Phishers Target Users Affected by the Passwordstate Hack
Last week, cybersecurity experts reported that the Australian company Click Studios notified its customers of the hack, and now phishers target users of the company’s Passwordstate password manager.
Passwordstate is a local password management solution that, according to official developer statistics, is used by over 370,000 information security and IT professionals in 29,000 companies around the world.
The letter received by all Passwordstate client companies stated that the incident occurred between April 20 and 22, 2021. The company suffered from a supply chain attack: attackers distributed a malicious update to Passwordstate users and eventually infected their machines with Moserware malware.
Unfortunately, this malware managed to transfer the following user data to the criminals’ server: computer name, username, domain name, current process name, current process ID, name and ID of all running processes, names of all running services, display name and status, Passwordstate’s proxy server address, username and password.
That is, the Passwordstate password store was compromised, and the developers wrote that usually the password table contains a header, username, description, GenericField1, GenericField2, GenericField3, notes, URL and the password itself.
After reporting the incident, Click Studios has been providing assistance to victims by mail, helping customers with patches designed to remove malware from their systems. Since these letters from Click Studios could be found on social networks, cybercriminals did not hesitate to take advantage of them.
The hackers created phishing copies of Click Studios’ messages and started sending them to some affected clients, thus promoting the Moserpass malware.
“Apparently, attackers are actively monitoring social networks in search of any information about hacking and exploitation. It is important that customers do not post information on social networks that could be used by hackers. This is exactly what happened before the advent of phishing emails that copy the contents of Click Studios emails. If you are not sure that the letter came from us, send it to the technical support service as an attachment,” the company representatives warn in a new message.
According to Click Studios, the phishing attack relies on clients downloading a modified Moserware.zip patch file from a CDN not controlled by Click Studios (which now appears to be disabled).
Initial analysis by the company reveals that it is a recently modified version of the malicious Moserware.dll, which attempts to use an alternate site to retrieve a payload when downloaded. Click Studios is still analysing this payload file.
Let me remind you that we wrote that a hacked Oxford server was used for phishing attacks on Office 365, and that attackers could exploit the vulnerabilities of Alexa and Google Home for phishing and spying on their users.