A cybercriminal group has managed to leverage email alerts, sent to notify users of an available update, in order to infect databases with malware.

The software update feature of the Passwordstate password manager was compromised to attack enterprise users of the solution. The supply chain attack also successfully targeted account holders with malware known as Moserpass at various points between April 20 and April 22.

Anyone who attempted to apply an update using the In-Place Upgrade mechanism was potentially in receipt of a malicious downloaded file titled Passwordstate_upgrade.zip.

If the file was installed, it kicked off a chain of events that activated Moserpass, which then gathered information from any linked device or network along with password data from the Passwordstate app. The malware also had a loader feature that could allow other malware strains to be downloaded onto victims’ devices. Because passwords may have been stolen, affected users have been warned to change all of their passwords.

While the cyberattack was mitigated in less than 30 hours, users received a request from Click Studios, the developer of the password app, to apply a hotfix to remove the malware from their systems. Sadly, having discovered the requests being shared via social media platforms, the hackers sent an identical email as part of a phishing campaign, providing a link to a website that they controlled. Instead of a fix to remove the Moserpass malware, an updated version of Moserpass was served to anyone unfortunate enough to fall for the scam.

The emails were, naturally enough, extremely realistic, and recipients who followed the instructions would likely think they were removing malware when they were actually downloading it. The fake emails do not include a domain suffix used by Click Studios, request that the hotfix be installed from a subdomain, and claim an ‘urgent’ update is necessary to fix a bug, but it is easy to see how these messages could trick end users.
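As an added illustration of the three tells described above (this is not code from the original article or from Click Studios), the Python script below flags a message whose sender address or embedded links fall outside the expected vendor domain, or whose subject or body uses urgency wording. The vendor domain and both sample emails are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Hypothetical legitimate vendor domain: the article does not name the real one.
VENDOR_DOMAIN = "vendor.example"
URGENCY_TERMS = ("urgent", "immediately", "act now")

# Constructed samples: a fake hotfix notice with the traits the article lists, and a genuine one.
FAKE_EMAIL = """\
From: Click Studios Support <support@vendor-support.example>
Subject: URGENT: Passwordstate hotfix required

Please install the hotfix immediately from
https://hotfix.vendor-support.example/Passwordstate_hotfix.zip
"""
GENUINE_EMAIL = """\
From: Click Studios Support <support@vendor.example>
Subject: Passwordstate hotfix available

A hotfix is available from
https://www.vendor.example/Passwordstate_hotfix.zip
"""

def _host_in_domain(host, domain):
    """True if host is the vendor domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def _body_text(msg):
    # Collect every text/plain part (handles both single-part and multipart messages).
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in parts if p.get_content_type() == "text/plain")

def phishing_indicators(raw, vendor_domain=VENDOR_DOMAIN):
    """Return the reasons a message does not look like a genuine vendor notice (empty if none)."""
    msg = message_from_string(raw)
    body = _body_text(msg)
    findings = []
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender = m.group(1).lower() if m else ""
    if not _host_in_domain(sender, vendor_domain):
        findings.append(f"sender domain {sender!r} is not under {vendor_domain}")
    for url in re.findall(r"https?://\S+", body):
        host = (urlparse(url).hostname or "").lower()  # a look-alike subdomain fails this check
        if not _host_in_domain(host, vendor_domain):
            findings.append(f"link host {host!r} is not under {vendor_domain}")
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings
```

Running `phishing_indicators(FAKE_EMAIL)` yields three findings, while the genuine sample yields none; in practice this sits behind, not in place of, a mail gateway's own link and sender checks.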

Click Studios provided password management services for approximately 29,000 companies, and the solution has hundreds of thousands of users, many of whom will have heard of the breach and be worried about a malware infection. Click Studios said only a very small number of its customers were affected and had the malware installed – those who downloaded the update in the 28-hour period between April 20 and April 22 – but anyone receiving the fake email could well have been convinced that it was genuine and run the download as directed.

It is a common tactic of cybercriminals to leverage fake security warnings to conduct attacks, and data breach notifications are perfect for use in phishing campaigns. This Passwordstate breach notification phishing campaign shows how crucial it is to double-check every message for any indication of phishing, even if the email content appears authentic and includes what look like the proper logos, and it also shows the dangers of posting copies of genuine breach notification letters on social media networks.

Many phishing attacks are complex by nature, and it can be tricky for email recipients to tell what is genuine from what is malicious. This is why your organization requires an advanced spam and phishing security solution. If you want the best defenses against phishing, contact TitanHQ now and see how SpamTitan Email Security can enhance your security and keep your organization safe from phishing and other email-based attacks.