YOU HEARD IT HERE FIRST: LogMeIn.com data breach!
I am now almost certain that LogMeIn.com has suffered a data breach. How do I know? You can read about it here…
A spam more than 13½ years in the making
The actual trigger phishing email is pasted below. If you have ever had an account with LogMeIn.com, you should expect to get this email soon (if you have not gotten it already). Any other information that you’ve ever given to LogMeIn.com is also now potentially compromised.
This is particularly distressing because the LogMeIn.com service allows people to remotely control your computer. Yikes. If you have LogMeIn installed, then the prudent thing to do is to remove it until we get more details on the extent of the problem.
Could there be any connection to the (very recent, very sudden) announcement that LogMeIn.com was immediately stopping their popular free service offerings? We’ll see…
In other disturbing news: it looks like eFax.com does not have an SPF record, which could have mitigated this phishing attack. Come on guys, there is no excuse for this and it makes you look really bad. One caveat: SPF is checked against the envelope sender (the SMTP MAIL FROM), not the From: header the recipient sees. The headers posted in the comments below show an envelope sender of webmaster@preplavby.cz, which passed SPF at Google while the From: header claimed inbound.efax.com. To let receivers reject a message like this, efax.com would also need a DMARC policy, which requires the SPF- or DKIM-authenticated domain to align with the From: domain.
Subject: eFax message from 16023994730 - 1 page(s), Caller-ID: 602-399-4730
From: eFax.com <messages@inbound.efax.com>

Fax Message [Caller-ID: 602-399-4730]
You have received a 1 page fax at 2014-01-27 05:45:50 CDT.
* The reference number for this fax is min1_did13-1329191075-6023994730-49.
View this fax online, on our website : http://www.efax.com/fax/fax_view.aspx?fax_id=XXXXXXXXXXX
Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
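The SPF point is worth checking mechanically, because SPF is evaluated against the envelope sender (reported as smtp.mail in Authentication-Results), not the From: header a user sees. The following is an added example, not code from this post: it parses an Authentication-Results header and applies DMARC-style identifier alignment against the From: domain. PHISH_HEADERS is built from the header block a commenter posted further down this page, trimmed to the relevant fields, with the elided Return-Path and To values filled in as assumed placeholders; LEGIT_HEADERS is a hypothetical counter-example showing what an aligned message would look like. org_domain is a deliberately simplified stand-in for the public suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the authentication headers from the message posted in
# the comments on this page, trimmed to the fields that matter. The elided
# Return-Path and To values are filled in with assumed placeholders.
PHISH_HEADERS = """\
Return-Path: <webmaster@preplavby.cz>
Received-SPF: pass (google.com: domain of webmaster@preplavby.cz designates 46.234.99.9 as permitted sender) client-ip=46.234.99.9;
Authentication-Results: mx.google.com;
    spf=pass (google.com: domain of webmaster@preplavby.cz designates 46.234.99.9 as permitted sender) smtp.mail=webmaster@preplavby.cz;
    dkim=neutral (bad format) header.i=@inbound.efax.com
To: victim@example.com
From: eFax.com <messages@inbound.efax.com>
Reply-To: messages@inbound.efax.com
Subject: eFax message from 16023994730 - 1 page(s), Caller-ID: 602-399-4730

(body omitted)
"""

# Constructed, hypothetical counter-example: a notification whose envelope
# sender is in the same organizational domain as the From: header.
LEGIT_HEADERS = """\
Return-Path: <messages@inbound.efax.com>
Authentication-Results: mx.example.net;
    spf=pass (example.net: domain of messages@inbound.efax.com designates 192.0.2.10 as permitted sender) smtp.mail=messages@inbound.efax.com;
    dkim=none
From: eFax.com <messages@inbound.efax.com>
Subject: eFax message

(body omitted)
"""

COMMENT_RE = re.compile(r"\([^()]*\)")  # RFC 5322 comments in parentheses


def org_domain(domain):
    """Organizational domain for relaxed alignment. Simplified to the last
    two labels; a production check must consult the public suffix list."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(value):
    """Parse an Authentication-Results header (RFC 7001) into
    {method: (result, {property: value})}. Comments are dropped."""
    results = {}
    clauses = value.split(";")[1:]  # clause 0 is the authserv-id
    for clause in clauses:
        clause = COMMENT_RE.sub("", clause).strip()
        if not clause:
            continue
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        results[method.lower()] = (result.lower(), props)
    return results


def dmarc_alignment(raw):
    """DMARC-style evaluation: SPF counts only if it passed AND its domain
    aligns with the From: domain; likewise DKIM. Neither aligned -> fail."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ar = parse_auth_results(msg.get("Authentication-Results", ""))

    spf_result, spf_props = ar.get("spf", ("none", {}))
    spf_domain = spf_props.get("smtp.mail", "").rpartition("@")[2].lower()
    dkim_result, dkim_props = ar.get("dkim", ("none", {}))
    dkim_domain = dkim_props.get("header.i", "").rpartition("@")[2].lower()

    spf_aligned = (spf_result == "pass" and bool(spf_domain)
                   and org_domain(spf_domain) == org_domain(from_domain))
    dkim_aligned = (dkim_result == "pass" and bool(dkim_domain)
                    and org_domain(dkim_domain) == org_domain(from_domain))
    return {
        "from_domain": from_domain,
        "spf": (spf_result, spf_domain, spf_aligned),
        "dkim": (dkim_result, dkim_domain, dkim_aligned),
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    for label, hdrs in (("phish", PHISH_HEADERS), ("legit", LEGIT_HEADERS)):
        print(label, dmarc_alignment(hdrs))
```

Run against the posted headers, the phish shows spf=pass for preplavby.cz, which does not align with inbound.efax.com, and a DKIM signature that could not even be parsed, so DMARC would fail; the bogus DKIM-Signature headers the spammer added are decoration, not authentication. The same check passes for the hypothetical aligned message.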
I can confirm this, as I have gotten this email today, too. I got here by searching for '02-399-4730' in Google.
I assume you signed up with LogMeIn.com at some point?
Yeah, I created my account with them on Oct. 27, 2010. I didn’t use it for very long though, as I switched to teamviewer after a while.
My last login with them was on Jan. 24th, 2011.
Here’s some more information on the mail headers I’ve received:
http://pastebin.com/raw.php?i=wu3xSb3Y
It seems that 91.205.75.46 has a running webserver, with some kind of admin panel. It’s probably some newsletter system.
Turns out that the headers are irrelevant. I have now seen this spam addressed to multiple LogMeIn email addresses from multiple compromised servers from around the globe.
I was curious, I got the email. I opened up the zip program to see what it was about to unzip, and it looked like it wanted to run an MS-DOS shortcut. So I jetted that puppy when I saw that. Gmail was very good about warning me that eFax does not usually zip anything up. lol!
I can confirm this, as I’ve gotten this email from the same number (602-399-4730) today, too. I found your site by searching on Google.
Thanks for notifying!
I got this today too, and have been a member of LogMeIn since October of ’09.
Wow, 400+ visits to this post in the last hour just from people google searching on the phone number the alleged fax is from!
Received this email as well. I used to be a client of LogMeIn... thanks for the info, almost opened it!
Same here. Googled phone number and here I am. I have 2 LogMeIn Central accounts and seems I only got the email on one of them.
Don't worry, the other email is on the way! The attack looks like it started on about 1/23/2014 and (based on my small sample) is about halfway through all the addresses. LMK when you get the other!
I just received it today. I also have a LogMeIn account, but I also have an efax.com account, so this message looked legit. I didn't click on the link because the hyperlink showed a completely foreign address, and also when a fax comes through efax.com it has the attachment in the email, not just a link to the attachment. Does anyone know what the .zip file is (virus, remote control, malware) when you click on that extension???
The linked ZIP file contains a file called efax_6023994730 which appears to be a standard virus built with the Zeus toolkit. Nothing new or fancy, but still very obnoxious and dangerous. You do not want to run this.
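An added example, not code from this post or from any commenter: a triage routine that inspects a ZIP attachment like the one described above without extracting it to disk, flagging executable and shortcut extensions, the document.pdf.lnk double-extension trick, PE and Windows shortcut magic bytes, encrypted members and decompression-bomb ratios. The sample archive, its member names and their bytes are constructed for the example; the real lure's contents are only what the comment above describes.

```python
import io
import os
import zipfile

# Windows .lnk files start with HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046; PE executables start with "MZ".
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
MZ_MAGIC = b"MZ"

EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".lnk",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".jar"}
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt",
                  ".jpg", ".png", ".tif"}


def build_sample_zip():
    """Constructed sample archive shaped like the lure: one 'efax_<number>'
    entry that is really a shortcut, plus a harmless text file. The names
    and bytes are assumptions for illustration, not the real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:  # default ZIP_STORED: no compression
        z.writestr("efax_6023994730.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        z.writestr("cover_page.txt", b"constructed placeholder text")
    return buf.getvalue()


def member_findings(z, info):
    """Reasons one archive member looks dangerous; empty list if none."""
    reasons = []
    name = info.filename
    lower = name.lower()
    if name.startswith("/") or ".." in name.split("/"):
        reasons.append("path_traversal")
    if info.flag_bits & 0x1:
        reasons.append("encrypted")  # scanners cannot look inside; stop here
        return reasons
    stem, ext = os.path.splitext(lower)
    if ext in EXEC_EXTENSIONS:
        reasons.append("executable_extension:" + ext)
    if os.path.splitext(stem)[1] in DOC_EXTENSIONS:
        reasons.append("double_extension")  # e.g. invoice.pdf.lnk
    with z.open(info) as fh:
        head = fh.read(len(LNK_MAGIC))  # only the header, never the whole file
    if head.startswith(MZ_MAGIC):
        reasons.append("pe_magic")
    if head.startswith(LNK_MAGIC):
        reasons.append("lnk_magic")
    if info.compress_size and info.file_size / info.compress_size > 100:
        reasons.append("suspicious_ratio")  # possible decompression bomb
    return reasons


def triage_zip(data, max_members=50):
    """Return {member_name: [reasons]} for every file entry in the archive
    bytes, reading from memory only."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        infos = z.infolist()
        if len(infos) > max_members:
            report["<archive>"] = ["too_many_members"]
        for info in infos:
            if info.is_dir():
                continue
            report[info.filename] = member_findings(z, info)
    return report


def is_suspicious(data):
    return any(reasons for reasons in triage_zip(data).values())


if __name__ == "__main__":
    for name, reasons in triage_zip(build_sample_zip()).items():
        print(f"{name}: {', '.join(reasons) or 'clean'}")
```

The check reads only the central directory and the first 20 bytes of each member, so it is safe to run on hostile archives; anything flagged should go to a sandbox, not a desktop.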
Yup, I got one too, to an LMI-specific email address. When I went to comment the thing out of my aliases file, I spotted a note I’d left by the previous address I’d given them — this has happened before in December 2012. Fool me twice, shame on me.
I just received this email today and I used my phone to open the website. I use Log Me In regularly.
Delivered-To: xxxxx
Received: by 10.60.149.227 with SMTP id ud3csp112627oeb;
Mon, 27 Jan 2014 04:38:41 -0800 (PST)
X-Received: by 10.14.179.73 with SMTP id g49mr20431587eem.71.1390826320909;
Mon, 27 Jan 2014 04:38:40 -0800 (PST)
Return-Path:
Received: from slevy.itechtrade.cz (slevy1.itechtrade.cz. [46.234.99.9])
by mx.google.com with ESMTP id w2si12952164eeg.49.2014.01.27.04.38.40
for ;
Mon, 27 Jan 2014 04:38:40 -0800 (PST)
Received-SPF: pass (google.com: domain of webmaster@preplavby.cz designates 46.234.99.9 as permitted sender) client-ip=46.234.99.9;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of webmaster@preplavby.cz designates 46.234.99.9 as permitted sender) smtp.mail=webmaster@preplavby.cz;
dkim=neutral (bad format) header.i=@inbound.efax.com
Received: from localhost (localhost [127.0.0.1])
by slevy.itechtrade.cz (Postfix) with ESMTP id 2FA852D3D8E
for ; Mon, 27 Jan 2014 13:38:40 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=inbound.efax.com;
s=mail; t=1390826320;
bh=bwEqyuHfSIuQj0DCpplhiLeN2m/0eUtyuiT1U5JRmSg=;
h=To:Subject:From:Reply-To:MIME-Version:Content-Type:
Content-Transfer-Encoding:Message-Id:Date;
b=TBPdHbLb2S9gNLoYENiZGOcHnNS7ZHRsy0Mu+/1B/c/sjYhOw4X9pkPn9coNyckig
zymPzgT26oRDYcDkwO+IBG/UM/oXvNI3qUEFoemaYcNx7yjzXBwgMbYKar5FJsm7YC
04Cai3zdtGC7BE/dRvYNANaCanVeMz0LQUvHuaMw=
X-Virus-Scanned: Debian amavisd-new at slevy1.itechtrade.cz
X-Amavis-Alert: BAD HEADER SECTION, Improper use of control character (char 0D
hex): From: eFax.com \r
Received: from slevy.itechtrade.cz ([127.0.0.1])
by localhost (slevy.itechtrade.cz [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 23kHOu2-hTq6 for ;
Mon, 27 Jan 2014 13:38:40 +0100 (CET)
Received: by slevy.itechtrade.cz (Postfix, from userid 5159)
id 86BAF2D304E; Mon, 27 Jan 2014 13:37:31 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=inbound.efax.com;
s=mail; t=1390826285;
bh=YpfVBeGGcZykH47m+c7KT3OGGIgk/NXr2wReTzdlBu0=;
h=To:Subject:From:Reply-To:MIME-Version:Content-Type:
Content-Transfer-Encoding:Message-Id:Date;
b=m0Wnq4qBYx0VPtVLXbiSQh5seJn95QthUSSBnsLNW2XYfLv3HlkCSkSUvwuiMkU5y
NM/PdHIbnEuDAlWv+RmaoljkEv1nim1uVa0wjuCpar6JhKt8OhjRhTLXLZk2tm4v2E
O428oWMyXWLiRIunwxTFC7U7xo+QnZNXHZ8oVqSA=
To: xxxxx
Subject: eFax message from 16023994730 – 1 page(s), Caller-ID: 602-399-4730
X-PHP-Originating-Script: 5159:sendme.php(3) : eval()’d code
From: eFax.com
Reply-To: messages@inbound.efax.com
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id:
Date: Mon, 27 Jan 2014 13:37:31 +0100 (CET)
Fax Message [Caller-ID: 602-399-4730]
You have received a 1 page fax at 2014-01-27 05:45:20 CDT.
* The reference number for this fax is min1_did13-1329191075-6023994730-49.
View this fax online, on our website : http://www.efax.com/fax/fax_view.aspx?fax_id=6023994730
Please visit http://www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
I am also a past user of LogMeIn.com and received that exact email yesterday. It says it was sent Monday, 1/27/2014, 10:55 AM, but I did not get the email until Thursday, 1/30/2014 around 1 PM. I googled 602-399-4730 and I found my way here. I am ensuring that LogMeIn is no longer installed on this computer, as I no longer use that service. Thank you everyone who posted.
This isn’t anything new: http://community.logmeinrescue.com/t5/Miscellaneous-Offtopic/LogMeIn-leaked-my-email-address/m-p/88548
Thanks for the link!
Yep, I got my first LogMeIn-caused spam on 12/17/2012, but it was only to a single address that I gave them in 2004. I gave LogMeIn the benefit of the doubt on this one. Potentially the address could have been leaked via their "Click2Share" service, since that was the only address I had ever used with that service. I also considered the possibility that the address was leaked when they did a survey using SurveyMonkey on 12/1/2005. Either of these cases would only be a leak (and still show bad judgement), but not as harmful as a data breach.
This new wave hit *all* of my LogMeIn-disclosed addresses, including ones that I registered within the last year and ones that had never been used for anything except logging into the website, so it could potentially be a breach at a deeper level.
I'd be curious if anyone who got spammed in the 2012 wave had either used the Click2Share service, or had registered prior to the SurveyMonkey event in 2005.
I was searching "logmein selling email addresses" since that's what I assumed was afoot here. I've received 7 emails to an account that has only been used for LMI since my LMI account existed, all starting with BREAKING NEWS: and some random (make money, enhance, etc.) ending. I'm wondering if this is the final FU to all the free users. Although it could be that their DB was compromised as well, I suppose. Either way, bad on LMI and good on my signup scheme to use a specific address for each signup so I can tell who is getting compromised.
I wholeheartedly believe this shady company is capable of selling the addresses or even giving them away to spite all of us who have called them out on their scamming billing practices. FU LMI ! I hope your next public offering is a “will work for food” sign.
He11 yeah, what ^scroo lmi said^ !!