Let’s start with some background
Everyone has heard about phishing, maybe even from us. And everyone who has an active email address (or cell phone, or home phone) has been the target of a phishing campaign. Even if you think you haven’t been, you have. Just as countless people are continually trying to trick the unwary into divulging sensitive information, security teams are working around the clock to identify and stop these attacks. A lot of this work goes unnoticed:
- Email providers constantly identify and block suspicious accounts.
- Domain hosting companies have whole departments dedicated to keeping bad actors from using their services (and shutting them down when they do).
- Spam filters isolate suspicious messages.
- Companies scan attachments and links to keep their critical systems safe.
Unfortunately, the cost of running a phishing campaign is so low, and the potential rewards are so high, that phishing is a permanent part of the landscape of our digital lives. But there is one defense no attacker can get around: the individual who refuses to engage with their message. If you don’t answer the call from “Scam Likely,” you won’t be a victim of (that) scam. If you don’t click the link in an email that is nothing but a link, sent by the college roommate you haven’t spoken to in three years, that malware won’t be installed on your computer.
But those are obvious examples, and most phishing campaigns are more polished. While many are directed at companies (if a phishing email gets through corporate defenses and even one employee clicks on it, the company’s entire network could be compromised), some are directed at individuals. Very often, these come disguised as emails from a company asking for users to “verify their account information” or something similar. They often include a link to a page that looks a lot like (or identical to) the sign-in page for the company that appears to have sent the email. But it isn’t. It’s a copy designed to trick you into voluntarily handing over your credentials to criminals who will either exploit that information themselves, sell it on the dark web, or both.
Casting for Dashlane users
Phishing campaigns often focus on “high value” targets. For example, banking credentials are obviously worth more than those for a streaming service. For obvious reasons, credentials for a password manager are of very high value indeed. With one credential, an attacker can theoretically access all of a target’s passwords. For this reason, we (and a vast majority of sites that allow access to sensitive information of any description) use email verification, authenticated devices, and other means to ensure that someone requesting access to a particular account is authorized to do so. Even if an attacker got your Dashlane ID and master password, they would also have to have access to your email inbox to access the information you store with us.
In the early hours of November 5, 2021, our user support agents started receiving reports of an email that “we” had sent asking users to verify their credentials to “avoid deactivation of certain features”:
This is a fairly sophisticated phishing email. The people behind it copied graphics from our site and emulated the tone of our customer communications. The use of “informations” on the button is about the only clear red flag in the message itself. If you did click that button, you were taken to the following page, at least if you were in France. (That was the initial behavior; after we started actively blocking these efforts, the attackers got frustrated and began redirecting people to a porn site instead.)
Again, this is a good rip-off of our actual site, and a quick glance at the URL shows an address that at least seems to be associated with us: app.auth-dashlane.com. But look closely: the registered domain there is auth-dashlane.com, not dashlane.com. We do not own that site, or any of the other dozen or so domains with the word “Dashlane” in them that were registered shortly before these emails were first sent out. And there is no way for us to defensively purchase every domain name that includes “Dashlane” or to prevent others from registering them. What we do, and what helped tip us off to this campaign, is monitor new registrations of domain names that include “Dashlane.”
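The two checks described above, a watch on new registrations that contain the brand name and a test of whether a URL’s host is really under the legitimate domain, can be sketched in a few lines. The following is an added example, not Dashlane’s own tooling: the feed of newly registered domains is constructed, the legitimate domain `dashlane.com` and the lookalike-folding rules are assumptions, and a production version would use a public-suffix list rather than the crude “last two labels” rule used here.

```python
"""Brand-lookalike domain watch and URL-origin check (added example).

Sample data below is constructed; the legitimate domain and the folding
rules are assumptions for illustration, not Dashlane's monitoring code.
"""
from urllib.parse import urlsplit

LEGIT_DOMAIN = "dashlane.com"   # assumed legitimate registrable domain
BRAND = "dashlane"

# Constructed feed of newly registered domains, as a zone-file or
# certificate-transparency watch might deliver them.
NEW_REGISTRATIONS = [
    "auth-dashlane.com",
    "dashlane-verify.net",
    "dash1ane-login.com",
    "example-bakery.org",
    "dashlane.com",
]

# Digit-for-letter substitutions that phishers commonly use; assumed list.
_FOLD = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def fold(label: str) -> str:
    """Lowercase, drop hyphens and fold look-alike digits so that
    'dash1ane' or 'dash-lane' still matches the brand string."""
    return label.lower().replace("-", "").translate(_FOLD)


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no multi-label public
    suffixes such as .co.uk appear in the feed."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def flag_lookalikes(domains, brand: str = BRAND, legit: str = LEGIT_DOMAIN):
    """Return every domain whose folded registrable part contains the
    brand name but which is not the legitimate domain itself."""
    hits = []
    for d in domains:
        reg = registrable_domain(d)
        if reg == legit:
            continue
        if brand in fold(reg):
            hits.append(d)
    return hits


def is_legitimate_url(url: str, legit: str = LEGIT_DOMAIN) -> bool:
    """True only if the URL's host is the legitimate domain or a subdomain
    of it. 'app.auth-dashlane.com' fails because its host ends in
    '-dashlane.com', not '.dashlane.com'; 'https://dashlane.com@evil.example/'
    fails because the real host is after the '@'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == legit or host.endswith("." + legit)


if __name__ == "__main__":
    for d in flag_lookalikes(NEW_REGISTRATIONS):
        print("lookalike registration:", d)
    for u in ("https://app.auth-dashlane.com/login",
              "https://app.dashlane.com/",
              "https://dashlane.com.evil.example/",
              "https://dashlane.com@evil.example/"):
        print(u, "->", "ours" if is_legitimate_url(u) else "NOT ours")
```

The origin check is the part an end user can apply by eye: read the host right to left and confirm the last two labels are the company’s real domain. The registration watch is what a brand owner runs so that lookalikes are found before the emails go out, not after.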
So, who got this email? As of now, only a few dozen Dashlane users have reported receiving this or similar communications, and we have no indication that any account was compromised. This is partly because, like many phishing campaigns, it started with a random list of emails, not a collection of known Dashlane users. There was no breach that allowed the attackers to get the emails; they were sifting through large lists of random addresses hoping to land on Dashlane users.
We also became aware of the attack early, and immediately reached out to the domain registrars, hosting companies, and others whose services the attackers used to shut them down. But there are hundreds of such service providers, and it can be a bit like playing “whack-a-mole,” so we also put a notice of the event on our status page and informed our customer support team so that agents would be able to advise any Dashlane users who reached out. Of course, we continue to hit every mole that pops up, and, as of this writing, the attack seems to have largely subsided. Hopefully, the attackers will eventually turn their attention to another target, but there are always other attackers ready to take their turn.
Keeping phishers at bay
As we did in the current instance, we will keep monitoring for suspicious activity that might affect Dashlane and our users, and we will take aggressive steps to stop any incident that we are aware of. We also continue to invest in efforts to make our service safer, more secure, and more resilient. But when it comes to phishing, the most important thing to do is not bite. Even if the integrity of your Dashlane, banking, or other account is protected by 2-factor authentication or other means, you never want to give the bad guys any information. There is a reason that almost every email you get from your bank, cell phone provider, and countless other companies says something like “We will never ask for your password or account information in an email.” The reason is simple: If you want to keep your customers from being phished, don’t act like a phisher. So please remember this:
Dashlane will never ask for your credentials or account information in an email.
The only place you should ever enter your Master Password or login information is on the login page or screen of our services that you have navigated to yourself. In some cases, our agents may ask for certain information (like an email address or the last four digits of a credit card) in response to a user-initiated request to the support team, but no one at Dashlane will ever ask you for your Master Password.
You can read more about how a password manager helps you avoid phishing.