YOU HEARD IT HERE FIRST: LogMeIn.com data breach!

I am now almost certain that LogMeIn.com has suffered a data breach. How do I know? You can read about it here…

A spam more than 13½ years in the making

The actual trigger phishing email is pasted below. If you have ever had an account with LogMeIn.com, you should expect to get this email soon (if you have not gotten it already). Any other information that you’ve ever given to LogMeIn.com is also now potentially compromised.

This is particularly distressing because the LogMeIn.com service allows people to remotely control your computer. Yikes. If you have LogMeIn installed, then the prudent thing to do is to remove it until we get more details on the extent of the problem.

Could there be any connection to the (very recent, very sudden) announcement that LogMeIn.com was immediately stopping their popular free service offerings? We’ll see…

In other disturbing news, it looks like eFax.com does not have an SPF record, which could have mitigated this phishing attack. Come on guys, there is no excuse for this and it makes you look really bad.

Subject: eFax message from 16023994730 - 1 page(s), Caller-ID: 602-399-4730
From: eFax.com <messages@inbound.efax.com>

Fax Message [Caller-ID: 602-399-4730]

You have received a 1 page fax at 2014-01-27 05:45:50 CDT.

* The reference number for this fax is min1_did13-1329191075-6023994730-49.

View this fax online, on our website : http://www.efax.com/fax/fax_view.aspx?fax_id=XXXXXXXXXXX
Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!

23 comments

  1. Claudio

    I can confirm this, as I have gotten this email today, too. I got here by searching for ’02-399-4730′ in Google.

      • claudiodekker

        Yeah, I created my account with them on Oct. 27, 2010. I didn’t use it for very long though, as I switched to TeamViewer after a while.

        My last login with them was on Jan. 24th, 2011.

      • bigjosh2

        Turns out that the headers are irrelevant. I have now seen this spam addressed to multiple LogMeIn email addresses from multiple compromised servers from around the globe.

    • Rudy Hinojosa

      I was curious, I got the email. I opened up the zip program to see what it was about to unzip, and it looked like it wanted to run an MS-DOS shortcut. So I jetted that puppy when I saw that. Gmail was very good about warning me that eFax does not usually zip anything up. lol!

  2. claudiodekker

    I can confirm this, as I’ve gotten this email from the same number (602-399-4730) today, too. I found your site by searching on Google.

    Thanks for notifying!

  3. bostonIT

    Same here. Googled the phone number and here I am. I have 2 LogMeIn Central accounts and it seems I only got the email on one of them.

    • bigjosh2

      Don’t worry – the other email is on the way! The attack looks like it started on about 1/23/2014 and (based on my small sample) is about halfway through all the addresses. LMK when you get the other!

  4. GT

    I just received it today. I also have a LogMeIn account, but I also have an efax.com account, so this message looked legit. I didn’t click on the link because the hyperlink showed a completely foreign address, and also when a fax comes through efax.com it has the attachment in the email, not just a link to the attachment. Does anyone know what the .zip file is (virus, remote control, malware) when you click on that extension?

    • bigjosh2

      The linked ZIP file contains a file called efax_6023994730 which appears to be a standard virus built with the Zeus toolkit. Nothing new or fancy, but still very obnoxious and dangerous. You do not want to run this.

  5. Saladfork

    Yup, I got one too, to an LMI-specific email address. When I went to comment the thing out of my aliases file, I spotted a note I’d left by the previous address I’d given them — this has happened before in December 2012. Fool me twice, shame on me.

  6. Lex

    Delivered-To: xxxxx
    Received: by 10.60.149.227 with SMTP id ud3csp112627oeb;
    Mon, 27 Jan 2014 04:38:41 -0800 (PST)
    X-Received: by 10.14.179.73 with SMTP id g49mr20431587eem.71.1390826320909;
    Mon, 27 Jan 2014 04:38:40 -0800 (PST)
    Return-Path:
    Received: from slevy.itechtrade.cz (slevy1.itechtrade.cz. [46.234.99.9])
    by mx.google.com with ESMTP id w2si12952164eeg.49.2014.01.27.04.38.40
    for ;
    Mon, 27 Jan 2014 04:38:40 -0800 (PST)
    Received-SPF: pass (google.com: domain of webmaster@preplavby.cz designates 46.234.99.9 as permitted sender) client-ip=46.234.99.9;
    Authentication-Results: mx.google.com;
    spf=pass (google.com: domain of webmaster@preplavby.cz designates 46.234.99.9 as permitted sender) smtp.mail=webmaster@preplavby.cz;
    dkim=neutral (bad format) header.i=@inbound.efax.com
    Received: from localhost (localhost [127.0.0.1])
    by slevy.itechtrade.cz (Postfix) with ESMTP id 2FA852D3D8E
    for ; Mon, 27 Jan 2014 13:38:40 +0100 (CET)
    DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=inbound.efax.com;
    s=mail; t=1390826320;
    bh=bwEqyuHfSIuQj0DCpplhiLeN2m/0eUtyuiT1U5JRmSg=;
    h=To:Subject:From:Reply-To:MIME-Version:Content-Type:
    Content-Transfer-Encoding:Message-Id:Date;
    b=TBPdHbLb2S9gNLoYENiZGOcHnNS7ZHRsy0Mu+/1B/c/sjYhOw4X9pkPn9coNyckig
    zymPzgT26oRDYcDkwO+IBG/UM/oXvNI3qUEFoemaYcNx7yjzXBwgMbYKar5FJsm7YC
    04Cai3zdtGC7BE/dRvYNANaCanVeMz0LQUvHuaMw=
    X-Virus-Scanned: Debian amavisd-new at slevy1.itechtrade.cz
    X-Amavis-Alert: BAD HEADER SECTION, Improper use of control character (char 0D
    hex): From: eFax.com \r
    Received: from slevy.itechtrade.cz ([127.0.0.1])
    by localhost (slevy.itechtrade.cz [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 23kHOu2-hTq6 for ;
    Mon, 27 Jan 2014 13:38:40 +0100 (CET)
    Received: by slevy.itechtrade.cz (Postfix, from userid 5159)
    id 86BAF2D304E; Mon, 27 Jan 2014 13:37:31 +0100 (CET)
    DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=inbound.efax.com;
    s=mail; t=1390826285;
    bh=YpfVBeGGcZykH47m+c7KT3OGGIgk/NXr2wReTzdlBu0=;
    h=To:Subject:From:Reply-To:MIME-Version:Content-Type:
    Content-Transfer-Encoding:Message-Id:Date;
    b=m0Wnq4qBYx0VPtVLXbiSQh5seJn95QthUSSBnsLNW2XYfLv3HlkCSkSUvwuiMkU5y
    NM/PdHIbnEuDAlWv+RmaoljkEv1nim1uVa0wjuCpar6JhKt8OhjRhTLXLZk2tm4v2E
    O428oWMyXWLiRIunwxTFC7U7xo+QnZNXHZ8oVqSA=
    To: xxxxx
    Subject: eFax message from 16023994730 – 1 page(s), Caller-ID: 602-399-4730
    X-PHP-Originating-Script: 5159:sendme.php(3) : eval()’d code
    From: eFax.com
    Reply-To: messages@inbound.efax.com
    MIME-Version: 1.0
    Content-Type: text/html
    Content-Transfer-Encoding: 8bit
    Message-Id:
    Date: Mon, 27 Jan 2014 13:37:31 +0100 (CET)

    Fax Message [Caller-ID: 602-399-4730]

    You have received a 1 page fax at 2014-01-27 05:45:20 CDT.

    * The reference number for this fax is min1_did13-1329191075-6023994730-49.

    View this fax online, on our website : http://www.efax.com/fax/fax_view.aspx?fax_id=6023994730
    Please visit http://www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

    Thank you for using the eFax service!
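The Authentication-Results header in the thread above shows why an SPF record alone is not the whole defence: Google recorded spf=pass for the envelope sender webmaster@preplavby.cz, not for the visible From domain inbound.efax.com, and DKIM came back neutral. The check below is an added example, not code from the post or from eFax or LogMeIn; it runs a DMARC-style alignment test over a constructed header sample modelled on those headers (placeholder recipient, and a last-two-labels organizational domain is assumed in place of a public suffix list):

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers in the thread above: the
# envelope sender and SPF/DKIM verdicts are copied from them, the From
# address from the original post, and the recipient is a placeholder.
SAMPLE = """\
Return-Path: <webmaster@preplavby.cz>
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of webmaster@preplavby.cz designates 46.234.99.9 as permitted sender) smtp.mail=webmaster@preplavby.cz;
       dkim=neutral (bad format) header.i=@inbound.efax.com
From: eFax.com <messages@inbound.efax.com>
To: victim@example.invalid
Subject: eFax message from 16023994730 - 1 page(s), Caller-ID: 602-399-4730

(body omitted)
"""

def org_domain(domain):
    """Relaxed alignment: compare the registrable part. Last two labels is
    enough for the .com/.cz names on this page; real code uses a PSL."""
    return ".".join(domain.lower().strip().split(".")[-2:])

def dmarc_style_verdict(raw):
    """Return SPF/DKIM results and whether either one aligns with From:."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    # Unfold the Authentication-Results header(s) so the regexes see one line.
    ar = re.sub(r"\s+", " ", " ".join(msg.get_all("Authentication-Results", [])))
    spf = re.search(r"spf=(\w+).*?smtp\.mail(?:from)?=(?:[^@;\s]*@)?([^;\s]+)", ar)
    dkim = re.search(r"dkim=(\w+).*?header\.[id]=(?:[^@;\s]*@)?([^;\s]+)", ar)
    res = {"from_domain": from_domain,
           "spf_result": spf.group(1) if spf else "none",
           "spf_domain": spf.group(2) if spf else "",
           "dkim_result": dkim.group(1) if dkim else "none",
           "dkim_domain": dkim.group(2) if dkim else ""}
    # DMARC needs a *pass* whose domain aligns with the visible From domain;
    # an SPF pass for some other sender's domain counts for nothing.
    res["spf_aligned"] = res["spf_result"] == "pass" and bool(from_domain) and \
        org_domain(res["spf_domain"]) == org_domain(from_domain)
    res["dkim_aligned"] = res["dkim_result"] == "pass" and bool(from_domain) and \
        org_domain(res["dkim_domain"]) == org_domain(from_domain)
    res["verdict"] = "pass" if res["spf_aligned"] or res["dkim_aligned"] else "fail"
    return res

if __name__ == "__main__":
    for key, value in dmarc_style_verdict(SAMPLE).items():
        print(f"{key:13} {value}")
```

On the sample this reports spf_aligned and dkim_aligned both False and a verdict of fail, which is the outcome a receiver enforcing a DMARC reject policy for efax.com would act on.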

  7. Steven Showalter

    I am also a past user of LogMeIn.com and received that exact email yesterday. It says it was sent Monday, 1/27/2014, 10:55 AM, but I did not get the email until Thursday, 1/30/2014 around 1 PM. I googled 602-399-4730 and I found my way here. I am ensuring that LogMeIn is no longer installed on this computer, as I no longer use that service. Thank you everyone who posted.

    • bigjosh2

      Thanks for the link!

      Yep, I got my first LogMeIn-caused spam on 12/17/2012, but it was only to a single address that I gave them in 2004. I gave LogMeIn the benefit of the doubt on this one. Potentially the address could have been leaked via their “Click2Share” service, since that was the only address I had ever used with that service. I also considered the possibility that the address was leaked when they did a survey using SurveyMonkey on 12/1/2005. Either of these cases would only be a leak (and still show bad judgement), but not as harmful as a data breach.

      This new wave hit *all* of my LogMeIn-disclosed addresses, including ones that I registered within the last year and ones that had never been used for anything except logging into the website, so it could potentially be a breach at a deeper level.

      I’d be curious if anyone who got spammed in the 2012 wave had either used the Click2Share service, or had registered prior to the SurveyMonkey event in 2005.

  8. chris

    I was searching “logmein selling email addresses” since that’s what I assumed was afoot here. I’ve received 7 emails to an account that has only been used for LMI since my LMI account existed, all starting with BREAKING NEWS: and some random (make money, enhance, etc.) ending. I’m wondering if this is the final FU to all the free users. Although it could be that their DB was compromised as well, I suppose. Either way, bad on LMI and good on my signup scheme to use a specific address for each signup so I can tell who is getting compromised.

  9. scroo lmi

    I wholeheartedly believe this shady company is capable of selling the addresses or even giving them away to spite all of us who have called them out on their scamming billing practices. FU LMI ! I hope your next public offering is a “will work for food” sign.
