Off-the-shelf Phishing Projects Target Evernote and LastPass Users with Cryptocurrency Accounts

A post on a cybercrime forum is advertising ready-made phishing projects targeting LastPass and Evernote users for USD 2,500 on a monthly rental subscription.
Updated on April 19, 2023
Published on November 11, 2021
Category: Adversary Intelligence
Affected Industries: Multiple
Affected Region: Global
Source: C2
Executive Summary
  • CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum, advertising ready-made phishing projects targeting LastPass and Evernote users.
  • While LastPass is a freemium password manager app, Evernote is an app designed for note-taking, organizing, task management, and archiving.
  • The actor claims that these phishing projects are designed to target cryptocurrency holders. Each service is offered for USD 2,500 on a monthly rental subscription.
  • Phishing operations can be used to target users and steal sensitive information like passwords, documents, and cryptocurrency wallets.
[Figure: Threat actor’s post on a Russian cybercrime forum]

Analysis and Attribution

Information from the Post

  • A threat actor published a post on a cybercrime forum advertising ready-made phishing projects that include phishing pages with fields for login and password, designed for bypassing 2FA (two-factor authentication). With the help of these phishing projects, threat actors can send phishing emails to cryptocurrency holders.
  • The actor claims that this tool is specifically meant to target cryptocurrency holders who use LastPass and Evernote services and that it searches an email database to check if the targeted email uses these services. The actor may have obtained the email database from a security breach that occurred in the past.
  • The tool targets LastPass and Evernote since users generally store their credentials and other sensitive information in these two applications.
  • The phishing project accesses a user’s LastPass or Evernote app to gather their passwords and notes, including mnemonic phrases of their cryptocurrency wallets, cryptocurrency exchange passwords, documents, and 2FA codes.

Source Rating

  • The actor joined the forum in Oct 2020 and has a moderate reputation.
  • The actor has posted only one thread, which is the above-mentioned phishing project advertisement.
  • The actor also has a 0.001100 BTC deposit on the forum, which indicates their confidence in this project.
  • The reliability of the actor can be rated Fairly reliable (C).
  • The credibility of the advertisement can be rated Probably true (2).
  • This gives an overall source credibility of C2.

Impact & Mitigation

Impact

  • These phishing projects can be utilized by other threat actors to target specific users and steal their:
    • Passwords
    • Documents
    • Crypto wallets
    • Other sensitive information

Mitigation

  • Avoid downloading suspicious documents from unknown sources.
  • Avoid clicking on suspicious links.
  • Enable the visibility of file extensions, and be wary of downloading files with unknown file extensions.
  • Update all systems and applications with the latest patches and updates.
  • Ensure the usage of MFA.
  • Use up-to-date antivirus and anomaly detection tools.
  • Use updated EDR solutions for network monitoring.


[Figure: English translation of the threat actor’s post on the cybercrime forum]
