Customers of remote PC administration service Logmein.com and electronic signature provider Docusign.com are complaining of a possible breach of customer information after receiving malware-laced emails to accounts they registered exclusively for use with those companies. Both companies say they are investigating the incidents, but so far have found no evidence of a security breach.
Some LogMeIn users began complaining of receiving malware spam to LogMeIn-specific email addresses on Dec. 3, 2012. The messages matched spam campaigns that spoofed the U.S. Internal Revenue Service (IRS) and other organizations in a bid to trick recipients into opening a malicious attachment. Multiple LogMeIn users reported receiving similar spam to addresses they had created specifically for their LogMeIn accounts and that had not been used for other purposes. The first LogMeIn user to report the suspicious activity said he received a malicious email made to look like it came from DocuSign but was sent to an address that was created exclusively for use with LogMeIn (hat tip to @PogoWasRight).
“I have an email account that allows me to put anything in front of the @ (at), which helps keep track of what/who I sign up to,” wrote LogMeIn user “Droolio” in a thread on the company’s support forum. “This way, not only do I know who leaks my email addresses (as did happen with Dropbox a few months back), spammers can be blocked after they get ahold of it. My PC is malware-free and I hardly use LogMeIn (although it is installed albeit disabled) and the last time it was used was months ago.” [link added].
LogMeIn user Justin McMurtry, a realtor in Houston, Texas, said he received a Trojan-spam message to his LogMeIn-specific email address at the same time he received the same message at an address he used exclusively for DocuSign.
“It is especially worrisome to consider the possibility that LogMeIn and/or Docusign account passwords could have been leaked as well,” McMurtry wrote on LogMeIn’s support forum. “Attackers able to actually log in using someone’s LogMeIn credentials could conceivably have full interactive access to any number of computers and mobile devices.”
LogMeIn spokesman Craig VerColen, said that while the investigation remains open, the company has so far found no signs of any compromises to its users’ information.
“It is worth noting, as part of the investigation, we did find some commonality with the naming conventions of the emails associated with the reports,” VerColen wrote in an email to KrebsOnSecurity. “Many (nearly 30%) of the reports – and this includes all reports, not just the handful of people reporting the unique email claim – included variations of LogMeIn in the name, e.g. email@example.com, LMI@acme.com, firstname.lastname@example.org. The majority of the others used either common prefixes, e.g. email@example.com, firstname.lastname@example.org, email@example.com, or common first names, e.g. firstname.lastname@example.org. While this is not the case with all of the email addresses, the commonality would seem to suggest a pattern.”
For its part, DocuSign released a statement saying that it is investigating the incident and is working with law enforcement agencies to take further action. But it chalked the incident up to aggressive phishing attacks, noting that “antivirus vendors report malicious code incidents have been increasing by as much as 3600% in recent weeks.”
“The investigation is still underway, but we have not seen any kind of indication of a data breach,” said Dustin Grosse, DocuSign’s chief marketing officer.
In July, users of file syncing and sharing service DropBox.com began complaining of receiving spam emails to addresses they’d registered for exclusive use with the service. DropBox initially said its investigation turned up no internal breach, but two weeks later the company disclosed that an employee misstep caused the inadvertent leak.