- CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum, advertising ready-made phishing projects targeting LastPass and Evernote users.
- While LastPass is a freemium password manager app, Evernote is an app designed for note-taking, organizing, task management, and archiving.
- The actor claims that these phishing projects are designed to target cryptocurrency holders. Each service is offered for USD 2,500 on a monthly rental subscription.
- Phishing operations can be used to target users and steal sensitive information like passwords, documents, and cryptocurrency wallets.
[Image: Threat actor’s post on a Russian cybercrime forum]
Analysis and Attribution
Information from the Post
- A threat actor published a post on a cybercrime forum advertising ready-made phishing projects that include phishing pages with login and password fields, designed to bypass 2FA (two-factor authentication). With the help of these phishing projects, threat actors can send phishing emails to cryptocurrency holders.
- The actor claims that this tool is specifically meant to target cryptocurrency holders who use LastPass and Evernote services and that it searches an email database to check if the targeted email uses these services. The actor may have obtained the email database from a security breach that occurred in the past.
- The tool targets LastPass and Evernote since users generally store their credentials and other sensitive information in these two applications.
- The phishing project accesses a user’s LastPass or Evernote app to gather their passwords and notes, including mnemonic phrases of their cryptocurrency wallets, cryptocurrency exchange passwords, documents, and 2FA codes.
- The actor joined the forum in Oct 2020 and has a moderate reputation.
- The actor has posted only one thread, which is the above-mentioned phishing project advertisement.
- The actor also has a 0.001100 BTC deposit on the forum, which indicates their confidence in this project.
- The reliability of the actor can be rated Fairly reliable (C).
- The credibility of the advertisement can be rated Probably true (2).
- This gives an overall source credibility rating of C2.
Impact & Mitigation
- These phishing projects can be utilized by other threat actors to target specific users and steal their:
  - Crypto wallets
  - Other sensitive information
- Avoid downloading suspicious documents from unknown sources.
- Avoid clicking on suspicious links.
- Enable the visibility of file extensions, and be wary of downloading files with unknown file extensions.
- Update all systems and applications with the latest patches and updates.
- Ensure MFA is enabled.
- Use up-to-date antivirus and anomaly detection tools.
- Use updated EDR solutions for network monitoring.
[Image: English translation of the threat actor’s post on the cybercrime forum]