LastPass has issued a warning about a sophisticated phishing campaign by the threat group CryptoChameleon, targeting users with fake inheritance requests to steal credentials and passkeys. This campaign involves fake legacy access emails and fraudulent domains designed to harvest sensitive information, including passkeys and master passwords. #CryptoChameleon #Passkeys
Keypoints
- CryptoChameleon is the primary threat actor behind the recent LastPass phishing campaign.
- The attackers use fake inheritance request emails to trick users into revealing credentials.
- Phishing domains like mypasskey.info and passkeysetup.com target passkey-based authentication systems.
- LastPass users are at risk of credential theft and passkey compromise through these schemes.
- The campaign is an evolution of previous attacks, now more extensive and targeting passwordless authentication.