• CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum, advertising ready-made phishing projects targeting LastPass and Evernote users.
• While LastPass is a freemium password manager app, Evernote is an app designed for note-taking, organizing, task management, and archiving.
• The actor claims that these phishing projects are designed to target cryptocurrency holders. Each service is offered for USD 2,500 on monthly rental subscription.
• Phishing operations can be used to target users and steal sensitive information like passwords, documents, and cryptocurrency wallets.

Analysis and Attribution

Information from the Post

• A threat actor published a post on a cybercrime forum advertising ready-made phishing projects, that include phishing pages with fields for login and password, designed for 2FA (2 Factor Authentication) bypassing. With the help of these phishing projects, threat actors can send phishing emails to cryptocurrency holders.
• The actor claims that this tool is specifically meant to target cryptocurrency holders who use LastPass and Evernote services and that it searches an email database to check if the targeted email uses these services. The actor may have obtained the email database from a security breach that occurred in the past.
• The tool targets LastPass and Evernote since users generally store their credentials and other sensitive information in these 2 applications.
• The phishing project accesses a user’s LastPass or Evernote app to gather their passwords and notes, including mnemonic phrases of their cryptocurrency wallets, cryptocurrency exchange passwords, documents, and 2FA codes.

Source Rating

• The actor joined the forum in Oct 2020 and has a moderate reputation.
• The actor has posted only one thread, which is the above mentioned phishing project advertisement.
• The actor also has a 0.001100 BTC deposit on the forum, which indicates their confidence in this project.

• The reliability of the actor can be rated Fairly reliable (C).
• The credibility of the advertisement can be rated Probably true (2).
• Giving overall source credibility of C2.

Impact & Mitigation

Appendix