Phishers Target Users Affected by the Passwordstate Hack

Last week, cybersecurity experts reported that the Australian company Click Studios had notified its customers of a hack. Now phishers are targeting users of the company’s Passwordstate password manager.

Passwordstate is a local password management solution that, according to official developer statistics, is used by over 370,000 information security and IT professionals in 29,000 companies around the world.

The letter received by all Passwordstate client companies stated that the incident occurred between April 20 and 22, 2021. The company suffered a supply chain attack: attackers distributed a malicious update to Passwordstate users and eventually infected their machines with Moserware malware.

Unfortunately, this malware managed to transfer the following user data to the criminals’ server: computer name, username, domain name, current process name, current process ID, name and ID of all running processes, names of all running services, display name and status, Passwordstate’s proxy server address, username and password.

In other words, the Passwordstate password store was compromised. The developers wrote that the password table usually contains a header, username, description, GenericField1, GenericField2, GenericField3, notes, URL and the password itself.

Since reporting the incident, Click Studios has been assisting victims by email, helping customers with patches designed to remove the malware from their systems. Because these letters from Click Studios could be found on social networks, cybercriminals did not hesitate to take advantage of them.

The hackers created phishing copies of Click Studios’ messages and started sending them to some affected clients, thereby spreading the Moserpass malware.

“Apparently, attackers are actively monitoring social networks in search of any information about hacking and exploitation. It is important that customers do not post information on social networks that could be used by hackers. This is exactly what happened before the advent of phishing emails that copy the contents of Click Studios emails. If you are not sure that the letter came from us, send it to the technical support service as an attachment,” the company representatives warn in a new message.

According to Click Studios, the phishing attack relies on clients downloading a modified patch file from a CDN not controlled by Click Studios (which now appears to be disabled).

Initial analysis by the company reveals that it is a recently modified version of the malicious Moserware.dll, which attempts to use an alternate site to retrieve the payload when downloaded. Click Studios is still analysing this payload file.

Let me remind you that we previously wrote that a hacked Oxford server was used for phishing attacks on Office 365, and that attackers could exploit vulnerabilities in Alexa and Google Home to phish and spy on their users.


Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
