New Contributor

Your LogMeIn.com SSL certificate has been suspended!

Some users at our company have received e-mails with the above Subject line.  The links within the e-mail appear to be bogus and do not actually point to LogMeIn web addresses.  We're wondering what this is, how our e-mail addresses were acquired by the sender, and what (if anything) we should do about it?

 

Thanks for your attention,

 

 

Mark

1 ACCEPTED SOLUTION

Retired LogMeIn Contributor

Re: Your LogMeIn.com SSL certificate has been suspended!

We are examining this issue at this time.

 

EDIT::  It has been discovered that even users that do not have an account with us are receiving this email.  This appears to be a pure phishing attempt.

 

It goes without saying, but please do not click the links within.

Sean Keough
Product Specialist, LogMeIn Support
6 REPLIES
New Contributor

Re: Your LogMeIn.com SSL certificate has been suspended!

Here are some of the email headers that I have done some investigating on for this issue posted.

 

Originating IP maps out to Germany, DomainFactory

 

One of the links / URL in the email translates to IP: 46.166.178.91 located in the UK.

The other link / URL in the email translates to IP: 64.202.163.4 GODADDY in California

 

Malware is tied to one of the links and what I experienced was a JAVA session in the browser getting fired. Our AV killed this Malware immediately from running.

I did not check the other one to see what will spawn from it.

 

 

Return-Path: <eduard_krieger@hotmail.de>
Received: from [216.82.241.211:5905] by server-12.bemta-8.messagelabs.com id
 CE/CC-06988-B7B8EF05; Tue, 22 Jan 2013 12:52:11 +0000
X-Env-Sender: eduard_krieger@hotmail.de
X-Msg-Ref: server-9.tower-85.messagelabs.com!1358859129!34525498!1
X-Originating-IP: [80.67.28.160]
X-SpamReason: No, hits=1.8 required=7.0 tests=HTML_60_70,
  HTML_IMAGE_ONLY_20,HTML_MESSAGE,MIME_HTML_ONLY,ML_RADAR_SPEW_LINKS_18,
  spamassassin:
X-StarScan-Received:
X-StarScan-Version: 6.7; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 10352 invoked from network); 22 Jan 2013 12:52:10 -0000
Received: from charybdis.ispgateway.de (HELO charybdis.ispgateway.de)
 (80.67.28.160)  by server-9.tower-85.messagelabs.com with SMTP; 22 Jan 2013
 12:52:10 -0000
Received: (qmail 17828 invoked from network); 22 Jan 2013 12:51:49 -0000
Received: from unknown (HELO charybdis.ispgateway.de) (127.0.0.1)  by
 localhost with SMTP; 22 Jan 2013 12:51:49 -0000
Received: (from u195401@localhost)      by charybdis.ispgateway.de
 (8.14.4/8.13.6/Submit) id r0MCpWg0016765;      Tue, 22 Jan 2013 13:51:32 +0100
Date: Tue, 22 Jan 2013 13:51:32 +0100
Message-ID: <201301221251.r0MCpWg0016765@charybdis.ispgateway.de>
Subject: Your LogMeIn.com SSL certificate has been suspended!
X-DFOptimize: BUFfRE5PRAUbEx8eGht1ExodHBIFSEVNTUNEBE9fBUBGXgVZT0ROR08EWkJa
From: LogMeIn.com <support@logmein.com>
Reply-To: support@logmein.com
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit

 

 

New Contributor

Re: Your LogMeIn.com SSL certificate has been suspended!

Our users are getting this email also.  The link seems to go to rabbit-rabbit.com where it offers a file to download. Obviously we haven't done that!

New Contributor

Re: Your LogMeIn.com SSL certificate has been suspended!

 

Sean,

 

I just got a different phishing email going to a different website saying my account has been locked out.  ...and that I need to download a zip file to recover my account...  Let me know if you're interested to investigate further. 

 

Thanks,

 

David

dave5008@gmail.com

New Contributor

Re: Fake: Your LogMeIn.com SSL certificate has been suspended!

Just started another thread.  This is the 2nd time I've gotten it.  I made the mistake the 1st time of following the link and paid for it.

New Contributor

Re: Your LogMeIn.com SSL certificate has been suspended!

I have received an email titled: "Your LogMeIn digital certificate has expired!" 

 

Here is the message Body:

 

Dear LogMeIn customer,

This notification has been emailed to you because your LogMeIn.com SSL certificate has expired.
To continue using the LogMeIn services, you are required to update your digital certificate.
A new certificate has been generated for you.


The new LogMeIn SSL certificate can be downloaded from :

https://secure.logmein.com/download.asp&cert_id=49498201&userid=940281&type=SSL_Cert

According to our Terms and Conditions, failing to renew the SSL certificate will result in account suspension or cancelation:
https://secure.logmein.com/policies/termsandconditions.aspx

 

 

Thank you for using LogMeIn Software

Copyright © 2003-2014 LogMeIn, Inc. All rights reserved.

 

Header Info:

Received: from exmf026-ca-5.domain.local (10.254.156.116) by
 HUB026-CA-6.exch026.domain.local (10.254.14.232) with Microsoft SMTP Server
 (TLS) id 14.3.174.1; Thu, 5 Jun 2014 10:05:04 -0700
Received: from localhost (localhost [127.0.0.1]) by
 smtp.exch026.serverdata.net (Postfix) with ESMTP id 6B040B5FC; Thu,  5 Jun
 2014 10:05:04 -0700 (PDT)
X-Relayed-From: 212.142.155.208
X-Relayed-From-Added: Yes
X-Virus-Scanned: by amavisd-new at exmf026-ca-5.domain.local
X-Spam-Flag: YES
X-Spam-Score: 20.899
X-Spam-Level: ********************
X-Spam-Status: Yes, score=20.899 tagged_above=-999 required=6
 tests=[CLOUDMARK=15, IM_RCVD_IN_BRBL=2, IM_RCVD_IN_LBBL=0.3,
 RCVD_IN_PSBL=1, SPF_FAIL=2.599]
Received: from exmf026-ca-5.domain.local ([127.0.0.1]) by localhost
 (exmf026-ca-5.domain.local [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
 id WPAGvzzVILds; Thu,  5 Jun 2014 10:05:04 -0700 (PDT)
Received: from 208.212-142-155.static.clientes.euskaltel.es
 (208.212-142-155.static.clientes.euskaltel.es [212.142.155.208]) by
 smtp.exch026.serverdata.net (Postfix) with ESMTP id A4003B5D2; Thu,  5 Jun
 2014 10:05:03 -0700 (PDT)
Message-ID: <XZS7U7N9.9239464@bollingershipyards.com>
Date: Thu, 5 Jun 2014 19:08:21 +0100
From: LogMeIn.com <security@logmein.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: <john@efficientcomputerservice.com>
Subject: Your LogMeIn digital certificate has expired!
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-CMAE-Verdict: spam
X-CMAE-Score: 100
X-CMAE-Analysis: v=2.0 cv=ZYtFrbpA c=1 sm=1 p=x7FCKscpr31yqxXEupsA:9
 a=1rQhE/vva1z3tQ6ALn1KiQ==:17 a=oVFiZj9fevMA:10 a=qxvBnSdKA8oA:10
 a=ntMFagInWIwA:10 a=8nJEP1OIZ-IA:10 a=LdAzdTdWAAAA:8 a=G3WlctkvAAAA:8
 a=3GbmggnxAAAA:8 a=gvmzwY4jAAAA:8 a=wPNLvfGTeEIA:10 a=_W_S_7VecoQA:10
 a=9SPrppUrSgIA:10 a=zEfRdDXvn-4A:10 a=XU-cCG2sKOsA:10
 a=1rQhE/vva1z3tQ6ALn1KiQ==:117
Return-Path: evkuwqepihlc@bollingershipyards.com
X-MS-Exchange-Organization-AuthSource: HUB026-CA-6.exch026.domain.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-SCL: 9

 

If you click on the Link above in the message body, it downloads a ZIP file called 'logmein_certif_ssl.zip' with the file 'logmein_certif_ssl.scr' inside.  I do not recommend clicking this file.
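
Both header sets posted in this thread show the same pattern: a From: line claiming logmein.com while the Return-Path, Message-ID and relaying host belong to unrelated domains. The following is an added example, not part of any post and not LogMeIn's own tooling, that checks those fields mechanically; the function names are hypothetical and the two samples are trimmed copies of the headers above.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
# Trimmed copies of the two header sets posted in this thread.
HEADERS_2013 = """\
Return-Path: <eduard_krieger@hotmail.de>
Received: from charybdis.ispgateway.de (HELO charybdis.ispgateway.de)
 (80.67.28.160)  by server-9.tower-85.messagelabs.com with SMTP; 22 Jan 2013
 12:52:10 -0000
Message-ID: <201301221251.r0MCpWg0016765@charybdis.ispgateway.de>
From: LogMeIn.com <support@logmein.com>
"""
HEADERS_2014 = """\
X-Spam-Status: Yes, score=20.899 tagged_above=-999 required=6
 tests=[CLOUDMARK=15, IM_RCVD_IN_BRBL=2, IM_RCVD_IN_LBBL=0.3,
 RCVD_IN_PSBL=1, SPF_FAIL=2.599]
Received: from 208.212-142-155.static.clientes.euskaltel.es
 (208.212-142-155.static.clientes.euskaltel.es [212.142.155.208]) by
 smtp.exch026.serverdata.net (Postfix) with ESMTP id A4003B5D2; Thu,  5 Jun
 2014 10:05:03 -0700 (PDT)
Message-ID: <XZS7U7N9.9239464@bollingershipyards.com>
From: LogMeIn.com <security@logmein.com>
Return-Path: evkuwqepihlc@bollingershipyards.com
"""

def addr_domain(value):
    """Domain part of an address-style header, lower-cased ('' if absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def first_public_ip(received_headers):
    """First globally routable IP in the Received chain (newest hop first)."""
    for hop in received_headers:
        for ip in re.findall(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]", hop):
            if ipaddress.ip_address(ip).is_global:
                return ip
    return None

def triage(raw, brand="logmein.com"):
    msg = message_from_string(raw)
    shown, envelope = addr_domain(msg["From"]), addr_domain(msg["Return-Path"])
    return {
        "from_domain": shown,                      # what the recipient sees
        "return_path_domain": envelope,            # envelope sender
        "msgid_domain": addr_domain(msg["Message-ID"]),
        "spoofed_brand": shown == brand and envelope != brand,
        "relay_ip": first_public_ip(msg.get_all("Received", [])),
        "spf_fail": "SPF_FAIL" in (msg["X-Spam-Status"] or ""),
    }
```

A `spoofed_brand` hit together with a relay IP outside the brand's published sending ranges is a reasonable basis for a mail-gateway quarantine rule.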