Cybercriminals pose as LastPass staff to hack password vaults

Summary: LastPass users are being targeted by a malicious campaign using the CryptoChameleon phishing kit, which is associated with cryptocurrency theft.

Threat Actor: CryptoChameleon
Victim: LastPass users (LastPass)

Key Points:

  • LastPass users are being targeted by a malicious campaign using the CryptoChameleon phishing kit.
  • The campaign involves social engineering techniques, including phone calls and phishing emails, to trick users into providing their master password and gaining unauthorized access to their accounts.
  • The phishing kit has previously targeted other platforms, including cryptocurrency platforms Binance, Coinbase, Kraken, and Gemini.
  • LastPass has discovered that its service was recently added to the CryptoChameleon kit and warns users to be cautious of suspicious communication claiming to come from LastPass.
  • Users should report any suspicious attempts to LastPass and should never share their master password with anyone.

LastPass is warning of a malicious campaign targeting its users with the CryptoChameleon phishing kit that is associated with cryptocurrency theft.

CryptoChameleon is an advanced phishing kit that was spotted earlier this year, targeting Federal Communications Commission (FCC) employees using custom-crafted Okta single sign-on (SSO) pages.

According to researchers at mobile security company Lookout, campaigns using this phishing kit also targeted cryptocurrency platforms Binance, Coinbase, Kraken, and Gemini, using pages that impersonated Okta, Gmail, iCloud, Outlook, Twitter, Yahoo, and AOL.

During its investigations, LastPass discovered that its service was recently added to the CryptoChameleon kit, and a phishing site was hosted at the “help-lastpass[.]com” domain.

The attacker combines multiple social engineering techniques that involve contacting the potential victim (voice phishing) and pretending to be a LastPass employee trying to help with securing the account following unauthorized access.

Below are the tactics LastPass observed in this campaign:

  1. Victims receive a call from an 888 number claiming unauthorized access to their LastPass account and are prompted to allow or block the access by pressing “1” or “2”.
  2. If they choose to block the access, they’re told they will get a follow-up call to resolve the issue.
  3. A second call comes from a spoofed number, where the caller, posing as a LastPass employee, sends a phishing email from “support@lastpass” with a link to the fake LastPass site.
  4. Entering the master password on this site allows the attacker to change account settings and lock out the legitimate user.

The malicious website is now offline, but it is very likely that other campaigns will follow, with threat actors relying on new domains.

Users of the popular password management service are advised to be wary of suspicious phone calls, messages, or emails claiming to come from LastPass and urging immediate action.

Some indicators of suspicious communication from this campaign include emails with the subject “We’re here for you” and the use of a shortened URL service for links in the message. Users should report these attempts to LastPass at abuse@lastpass.com.
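As an added example (not from the article, LastPass, or Lookout), the following Python triage check scores an email against the indicators described above: a sender or link domain that invokes the LastPass brand without actually being lastpass.com (the hyphenated “help-lastpass” pattern), the “We’re here for you” subject, and links through a URL shortener. The sample messages and the shortener list are constructed assumptions, not captured campaign artifacts.

```python
import re
from email import message_from_string

# Assumed allow-list of genuine sender domains; subdomains of these are accepted too.
LEGIT_DOMAINS = {"lastpass.com"}
# Assumed list of common URL shorteners (the advisory names the tactic, not a service).
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
URL_RE = re.compile(r"https?://([^/\s>\"']+)", re.I)
CAMPAIGN_SUBJECT = "we're here for you"


def is_legit(domain: str) -> bool:
    """Exact match or true subdomain of an allow-listed domain (not a hyphenated lookalike)."""
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)


def lookalike_domain(domain: str) -> bool:
    """True when the domain invokes the LastPass brand but is not an allow-listed sender."""
    return "lastpass" in domain and not is_legit(domain)


def sender_domain(addr: str) -> str:
    """Lowercase domain part of a From header, '' if none."""
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""


def score_message(raw: str) -> dict:
    """Score one RFC 822 message against the campaign indicators; two or more hits = suspicious."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    hits = []
    dom = sender_domain(msg.get("From", ""))
    if lookalike_domain(dom):
        hits.append(f"lookalike-sender:{dom}")
    # Normalise the curly apostrophe so both spellings of the subject match.
    subject = msg.get("Subject", "").lower().replace("\u2019", "'")
    if CAMPAIGN_SUBJECT in subject:
        hits.append("campaign-subject")
    for host in (h.lower() for h in URL_RE.findall(body)):
        if host in URL_SHORTENERS:
            hits.append(f"shortened-url:{host}")
        elif lookalike_domain(host):
            hits.append(f"lookalike-link:{host}")
    return {"from": dom, "hits": hits, "suspicious": len(hits) >= 2}


# Constructed sample messages for demonstration only.
SAMPLE_PHISH = """From: LastPass Support <support@help-lastpass.com>
Subject: We're here for you

We noticed unauthorized access. Secure your account: https://bit.ly/placeholder
"""
SAMPLE_LEGIT = """From: LastPass <noreply@lastpass.com>
Subject: Your monthly security report

View your report at https://www.lastpass.com/
"""
```

Running `score_message` over a mailbox export gives a quick first-pass filter; it is a triage aid, not a substitute for checking the sender with LastPass through a known-good channel.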

Regardless of the service, the master password should not be shared with anyone, since it is the key to all your sensitive information.

Source: https://www.bleepingcomputer.com/news/security/cybercriminals-pose-as-lastpass-staff-to-hack-password-vaults/
