LastPass has boosted security for its users after a security researcher alerted the company of a phishing attack he devised to steal users’ login and two-factor authentication credentials.
Sean Cassidy, CTO of Praesidio, demonstrated the phishing attack, which he calls “LostPass,” last week at ShmooCon.
LostPass works like this: Users are lured to a malicious website, where a bogus LastPass notification is displayed. It deceives users into believing they have been logged out of the service and asks them to log in again.
When users enter their master password (and their two-factor authentication code, if they have 2FA turned on), the fraudster captures the data and can take control of the account.
“We think this is a very serious problem for two main reasons,” said Praesidio CEO Edgardo Nazario.
“First, LastPass is a very popular password manager,” he told TechNewsWorld. “Second, the phishing attack we uncovered is fairly simple to implement and execute.”
Once an account has been compromised, Nazario said, an attacker can download all of a user’s information.
Moreover, the intruder can create a backdoor into the account through LastPass’s emergency contact feature, as well as disable two-factor authentication and add to the account a trusted device that belongs to the attacker, he noted.
After consulting with Cassidy, LastPass made a number of changes to foil anyone trying to duplicate his work in the wild, among them changing its verification requirements when an account is being accessed from a new location or device.
Now email verification is the default for all users, including those with two-factor authentication activated. So if fraudsters do steal a user’s credentials, they would still need to access the user’s email account to complete the login process.
“By requiring verification for unknown locations or devices, we’ve ensured users are protected from this attack,” LastPass Marketing Manager Amber Gott Steel told TechNewsWorld.
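The control described above, correct credentials alone no longer open a session from an unfamiliar device or location, can be expressed as a small login state machine. The following is an added example written for this article, not LastPass's code: the account record, the device fingerprint (user agent plus client IP, a deliberately coarse stand-in for a device cookie), the 15-minute token lifetime and the sample e-mail addresses and IPs are all assumptions, and the password and 2FA checks are assumed to happen upstream and arrive as booleans.

```python
"""Added example (not LastPass's code): a login flow that, even after the
password and 2FA code check out, refuses to open a session from a device or
location the account has never seen until a one-time token e-mailed to the
account owner is redeemed from that same device."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: verification links expire after 15 minutes


@dataclass
class Account:
    email: str
    known_devices: set = field(default_factory=set)  # fingerprints that passed e-mail verification
    pending: dict = field(default_factory=dict)      # token -> (fingerprint, expiry timestamp)


def device_fingerprint(user_agent: str, client_ip: str) -> str:
    """Coarse 'have we seen this device/location before' key. A real deployment
    would add a long-lived device cookie; UA + IP is enough to show the flow."""
    return hashlib.sha256(f"{user_agent}|{client_ip}".encode()).hexdigest()


class LoginService:
    def __init__(self, now=time.time):
        self.accounts = {}
        self.sessions = {}   # session id -> email
        self.outbox = []     # constructed stand-in for an e-mail sender
        self.now = now       # injectable clock so expiry can be tested

    def register(self, email, user_agent, client_ip):
        acct = Account(email, known_devices={device_fingerprint(user_agent, client_ip)})
        self.accounts[email] = acct
        return acct

    def login(self, email, password_ok, otp_ok, user_agent, client_ip):
        """password_ok / otp_ok are the results of the upstream credential checks.
        Correct credentials are necessary but not sufficient: from an unknown
        device they only earn an e-mail challenge, never a session."""
        acct = self.accounts.get(email)
        if acct is None or not password_ok or not otp_ok:
            return {"status": "denied"}
        fp = device_fingerprint(user_agent, client_ip)
        if fp in acct.known_devices:
            return {"status": "ok", "session": self._open_session(email)}
        token = secrets.token_urlsafe(32)
        acct.pending[token] = (fp, self.now() + TOKEN_TTL_SECONDS)
        self.outbox.append({"to": email, "token": token})
        return {"status": "email_verification_required"}

    def verify_email(self, email, token, user_agent, client_ip):
        """Redeem the e-mailed token. It is single-use (popped on first attempt,
        so a mismatched attempt also burns it), time-limited, and bound to the
        fingerprint that triggered it, so it cannot be redeemed from elsewhere."""
        acct = self.accounts.get(email)
        if acct is None:
            return {"status": "denied"}
        entry = acct.pending.pop(token, None)
        if entry is None:
            return {"status": "denied"}
        fp, expires = entry
        if self.now() > expires or fp != device_fingerprint(user_agent, client_ip):
            return {"status": "denied"}
        acct.known_devices.add(fp)
        return {"status": "ok", "session": self._open_session(email)}

    def _open_session(self, email):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = email
        return sid


def demo():
    """Walk the three cases the article describes; all values are constructed."""
    svc = LoginService()
    svc.register("victim@example.test", "Firefox/44", "203.0.113.10")
    # Owner on the device that was verified at registration: password + OTP suffice.
    home = svc.login("victim@example.test", True, True, "Firefox/44", "203.0.113.10")
    # Same correct credentials presented from a device the account has never seen
    # (the phished-credential case): the caller gets a challenge, not a session.
    elsewhere = svc.login("victim@example.test", True, True, "curl/7.47", "198.51.100.7")
    # The token went to the owner's mailbox; redeeming it from yet another device fails.
    token = svc.outbox[-1]["token"]
    mismatched = svc.verify_email("victim@example.test", token, "Safari/9", "192.0.2.5")
    return home["status"], elsewhere["status"], mismatched["status"], len(svc.sessions)


if __name__ == "__main__":
    print(demo())
```

The design point is that the e-mail step is bound to the login attempt that triggered it: the token is tied to the requesting device's fingerprint, expires quickly, and is consumed on first use, so holding a valid master password and a valid one-time code still yields nothing without access to the mailbox and the same device.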
Broadly speaking, the LastPass phishing scheme is a familiar one.
“This is essentially like any phishing attack on a bank or other Web service,” said Andrew Sudbury, co-founder and CTO of Abine. “You show people a fake login screen and get them to log in.”
However, what makes this a little more difficult for users is that the login screen appears on top of a Web page and doesn’t display a URL, “so it’s not as easy to tell if there’s something fishy about it,” he told TechNewsWorld.
“Anything that tries to do authentication on top of a Web page is more vulnerable because it’s harder to tell if it’s coming from the right site,” Sudbury added.
Although Cassidy chose LastPass to demonstrate his phishing attack, it could be modified easily to compromise users of other sites.
“In theory, every Web-based application can be the target of a similar attack, including other password managers,” said Giovanni Vigna, co-founder and CTO of Lastline.
“As Web applications become more secure, cybercriminals switch their focus from hacking the application to hacking the user,” he told TechNewsWorld.
Users who might fall victim to a LastPass attack are “sophisticated enough to use a password manager, but also not paranoid enough to catch the fake websites you must visit to fall into the LostPass trap,” noted Jonathan Sander, vice president of product strategy for Lieberman Software.
Users should pay attention to where requests for sensitive information are coming from, Lastline’s Vigna cautioned.
“Every time a browser requests security-critical information, the user should clearly determine the provenance of such a request. If provenance cannot clearly be determined, then the information should not be provided,” he said.
“Of course, this is difficult to achieve, as we are always rushing through pages, prompts and pop-up boxes,” Vigna added.
The LastPass attack is an example of the expanding security risk Web browsers pose to consumers, Lieberman’s Sander told TechNewsWorld.
“The same flexibility that’s making the Internet grow is also creating risk,” he said.
“People love that they can do more and more in their browsers,” Sander observed, “but browser-based everything means attackers can use the browser people are so accustomed to as a way to fool them.”