Off-the-shelf Phishing Projects Target Evernote and LastPass Users with Cryptocurrency Accounts

Summary

A post on a cybercrime forum is advertising ready-made phishing projects targeting LastPass and Evernote users for USD 2,500 on a monthly rental subscription.
Category: Adversary Intelligence
Affected Industries: Multiple
Affected Region: Global
Source*: C2
TLP#: GREEN
Reference: * https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability  # https://en.wikipedia.org/wiki/Traffic_Light_Protocol
Executive Summary
  • CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum, advertising ready-made phishing projects targeting LastPass and Evernote users.
  • While LastPass is a freemium password manager app, Evernote is an app designed for note-taking, organizing, task management, and archiving.
  • The actor claims that these phishing projects are designed to target cryptocurrency holders. Each service is offered for USD 2,500 on a monthly rental subscription.
  • Phishing operations can be used to target users and steal sensitive information like passwords, documents, and cryptocurrency wallets.
 
Threat actor’s post on a Russian cybercrime forum
 

Analysis and Attribution

Information from the Post

  • A threat actor published a post on a cybercrime forum advertising ready-made phishing projects that include phishing pages with login and password fields designed to bypass 2FA (two-factor authentication). With the help of these phishing projects, threat actors can send phishing emails to cryptocurrency holders.
  • The actor claims that this tool is specifically meant to target cryptocurrency holders who use LastPass and Evernote services and that it searches an email database to check if the targeted email uses these services. The actor may have obtained the email database from a security breach that occurred in the past.
  • The tool targets LastPass and Evernote since users generally store their credentials and other sensitive information in these two applications.
  • The phishing project accesses a user’s LastPass or Evernote app to gather their passwords and notes, including mnemonic phrases of their cryptocurrency wallets, cryptocurrency exchange passwords, documents, and 2FA codes.
 

Source Rating

  • The actor joined the forum in Oct 2020 and has a moderate reputation.
  • The actor has posted only one thread, which is the above-mentioned phishing project advertisement.
  • The actor also has a 0.001100 BTC deposit on the forum, which indicates their confidence in this project.
Hence,
  • The reliability of the actor can be rated Fairly reliable (C).
  • The credibility of the advertisement can be rated Probably true (2).
  • This gives an overall source credibility rating of C2.
 

Impact & Mitigation

Impact

  • These phishing projects can be utilized by other threat actors to target specific users and steal their:
    • Passwords
    • Documents
    • Crypto wallets
    • Other sensitive information

Mitigation

  • Avoid downloading suspicious documents from unknown sources.
  • Avoid clicking on suspicious links.
  • Enable the visibility of file extensions, and be wary of downloading files with unknown file extensions.
  • Update all systems and applications with the latest patches and updates.
  • Ensure the usage of MFA.
  • Use up-to-date antivirus and anomaly detection tools.
  • Use updated EDR solutions for network monitoring.
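The lures sold in this kit work by pointing a LastPass or Evernote user at a login page on a host the actor controls. One defensive check that follows from the mitigation "avoid clicking on suspicious links" is an allow-list comparison: if a link mentions one of the two brands anywhere but its actual host is not the brand's own domain, the link is flagged for review. The script below is an added example written for this advisory, not code from CloudSEK or from the actor's kit. It assumes the official apex domains lastpass.com and evernote.com are the only legitimate hosts; the sample email text and its hostnames are constructed placeholders, not indicators from the post.

```python
import re
from urllib.parse import urlparse

# Added example, not part of the CloudSEK advisory. Assumption: the official
# apex domains for the two brands named in the post; extend this map with any
# SSO or CDN hosts your organisation legitimately uses.
LEGIT_DOMAINS = {
    "lastpass": ("lastpass.com",),
    "evernote": ("evernote.com",),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_matches(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def classify_link(url):
    """Return 'legit', 'suspicious' or 'unrelated' for a single URL.

    A link is 'suspicious' when a brand name appears anywhere in the URL
    (including the userinfo part before '@', which browsers ignore) but the
    actual host is not the brand's legitimate domain or a subdomain of it.
    """
    parts = urlparse(url)
    host = (parts.hostname or "").lower().rstrip(".")
    # netloc keeps userinfo and port, so "lastpass.com@evil.example" is caught.
    haystack = (parts.netloc + parts.path + parts.query).lower()
    brands = [b for b in LEGIT_DOMAINS if b in haystack]
    if not brands:
        return "unrelated"
    if any(host_matches(host, d) for b in brands for d in LEGIT_DOMAINS[b]):
        return "legit"
    return "suspicious"


def scan_message(text):
    """Extract every http(s) link from a message body and classify it."""
    results = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)")  # drop trailing punctuation
        results.append((url, classify_link(url)))
    return results


# Constructed sample lure; the hosts below are placeholders, not real IoCs.
SAMPLE_EMAIL = """\
Your LastPass vault will be locked in 24 hours.
Confirm your identity: https://lastpass.com.account-verify.example/login
Or sign in normally at https://lastpass.com/ to review recent activity.
Evernote sync issue? https://lastpass.com@evernote-secure.example/signin.
"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_EMAIL):
        print(f"{verdict:10s} {url}")
```

The check deliberately looks at the whole network location rather than only the parsed hostname, because a URL of the form `https://lastpass.com@evil.example/` shows the brand to a reader while the browser connects to `evil.example`. Because the kit captures 2FA codes along with passwords, a one-time code entered on such a page is simply relayed; origin-bound authenticators (FIDO2/WebAuthn) do not produce a valid response for a lookalike host, which is the form of MFA this advisory's "Ensure the usage of MFA" item protects against best.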
 

Appendix

English translation of the threat actor’s post on the cybercrime forum
