The LastPass Phishing Attack is a phishing attack that became widely known in early 2016 and affected many users of the LastPass password manager. The sensitive passwords of a large number of users were compromised, and it served as a wake-up call to security experts.
In this attack, an attacker typically displays a notification on the victim's computer saying that the victim's LastPass session has expired and that they need to log in again. Clicking the notification brings up a login screen that looks identical to LastPass' login screen but actually belongs to the attacker's website.
If the victim enters their real password into this login screen, it goes straight to the attacker. Using the password, the attacker can then log in to the victim's account and carry out malicious activities while impersonating the victim.
The LastPass Phishing Attack was first reported by Sean Cassidy, CTO of Praesidio Inc. In his blog post, Cassidy named it the LostPass attack.
How is the LastPass Phishing Attack perpetrated?
In the LastPass Phishing Attack, the attacker exploits an XSS (Cross-Site Scripting) vulnerability in the LastPass website to carry out the attack.
The attacker first uses social engineering to trick the victim into clicking a malicious link. It may be a link sent as an email attachment, or any link promising interesting pictures or videos.
The link actually loads a script hosted on the attacker's website. When the link is clicked, the script exploits a logout CSRF vulnerability in the LastPass website and logs the victim out of LastPass.
It then displays a malicious notification in the browser viewport saying that the victim's session has expired and that the victim needs to log in again.
Clicking the notification brings up a login screen that looks just like the LastPass website's. Cassidy says in his blog post that this malicious login screen is indistinguishable from the real LastPass login screen, and that there is no way for the victim to realize it is a fraudulent login screen belonging to the attacker's website.
The victim is now tricked into entering their real username and password into the fraudulent login screen.
At this point, the attacker's server collects the credentials and verifies them using LastPass' APIs. If the credentials do not match, the victim is sent back to the login screen with the message “Invalid Password.”
Once the attacker has the correct credentials, i.e. the username, the password and, where two-factor authentication is enabled, the two-factor token, they can log in to the LastPass website with those credentials and impersonate the victim.
At this point, the attacker can change the two-factor authentication settings and the password, and carry out other malicious activities.
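The logout CSRF step in the sequence above is the one a site operator can close on the server side. What follows is an added illustration, not LastPass' code or anything from Cassidy's post: a logout handler that honours any request that carries the session cookie, beside one that accepts only a same-origin POST carrying the session's CSRF token. The Request and Session classes and the SITE_ORIGIN value are constructed placeholders.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://vault.example.test"  # constructed placeholder origin


@dataclass
class Request:
    """Constructed minimal HTTP request model (not a real framework API)."""
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Session:
    """Constructed server-side session; the CSRF token is bound to it."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    logged_in: bool = True


def logout_vulnerable(req: Request, session: Session) -> bool:
    """Logs out on any request. Because the browser attaches the session
    cookie automatically, a request triggered from a third-party page
    (the logout CSRF described above) succeeds just like a real click."""
    session.logged_in = False
    return True


def _same_origin(url: str) -> bool:
    """Compare scheme and host exactly, not by prefix, so that
    https://vault.example.test.evil.example does not pass."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def logout_hardened(req: Request, session: Session) -> bool:
    """Logs out only on a same-origin POST carrying the session's CSRF token.
    Each check alone is a defence in depth; together they stop a cross-site
    GET, a cross-site POST, and a POST with a guessed or stale token."""
    if req.method != "POST":
        return False
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not _same_origin(origin):
        return False
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):  # constant-time
        return False
    session.logged_in = False
    return True
```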
Mitigation for the LastPass Phishing Attack
We can take at least a few steps to protect ourselves from this attack.
- Educating yourself about this attack is an effective way to protect yourself.
- Ignore any notification claiming that your LastPass session has expired.
- Disable mobile login for better protection.
- Log all login failures and review them.
- Inform others about this potential attack.
So, stay informed about recent threats so that you can protect yourself better. Stay safe, stay secure.