Generative Data Intelligence

LastPass Users Lose Master Passwords to Ultra-Convincing Scam

An ongoing, highly sophisticated phishing campaign may have led some LastPass users to give up their all-important master passwords to hackers.

Password managers store all of a user's passwords (for Instagram, their job, and everything in between) in one place, protected by a single "master" password. They free users from having to remember credentials for hundreds of accounts, and enable them to use complex, unique passwords for each account. On the other hand, if a threat actor gains access to the master password, they will have the keys to every account inside.

Enter CryptoChameleon, a new phishing kit of unparalleled realism.

CryptoChameleon attacks tend not to be all that widespread, but they succeed at a rate rarely seen elsewhere in the cybercrime world, "which is why we see this targeting enterprises and other very high-value targets," explains David Richardson, vice president of threat intelligence at Lookout, which first identified the latest campaign and reported it to LastPass. "A password vault is a natural extension, because obviously you're going to be able to monetize that at the end of the day."

So far, CryptoChameleon has managed to ensnare at least eight LastPass customers, but likely more, who may have exposed their master passwords.

A Brief History of CryptoChameleon

At first, CryptoChameleon looked like any other phishing kit.

Its operators have been around since late last year. In January, they began by targeting the cryptocurrency exchanges Coinbase and Binance. This initial targeting, along with its highly customizable toolset, earned it its name.

The picture changed in February, however, when they registered the domain fcc-okta[.]com, imitating the Okta Single Sign On (SSO) page belonging to the US Federal Communications Commission (FCC). "That suddenly elevated this from one of the many phishing kits we see out there, to something that's going to focus on targeting enterprise, going after enterprise credentials," Richardson recalls.

Richardson confirmed to Dark Reading that FCC employees were affected, but could not say how many, or whether the attack led to any consequences for the agency. It was a sophisticated attack, he notes, one he would expect to work even on trained employees.

The problem with CryptoChameleon wasn't just who it was targeting, but how well it was succeeding in defeating them. Its trick was thorough, patient, hands-on engagement with victims.

Consider, for example, the current campaign against LastPass.

Stealing LastPass Master Passwords

It begins when a customer receives a call from an 888 number. A robocaller informs the customer that their account has been accessed from a new device. It then tells them to press "1" to allow the access, or "2" to block it. After pressing "2," they are told that they will shortly receive a call from a customer service representative to "close the ticket."

Then the call comes in. Unbeknownst to the recipient, it comes from a spoofed number. On the other end of the line is a live person, typically with an American accent. Other CryptoChameleon victims have also reported speaking with British agents.

"The agent has professional call-center communication skills, and offers genuinely good advice," Richardson recalls from his many conversations with victims. "So, for example, they might say: 'I want you to write down this support phone number for me.' And they have victims write down the real support phone number for whoever they're impersonating. And then they give them a whole lecture: 'Only call us at this number.' I had a victim report that they actually said, 'For quality and training purposes, this call is being recorded.' They're using the full call script, everything you can think of to make someone believe they're really talking to this company right now."

This support agent informs the user that they will be sending an email shortly, which will allow the user to reset access to their account. In fact, this is a malicious email containing a shortened URL, directing them to a phishing site.

The helpful support agent watches in real time as the user enters their master password into the copycat site. The attackers then use it to log in to the account, and immediately change the primary phone number, email address, and master password, thereby locking the victim out for good.

All the while, Richardson says, "They don't realize it's a scam, not one of the victims I talked to. One person said, 'I don't think I ever entered my password there.' [I told them] 'You spent 23 minutes on the phone with these guys. You probably did.'"

The Damage

LastPass shut down the suspicious domain used in the attack, help-lastpass[.]com, shortly after it went live. The attackers have been persistent, however, continuing their activity under a new IP address.

With visibility into the attackers' internal systems, Richardson was able to identify at least eight victims. He also offered evidence (which Dark Reading is keeping confidential) indicating that there may be more than that.

When asked for more information, LastPass senior intelligence analyst Mike Kosak told Dark Reading, "We do not disclose details about the number of customers affected by this type of campaign, but we support any customer who may be a victim of this and other scams. We encourage people to report phishing scams and other nefarious activity impersonating LastPass to us at [email protected]."

Is There Any Defense?

Because hands-on CryptoChameleon attackers talk their victims through any potential security barriers such as multifactor authentication (MFA), defending against them begins with awareness.

"People need to know that attackers can spoof phone numbers, that just because an 800 or 888 number calls you, that doesn't mean it's legitimate," Richardson says, adding that "just because there's an American on the other end of the line also doesn't mean it's legitimate."

In fact, he says, "Don't answer the phone from unknown callers. I know that's a sad reality of the world we live in today."

Even with all the awareness and precautions known to enterprise users and consumers, though, a sophisticated social engineering attack may still get through.

"One of the CryptoChameleon victims I spoke with was a retired IT professional," Richardson recalls. "He said, 'I've trained my whole life not to fall for these kinds of attacks. Somehow I fell for it.'"

LastPass has asked Dark Reading to remind customers of the following:

  • Ignore any unsolicited or unprompted incoming phone calls (automated or with a live person) or texts claiming to be from LastPass related to a recent attempt to change your password and/or account information. These are part of an ongoing phishing campaign.

  • If you see this activity and are concerned that you may have been compromised, contact the company at [email protected].

  • And finally, LastPass will never ask you for your password.
