Tuesday, January 19, 2016

LastPass Phishing Attack



The LastPass phishing attack is a phishing technique that became widely known in January 2016 and targets users of the LastPass password manager. It was a publicly demonstrated proof of concept rather than a confirmed mass compromise, but because the master password unlocks every credential stored in a user's vault, it served as a wake-up call for users and security practitioners alike.


In this attack, the attacker displays a notification in the victim's browser claiming that the LastPass session has expired and the victim needs to log in again. Clicking the notification opens a login screen that looks identical to LastPass' own, but is in fact served by the attacker's website.

If the victim enters the real master password into this screen, it goes straight to the attacker, who can then log in to the victim's LastPass account, read every stored credential and act as the victim.


The attack was first described by Sean Cassidy, CTO of Praesidio Inc., who named it LostPass in his blog post and presented it at ShmooCon 2016.




How is the LastPass Phishing Attack perpetrated?


The attack does not break LastPass' cryptography. It combines social engineering with two weaknesses in how LastPass interacted with the browser: a logout CSRF (Cross-Site Request Forgery) flaw on the LastPass website, and the fact that the LastPass extension showed its notifications inside the browser viewport, where any web page can draw a pixel-perfect copy of them.

The attacker first uses social engineering to get the victim onto a malicious page, for example through a link in an email or a link promising interesting pictures or videos.

That page carries a script hosted on the attacker's website. When it runs, the script exploits the logout CSRF in the LastPass website by making the victim's browser send the logout request, which ends the victim's real LastPass session.

The script then draws a fake notification in the browser viewport, mimicking the extension's own, saying that the session has expired and the victim must log in again. Because the victim really has just been logged out, the notification is consistent with what the genuine extension would show.

Clicking the notification opens a login screen that copies LastPass' own. Cassidy notes in his post that the replica is pixel-perfect, and that the victim has no visual way to tell that it belongs to the attacker's website.


The victim is thus tricked into entering the real username and master password into the fraudulent screen.

The attacker's server collects the credentials and checks them against LastPass' own API. If they are wrong, the victim is sent back to the fake login screen with an "Invalid Password" message, exactly as the real site would do, so the victim simply tries again. If the account has two-factor authentication enabled, the fake site shows a matching two-factor prompt and harvests the code as well.

Once the attacker has a working set of credentials (username, master password and, where two-factor authentication is enabled, the current two-factor code), he can log in to LastPass as the victim.

From there the attacker can read every stored credential, change the master password, turn off or re-enrol two-factor authentication, and lock the real user out.




Mitigation for LastPass Phishing Attack


We can take at least a few steps to protect ourselves; most of them are Cassidy's own recommendations.
  • Learn what the attack looks like. Knowing that any web page can draw a convincing "session expired" banner is the most effective single defence.
  • Ignore LastPass "session expired" notifications that appear inside a web page. If you believe you have been logged out, log back in only through the extension's own toolbar icon or by typing the LastPass address yourself, never through a notification or link on the page.
  • Disable mobile login in your LastPass account settings. The proof of concept relied on LastPass' API to verify and use the stolen credentials rather than on the browser extension, so closing that path blunts the attack.
  • Log all login failures and review them. A victim who mistypes the master password into the fake screen produces a failure that is relayed by the attacker's server, so failures followed by a success from an address you have never used are a strong signal.
  • Tell others about the attack; a phish that depends on its target not knowing it exists loses most of its power once it is widely known.
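As an added example, not from the original post, here is a small Node.js checker that runs over a constructed login log and picks out the pattern behind the "log all login failures" advice: a successful login from an address the user has never used before, shortly after failures from that same address. The log format, field names, users and IP addresses are all made up for the example and do not describe LastPass' real logs.

```javascript
// Added example (not from the original post): scan a login log for the trace
// a relayed phish leaves. Log format, users and addresses are constructed.

// Constructed sample log. alice normally logs in from 198.51.100.20; the
// attacker's server at 203.0.113.7 relays her mistyped password (a failure),
// then her real one (a success), through the API.
const SAMPLE_LOG = `
2016-01-18T21:03:11Z login_failed user=alice@example.com ip=203.0.113.7 client=api reason=bad_password
2016-01-18T21:03:19Z login_ok user=alice@example.com ip=203.0.113.7 client=api
2016-01-18T21:05:02Z login_ok user=bob@example.com ip=198.51.100.44 client=extension
2016-01-18T21:06:40Z login_failed user=carol@example.com ip=198.51.100.9 client=extension reason=bad_password
2016-01-18T21:06:48Z login_ok user=carol@example.com ip=198.51.100.9 client=extension
2016-01-18T22:30:00Z login_ok user=dave@example.com ip=192.0.2.77 client=extension
this line is not a login event and is skipped
`.trim();

// Baseline of addresses each user has logged in from before (constructed).
const KNOWN_IPS = {
  "alice@example.com": new Set(["198.51.100.20"]),
  "bob@example.com": new Set(["198.51.100.44"]),
  "carol@example.com": new Set(["198.51.100.9"]),
  "dave@example.com": new Set(["198.51.100.61"]),
};

// Parses one "<iso-timestamp> <event> k=v k=v ..." line; returns null for
// anything that is not a login event.
function parseLine(line) {
  const m = line.match(/^(\S+)\s+(login_failed|login_ok)\s+(.*)$/);
  if (!m) return null;
  const fields = {};
  for (const kv of m[3].split(/\s+/)) {
    const eq = kv.indexOf("=");
    if (eq > 0) fields[kv.slice(0, eq)] = kv.slice(eq + 1);
  }
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts) || !fields.user || !fields.ip) return null;
  return { ts, event: m[2], user: fields.user, ip: fields.ip, client: fields.client || "unknown" };
}

// Flags every success from an address the user has not used before; raises it
// to "high" when that same address produced failures for the same user within
// the preceding window, which is what a victim mistyping into a fake login
// screen looks like from the server side.
function findSuspiciousLogins(logText, knownIps, windowMs = 10 * 60 * 1000) {
  const events = logText.split("\n").map(parseLine).filter(Boolean)
    .sort((a, b) => a.ts - b.ts);
  const recentFailures = new Map(); // "user|ip" -> [timestamps]
  const alerts = [];
  for (const e of events) {
    const key = `${e.user}|${e.ip}`;
    if (e.event === "login_failed") {
      recentFailures.set(key, [...(recentFailures.get(key) || []), e.ts]);
      continue;
    }
    const known = knownIps[e.user] || new Set();
    if (known.has(e.ip)) continue; // success from a familiar address: routine
    const priorFailures = (recentFailures.get(key) || [])
      .filter((t) => e.ts - t <= windowMs).length;
    alerts.push({
      user: e.user, ip: e.ip, client: e.client, priorFailures,
      severity: priorFailures > 0 ? "high" : "medium",
    });
  }
  return alerts;
}

console.log(findSuspiciousLogins(SAMPLE_LOG, KNOWN_IPS));
// [ alice from 203.0.113.7 via api: high (1 prior failure), dave from 192.0.2.77: medium ]
```

Carol's typo from her usual address produces no alert, which is the point of keeping a per-user baseline: the signal is not the failure itself but a failure and a success arriving together from somewhere the user has never been.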



So stay informed about recent threats; it is the best way to protect yourself. Stay safe, stay secure.
