365,000 worth of cryptocurrency from users’ accounts.

Cyber Attacks on the Rise

The attack on MEW came less than 24 hours after Hacked reported another major cyber breach involving Bancor, a decentralized cryptocurrency exchange. The security breach compromised roughly $23.5 million worth of digital currency, including Ethereum, NPXS and BNT, Bancor’s native token.

Last month, a pair of South Korean exchanges fell prey to cyber criminals, prompting local regulators to expedite their approval of new cryptocurrency laws.

It has been estimated that a total of $761 million has been stolen from cryptocurrency exchanges in the first half of the year, up from $266 million in all of 2017. That figure is expected to rise to $1.5 billion this year.

CipherTrace, the company behind the estimates, told Reuters last week that stolen cryptocurrencies are mainly used to launder money and aid criminals in concealing their identities.


Featured image courtesy of Shutterstock.







Breaches

Mt. Gox vs. Bithumb: That Was Then, This Is Now


Bithumb now shares something in common with the shuttered Tokyo-based bitcoin exchange Mt. Gox — both suffered a hack on about the same date, June 19. It’s a club that no exchange wants to belong to, and that the Bithumb hack happened on the seven-year anniversary of Mt. Gox’s maiden attack has to be more than an eerie coincidence.

It’s a stark reminder of the risks involved with keeping funds on an unregulated exchange, vulnerabilities that cost South Korea’s Bithumb some $36.6 million in digital cash and Mt. Gox $450 million in hacked bitcoin and its future. The Mt. Gox theft unfolded over a series of hacks that culminated in 2014. Though it’s still early on in the Bithumb hack, it appears the South Korean exchange will recover from the security breach. So what do we know now that we didn’t on June 19, 2011?

Then vs. Now

Former Coinbase official Nick Tomaino, who is also the founder of the crypto fund 1confirmation, reflected on the Mt. Gox hack in what proved to be a prescient tweet, given the Bithumb attack that was about to surface.

The thing to note about Mt. Gox is that the Japan-based exchange in 2011 controlled most of the BTC trading volume, approximately three-quarters of it by average estimates — more if you ask Tomaino. Since bitcoin fever caught on in 2017, there are more than 500 cryptocurrency exchanges on which trading volume is shared. Binance boasts the highest trading volume and captures nearly 15% of bitcoin trading. It’s much less than Mt. Gox days but still a little high.

The other thing to note is that the Mt. Gox hack or actually hacks, as there were multiple attacks on the exchange over several years, was a mysterious event that was shrouded in controversy and mistrust of a key executive. Bithumb, on the other hand, confronted the hack seemingly right away on Twitter and has not let any grass grow under its feet in the interim, which is a key difference in the way Mt. Gox was handled.

Also, the bitcoin price didn’t tank in response to the Bithumb hack. It traded lower for a while, but in less than 24 hours it was back in the green, a reflection of the fact that bitcoin trading is no longer dependent on a single exchange.

Charlie Lee, creator of Litecoin (LTC), the No. 6 cryptocurrency by market cap, was among the first to respond to the Bithumb hack. He tweeted:

Indeed, Bithumb does expect to be able to cover the losses via their reserves.

Crypto Security

It’s still early on in Bithumb’s security breach, and more details are sure to emerge in time. In the meantime, it’s a good idea to use the hack as an opportunity to examine the security of your cryptocurrency investment portfolio. There are several hardware wallet options out there for you to choose from — whether it’s Trezor or Ledger Nano S, to name a couple — and as Charlie Lee advised, “only keep on exchange coins that you are actively trading.”

Featured image courtesy of Shutterstock.


Gerelyn has been covering ICOs and the cryptocurrency market since mid-2017. She's also reported on fintech more broadly in addition to asset management, having previously specialized in institutional investing. She owns some BTC and ETH.



