December 14, 2012

Customers of remote PC administration service Logmein.com and electronic signature provider Docusign.com are complaining of a possible breach of customer information after receiving malware-laced emails to accounts they registered exclusively for use with those companies. Both companies say they are investigating the incidents, but so far have found no evidence of a security breach.

Some LogMeIn users began complaining of receiving malware spam to LogMeIn-specific email addresses on Dec. 3, 2012. The messages matched spam campaigns that spoofed the U.S. Internal Revenue Service (IRS) and other organizations in a bid to trick recipients into opening a malicious attachment.  Multiple LogMeIn users reported receiving similar spam to addresses they had created specifically for their LogMeIn accounts and that had not been used for other purposes. The first LogMeIn user to report the suspicious activity said he received a malicious email made to look like it came from DocuSign but was sent to an address that was created exclusively for use with LogMeIn (hat tip to @PogoWasRight).

“I have an email account that allows me to put anything in front of the @ (at), which helps keep track of what/who I sign up to,” wrote LogMeIn user “Droolio” in a thread on the company’s support forum. “This way, not only do I know who leaks my email addresses (as did happen with Dropbox a few months back), spammers can be blocked after they get ahold of it. My PC is malware-free and I hardly use LogMeIn (although it is installed albeit disabled) and the last time it was used was months ago.” [link added].

LogMeIn user Justin McMurtry, a realtor in Houston, Texas, said he received a Trojan-spam message to his LogMeIn-specific email address at the same time he received the same message at an address he used exclusively for DocuSign.

“It is especially worrisome to consider the possibility that LogMeIn and/or Docusign account passwords could have been leaked as well,” McMurtry wrote on LogMeIn’s support forum. “Attackers able to actually log in using someone’s LogMeIn credentials could conceivably have full interactive access to any number of computers and mobile devices.”

LogMeIn spokesman Craig VerColen said that while the investigation remains open, the company has so far found no signs of any compromises to its users’ information.

“It is worth noting, as part of the investigation, we did find some commonality with the naming conventions of the emails associated with the reports,” VerColen wrote in an email to KrebsOnSecurity. “Many (nearly 30%) of the reports – and this includes all reports, not just the handful of people reporting the unique email claim – included variations of LogMeIn in the name, e.g. logmein@acme.com, LMI@acme.com, logmeinrescue@acme.com.  The majority of the others used either common prefixes, e.g. info@acme.com, sales@acme.com, tech@acme.com, or common first names, e.g. joe@acme.com.  While this is not the case with all of the email addresses, the commonality would seem to suggest a pattern.”

For its part, DocuSign released a statement saying that it is investigating the incident and is working with law enforcement agencies to take further action. But it chalked the incident up to aggressive phishing attacks, noting that “antivirus vendors report malicious code incidents have been increasing by as much as 3600% in recent weeks.”

“The investigation is still underway, but we have not seen any kind of indication of a data breach,” said Dustin Grosse, DocuSign’s chief marketing officer.

In July, users of file syncing and sharing service DropBox.com began complaining of receiving spam emails to addresses they’d registered for exclusive use with the service. DropBox initially said its investigation turned up no internal breach, but two weeks later the company disclosed that an employee misstep caused the inadvertent leak.


31 thoughts on “LogMeIn, DocuSign Investigate Breach Claims”

  1. Mark Pizzolato

    The folks at LogMeIn seem to have their heads in the sand about this issue.

    They’re claiming that someone is guessing logmein account name and then sending eMail. They don’t admit that all of us who are using completely unique eMail addresses got those email addresses from someplace within LogMeIn’s infrastructure. If they got the eMail addresses, what else did they get (i.e. access passwords to use those addresses to remote control logmein controlled computers, credit card information for the paid logmein accounts, etc…). Meanwhile, since LogMeIn still doesn’t know how this information was exposed, the parties who gathered this information once can come back and get any revisions, again and again.

    The fact that only folks who use unique email addresses for their logmein accounts are reporting this doesn’t mean anything since for everyone else, the spam and phishing messages will merely be in the normal barrage of junk targeted at their email addresses all the time.

  2. JasonR

    @Mark Pizzolato
    I 100% agree. I’ve seen this time and time again, places won’t admit that they have had a breach when I can prove it was either them, an ISP sniffing (their ISPs, my ISPs, or an ISP in between) and I know my servers and desktop are still rock solid (as I run my own hardened mail servers, and equally locked down desktop with contained VMs for all Internet access). Using Occam’s Razor, it always points back to them. I have called this early on with many data breaches that have compromised my one-use-only email aliases, which only months later would the service come out publicly and admit it.

  3. Troy

    Brian,
    Thank you for this! We had been pulling our hair out trying to figure out where they got our unique email addresses to phish us. I uploaded all the zip files to VT and got Trojan hits on every one. We got the phishing/spam emails in the same order as one of the LMI forum users reported, too– DocuSign, jConnect, AMEX and Xerox.

  4. Richard Steven Hack

    Corporations always follow the same pattern:

    Day One: “Uh, we’re investigating but we have no evidence of a breach.”

    Day Two: “Oh, sh*t!”

    Day Three: “We’re so sorry!”

    Day Four: “We’re fixing it!”

    Rinse and repeat…

  5. Justin McMurtry

    Thus far, LogMeIn is trying to pass off this incident as “a phishing version of a dictionary attack.” But that claim makes no sense. First of all, they’re not explaining where the spammers are getting the domain part of the targeted email addresses from. Secondly, I think most users of owned domains with unlimited custom addresses are like me in setting them up with a “catch-all” functionality, so that a message addressed to *any* username in that domain will be delivered unless that username has been specifically blocked. If spammers were really using a “dictionary” approach, we would receive a copy of their spam for every single version of the address in our domain that they attempted. But this is not what we’ve observed. Instead, we’ve received spam *only* at the specific address(es) that we created for and disclosed to LogMeIn. There is no plausible explanation for this other than that the spammers obtained the targeted addresses directly from LogMeIn data systems.

    DocuSign too is denying any data breach has occurred, but I have exactly the same evidence for a breach of DocuSign customer data as I do for LogMeIn. The only difference between the two is that LogMeIn, by its nature, has a far greater concentration of tech-savvy users than DocuSign does; therefore there are far more LogMeIn users than DocuSign users who are able to recognize what has happened and report it, either by contacting LogMeIn support directly or by finding their way to the LogMeIn discussion forum thread. This difference in reporting should in no way be misinterpreted as indicating that DocuSign has not suffered the same kind of data breach that LogMeIn has.

    Justin McMurtry
    Licensed Realtor (and former IT professional)
    Houston, Texas

  6. Mark Pizzolato

    There was absolutely no guessing of email addresses on my site. I have 2 separate LogMeIn unique email addresses which were BOTH sent phishing attempts in the exact same email. They started with a list of email addresses.

    Additionally, I have precise logs of delivery attempts (guessed email address, etc.) and no related bogus attempts were made.
    LogMeIn had a data breach and probably have no way to detect that it actually happened except for the precise outside evidence we’ve seen. That is why they’ve “found no signs of data compromise”.

    I’m recommending that my customers migrate to a different remote support solution.
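The argument in comments 5 and 6 can be checked against a mail server's own delivery records: on a catch-all domain, dictionary guessing leaves attempts at local parts that were never issued, while a harvested list hits only the issued aliases. The sketch below is an added example, not code from the article or its commenters; the log format, alias names, addresses and IPs are constructed for illustration.

```python
import re
from collections import defaultdict

DOMAIN = "example.org"  # constructed catch-all domain

# Per-service aliases the mailbox owner actually handed out (constructed).
ISSUED = {
    "lmi-7f3k@example.org": "LogMeIn",
    "dsign-q9x2@example.org": "DocuSign",
    "dropbx-m4t8@example.org": "Dropbox",
}

# Constructed RCPT log in a hypothetical one-line-per-recipient format.
SAMPLE_LOG = """\
2012-12-03T09:14:02Z client=203.0.113.7 rcpt=lmi-7f3k@example.org subject="IRS notice"
2012-12-03T09:14:02Z client=203.0.113.7 rcpt=dsign-q9x2@example.org subject="IRS notice"
2012-12-04T11:40:19Z client=203.0.113.7 rcpt=lmi-7f3k@example.org subject="Scan from a Xerox WorkCentre"
2012-12-05T02:01:44Z client=198.51.100.23 rcpt=info@example.org subject="Invoice"
2012-12-05T02:01:45Z client=198.51.100.23 rcpt=sales@example.org subject="Invoice"
2012-12-05T02:01:45Z client=198.51.100.23 rcpt=joe@example.org subject="Invoice"
2012-12-05T02:01:46Z client=198.51.100.23 rcpt=logmein@example.org subject="Invoice"
2012-12-05T02:01:46Z client=198.51.100.23 rcpt=tech@example.org subject="Invoice"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<client>\S+) rcpt=(?P<rcpt>\S+) subject="(?P<subject>[^"]*)"$'
)


def parse(log_text):
    """Turn log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify(events, issued, domain):
    """Per sending client, compare hits on issued aliases with guessed local parts."""
    per_client = defaultdict(lambda: {"issued": set(), "guessed": set()})
    for ev in events:
        rcpt = ev["rcpt"].lower()
        if not rcpt.endswith("@" + domain):
            continue
        bucket = "issued" if rcpt in issued else "guessed"
        per_client[ev["client"]][bucket].add(rcpt)

    report = {}
    for client, seen in per_client.items():
        if seen["issued"] and not seen["guessed"]:
            verdict = "list-based"        # only addresses that were handed out
        elif len(seen["guessed"]) > len(seen["issued"]):
            verdict = "dictionary-like"   # mostly local parts nobody issued
        else:
            verdict = "inconclusive"
        report[client] = {
            "verdict": verdict,
            "services": sorted({issued[a] for a in seen["issued"]}),
            "guessed": len(seen["guessed"]),
        }
    return report


def analyze_sample():
    return classify(parse(SAMPLE_LOG), ISSUED, DOMAIN)


if __name__ == "__main__":
    for client, row in analyze_sample().items():
        print(client, row)
```

A "list-based" verdict shows only that the sender already held the exact addresses; it does not show where the list was obtained.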

  7. George G.

    “I have an email account that allows me to put anything in front of the @ (at) “.

    How does one do that ?

    1. Brian Krebs

      Perhaps he is using something in the mail specification, which basically ignores anything to the right of a “+” sign before the @domain.

      So, instead of giving people example@gmail.com, if you signed up at Joe’s Plumbing, you could give an address example+joesplumbing@gmail.com, and create a filter for any email to that address. Not all sites honor this construction, however.

  8. Uzzi

    Funny… how those “companies” get along without adopting ISO/IEC 27001. (Yeah, I know…European standards and regulations are a communistic threat to American freedom.oO)

      1. Uzzi

        Thx! – I wonder why the hell they didn’t attest that their data restrictions (see Privacy Policy, 9. Security) did work and no irregularities were detected since December 6, 2012 Malware Spam Alert Update then… Maybe they can’t? (At least their wishy-washy about malicious third parties spidering the Internet wasn’t convincing: http://www.docusign.co.uk/spam)

  9. AlphaCentauri

    The address I use isn’t unique to logmein, but it gets only specific types of spam. I didn’t get any IRS spam on Dec. 3, but I did get IRS phish on Sept. 27 and Oct. 2.

    Spammed URLs included

    Do the December 3 spams seem similar? I wonder if this goes back to September?

    1. jay

      I got the IRS email and “Scan from a Xerox WorkCentre” emails from virtua.com.br and other domains, both sent to my Logmein email ID.

      I just changed my email and password on the Logmein control panel.

      I own several domains and have over 200 unique addresses that forward to my main address just so I can track who might be giving out addresses despite a TOS that says they don’t.

  10. nik cubrilovic

    I have seen something similar before, and my hunch, based on all I have seen, is that there is an SQL injection somewhere in logmein or docusign on a LIKE clause that can’t be blank. So the attackers enter known phrases (dictionary of ‘sales’, ‘jack’, ‘john’, ‘logmein’ etc.) and get back all the email addresses that contain those keywords in them.

    I am 99% certain this is what this is. If I were the company I would grep their web code base for LIKE statements and then lock down the variable filtering. I would also check their existing sql logs for those names. I bet it is there.

    1. Uzzi

      > attackers enter known phrases (dictionary of ‘sales’, ‘jack’, ‘john’, ‘logmein’ etc.)
      > and get back all the email addresses that contain those keywords

      What about the phrase ‘@’? (Sry, I’m not proficient in SQL…. however, I predict it’s again an employee like in most of those leaks. But as long as “companies” don’t adopt ISO/IEC 27001 they won’t know themselves.)
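The class of flaw hypothesized in comment 10, and the lock-down it recommends, can be shown with a keyword lookup written two ways. This is an added example, not LogMeIn's or DocuSign's code; the table, column and function names and the sample rows are hypothetical.

```python
import sqlite3


def make_db():
    """Constructed sample data: contact addresses owned by three accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts (id INTEGER PRIMARY KEY, owner_id INTEGER, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO contacts (owner_id, email) VALUES (?, ?)",
        [
            (1, "logmein@acme.example"),
            (2, "logmein@widgets.example"),
            (2, "sales@widgets.example"),
            (3, "joe@corp.example"),
        ],
    )
    return conn


def search_unsafe(conn, term):
    # "Before": the term is concatenated into the statement and the lookup
    # is not tied to the caller, so any keyword returns every account's
    # matching addresses (and the string is open to SQL injection).
    sql = "SELECT email FROM contacts WHERE email LIKE '%" + term + "%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def escape_like(term):
    """Make %, _ and the escape character itself match literally."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe(conn, owner_id, term):
    # "After": bound parameters, wildcards escaped, results scoped to the
    # requesting account. The not-blank check alone would not have helped;
    # it only forces a caller to supply some keyword.
    if not term.strip():
        raise ValueError("search term must not be blank")
    sql = (
        "SELECT email FROM contacts "
        "WHERE owner_id = ? AND email LIKE ? ESCAPE '\\' ORDER BY id"
    )
    pattern = "%" + escape_like(term) + "%"
    return [row[0] for row in conn.execute(sql, (owner_id, pattern))]


if __name__ == "__main__":
    db = make_db()
    print("unsafe 'logmein':", search_unsafe(db, "logmein"))
    print("safe   'logmein':", search_safe(db, 1, "logmein"))
```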

  11. George

    Weird; I’m sure I submitted a comment from my smartphone; anyhoo…

    I have received these malware mails from “DocuSign” and the “Xerox WorkCentre”; however I got them via a forwarding mailbox we’d set up at a customer (ourcompany@theirdomain.com).

    As this address is never used (by us or the client) to send mail and certainly not to register for services, an external data leak is improbable.

    Since the address is in client address books (Outlook or others, possibly webmail) it is far more likely that client devices have been compromised and that e-mail addresses have been harvested.

    It is also possible to pluck such e-mail addresses out of thin air, if a client device uses unprotected WiFi or is MitM-ed.

    Although it is also possible that the address was guessed or brute forced; this client has edge protection against harvesting through SMTP, making that less likely.

    It is easy to point fingers at the widely used services, but these malware guys are smart. If your ‘special’ e-mail address was easily identifiable as a LogMeIn address (they could match that up). Don’t think they won’t do anything to increase their success rate.

    Realistically and from my observed data I’d say your mailbox or (internal) address list was compromised. Maybe a long time ago, maybe from accessing your webmail from someone else’s device or your smartphone.

    Lists get aggregated and ‘improved’ all the time too.

    George/

  12. Mark Pizzolato

    George,

    If this had only happened to one person or one user’s LogMeIn email address, the information could have been harvested by any of the places you suggest or even more creative ways the malware guys think up.

    However, since MANY folks who only have a single common link (the LogMeIn connection) all had the same issue at the same time, the data had to be collected from LogMeIn.

    Once these addresses have been collected, they certainly will be sold and used by many spam and/or malware agents. The point of this discussion is really about LogMeIn’s breach and their lack of admitting to the facts.

  13. George

    Mark,

    I would agree if LMI truly was “the only common link” and even more if that link was not that common.

    Services that are widely used and have a massive user base, will also have users that have been compromised in one way or another.

    I am a LogMeIn user, have multiple accounts there both personal and business, but I have not received the LMI version of the malware. I don’t have a DocuSign account and I have received those, but only through that external account.

    The calls for “LMI to admit a breach” are way off IMHO. Sure, companies are slow to admit breaches. I’m from The Netherlands, I don’t have to remind you of our local DigiNotar debacle.
    But at this moment it doesn’t meet the ‘burden of proof’ and demanding companies ‘own up’ is very premature.

    We’re all (?) used to Facebook phishing and bank scams, but the LMI, DocuSign and Xerox WorkCentre mails were new, widely used services that we trust(ed) or thought of as ‘internal’.

    To me this report ‘looks wrong’ and it doesn’t match with my personal experience in this case. Not to say that Brian shouldn’t have reported on this; it is a balanced article about a concern that may still be proven to have merit.

    Immediately people also take it from harvested e-mails, to fully compromised services and then to “Attackers able to actually log in using someone’s LogMeIn credentials could conceivably have full interactive access to any number of computers and mobile devices.”. That is nonsense if you know how the service works, unless you use a single password for everything.

    The clinical term for that is “Mass Hysteria” I believe.

    Sometimes it is difficult to see the forest for the trees, to look beyond the obvious and it is always easier to blame someone else for stuff that happens to you. That doesn’t make it correct though.

    George/

  14. Mark Pizzolato

    George,

    I’m trying to have an open mind here. The LMI folks’ vague claim of this being a dictionary attack is what got me steaming.

    I do have more LogMeIn accounts than the two which received the mentioned malware messages. The fact that only these two have gotten ALL of these messages might be related to the source of the issue. However, in my case EACH malicious message that arrived here was actually addressed to BOTH of these email addresses in the same SMTP delivery attempt and in the RFC822 message headers.

    The only way I can imagine that ONLY these two different customer sets had their LogMeIn email addresses collected was if some other malicious code infected a computer at EACH of these two distinct sites (there are a total of 5 computers). Such an infection would have then had to glean the LMI account email address from the local environment (a quick look through the registry and disk files DOES NOT show the actual LogMeIn account name easily visible).

    This combination of simultaneous events (at my customer sites AND all of the other folks who also had the same consequence) seems quite unlikely, but theoretically possible. Occam’s Razor suggests that a breach at LogMeIn is the far more likely cause.

  15. George K.

    Hi Mark,

    I think it is good to keep an open mind and don’t think LMI ‘claimed’ it was anything, but is investigating: LogMeIn spokesman Craig VerColen, said that […] the investigation remains open.

    I’m not sure what you’re trying to say with both of your compromised addresses being present in the malicious e-mails. I take it these “two different customer sets” share the same mail system (or part thereof, like edge servers). That may just be efficient delivery (limiting connections) then.

    I don’t see how the delivery (method) relates to the source of the addresses used.

    Look, I’m a sceptic as well. But I’m not just sceptical looking at ‘companies’ and overlooking ‘users’. Companies should take reports like this seriously and it seems (to me) that they do.

    Do I trust LMI to keep my e-mail addresses safe? No. But do I think (yes, not even believe) that they’re the source of this malware campaign? Also no.
    Might I be proven wrong? Well, possibly. But not likely.

    Occam’s Razor, eh? Well didn’t the EU tell banks: assume that all clients are infected? Isn’t that the hypothesis with the fewest assumptions? (ie. 1)
    I doubt a full breach of LMI or DocuSign would satisfy OR.

    And LMI systems or your local devices aren’t the only place this e-mail address exists… Isn’t (marketing) e-mail (from LMI, etc.) unencrypted traffic that can be gleaned from any number of places? Or maybe a mailing list was hoisted from a service provider?

    Keepin’ it sharp 😉

    George/

  16. Neej

    To my mind to be fair to LMI, whilst not excusing any entity from having proper disclosure procedures, I don’t think it’s reasonable to disclose that you have a security issue based *only* on user reports – that would be open to abuse from competitors or anyone else making false reports.

    And as mentioned, LMI maintain they’re investigating the issue.

  17. Richard Steven Hack

    I’m not sure anyone here is claiming that the company needs to “admit” a breach here. The company has said it’s investigating, which is fine.

    But they also said they “have no evidence of a breach” and THAT statement, while true, is merely an attempt to deflect the fact that they don’t KNOW one way or the other.

    The statement that they’re investigating a POSSIBLE breach would be sufficient. Adding the “we have no evidence” is an attempt to muddy the waters for PR purposes.

    And as I said in my earlier post, every company seems compelled – perhaps by their legal department – to do this, even though we know the subsequent progression of events will almost certainly reveal a breach.

  18. AlphaCentauri

    The issue that strikes me is, if someone has unauthorized access to LogMeIn’s database, why send spam to those email addresses and alert people to the breach? They’re potentially killing the goose that lays the golden eggs.

  19. George

    @Richard,

    I apologise for CAPS in this message, it is only used for clarity and I am not shouting, as I assume you aren’t either.

    You say such reasonable things, and then:

    > even though we know the subsequent progression of events
    > will almost certainly reveal a breach.

    …but we don’t KNOW (as you also stated) and it isn’t CERTAIN (or even that likely) IMHO.

    This isn’t a religion, beliefs don’t count in security and I see no compelling reason whatsoever to think a breach is evident.

    Maybe a subscriber mailing list was lost, somewhere, but the address I received the mails on isn’t and wasn’t registered with LMI or DocuSign or anywhere else (I just checked to make sure a colleague hadn’t done something silly). It just forwarded mail from a client to us. Totally unused otherwise.

    Not to say that the list wasn’t compiled from multiple sources, but I believe it shows that (otherwise) unused addresses got on it and not via LMI (or DS, etc.). And the ‘outrage’ was that they MUST have come from LMI (and a full breach no less). UNSUBSTANTIATED.

    A problem on one of the 100s of clients at that customer just seems the most probable for my situation and the mentioned services are DEFINITELY not.

    George/

    1. Richard Steven Hack

      It may be probable for your situation, but the other cases reported are adamant that it can’t be in their cases.

      So it’s a case of one anecdotal piece of evidence vs multiple anecdotal pieces of evidence.

      Weight of the evidence is on a breach, even if it’s all anecdotal at the moment.

      And when I say “almost certainly a breach”, I mean in reference to most of the reported breaches in the past. How many of these “we might have a breach” have turned out NOT to be a breach? I submit the majority have been breaches and therefore the probability is that there is a breach in this case especially given the weight of the anecdotal evidence.

      And irregardless of whether there is a breach in this case, LogMeIn is still acting in the manner I described, which is to try to pre-judge the case for PR purposes by claiming BEFORE the investigation that they have “no evidence” of a breach – when the anecdotal cases ARE evidence, even if anecdotal.

      1. George K.

        Well, we’re probably not going to see eye to eye on this, but my “anecdotal” experience is not that to me; they are facts of my environment (the e-mail IS not registered with any of these services).

        Users claiming there ‘is no other way’ ARE wrong, there are other ways their “unique” e-mail address could have been obtained other than a full breach. And they’ve not acknowledged these or provided arguments against them other than ‘it wasn’t me’. In IT support we know that usually is the wrong assumption.

        I would not have agitated so if the claims were “Hey LMI (et al), you appear to have lost/leaked my e-mail address!”. I think that IS a real possibility.

        But instead we have “full-breach-hysteria” and I would like to have numbers on: “How many of these “we might have a breach” have turned out NOT to be a breach?”. I can’t answer that.

        None of the malware e-mails used corroborating data that could only have come from LMI, like profile information of device names. Using these would have had a positive effect on their “campaign results”.

        There is no indication that accounts have been abused. Also not likely in case of ex-filtrated user data as security to connect to devices is not stored with LMI but is local (to your network or device). I don’t see reports of lockouts (due to password brute forcing) or the e-mail alerts thereof.

        No one has claimed what would be a prestigious hack. Even a week later no ‘proof’ has been pastebinned or whatever.

        Companies have to weigh what they say carefully, yes mostly out of financial concern, but also looking at what is actually being reported. And that seems not to warrant up-front (near) admission of a possible breach, when there are just some e-mail addresses floating around.

        George/

  20. RR

    Those are all Blackhole/Zeus emails you are describing right? It’s not a stretch to imagine the method the hackers used against you were the same ones they used against those two companies.

    I’ve been monitoring a Zeus infected machine since Oct, last night it downloaded Pushdo/Cutwail and tried to start sending mail.

    Somewhere an employee said “oh another virus deleted” and clicked close on his AV window. Because that’s all “anti-virus software” makes people think of – “oh, a virus”. When they should be thinking “it ran for a week, doing who knows what”. One single EXE running on a machine, cleaned up by AV. That’s not what people (especially execs) imagine for a hack. It’s likely even the hackers don’t know what they got into – they just raid all of their victims in parallel for email addresses, then distribute the spam load over them all. Just like last week.

  21. MR

    FWIW, I’ve had zero spam emails to my specific LMI email address. The email address is on a domain I own and is composed of random letters & numbers to eliminate guessing.

Comments are closed.