LastPass users targeted in phishing attacks good enough to trick even the savvy

Two sentences: CryptoChameleon’s phishing-as-a-service kit was used to target LastPass users with a multi-channel social engineering campaign designed to steal master passwords and take over accounts. The operation spoofed services such as the FCC, Coinbase, Okta, iCloud, and Outlook, and in some cases included real-time operator support to bypass MFA. #CryptoChameleon #LastPass #FCC #Coinbase #Okta #iCloud #Outlook

Keypoints

  • The phishing campaign leveraged CryptoChameleon, a phishing-as-a-service kit discovered by Lookout, to spoof multiple high-value services including LastPass.
  • Attackers used a multi-channel approach: phone calls, emails, and SMS to convince targets and exploit real-time interactions on fake sites.
  • The phishing site and communications included high-quality elements (fake SSO pages, captcha, real-time interaction with the victim) to appear legitimate and defeat automated analysis.
  • Targets included LastPass, FCC, Coinbase, Okta, iCloud, and Outlook, among other services, with data like emails, passwords, OTP tokens, and password-reset URLs collected.
  • In the campaign, threat actors attempted to log into compromised LastPass accounts and modify settings to lock out the real user, sometimes bypassing MFA.
  • Researchers note that the majority of login data originated from mobile devices (iOS/Android), and that callers were often American-accented actors with a professional demeanor.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Link – Targets received a phishing email containing a shortened URL that led to the credential-harvesting site. “phishing email with a shortened URL that will send them to the ‘help-lastpass[.]com’ site designed to steal the user’s credentials.”
  • [T1078] Valid Accounts – If credentials are entered, the attacker attempts to log in to the LastPass account and change settings within the account to lock out the authentic user. “If the recipient inputs their master password into the phishing site, the threat actor attempts to log in to the LastPass account and change settings within the account to lock out the authentic user and take control of the account.”
  • [T1098] Account Manipulation – Attackers changed critical account details (primary phone, email, master password) to lock out the user. “These changes may include changing the primary phone number and email address as well as the master password itself.”
  • [T1556] Modify Authentication Process – The service can bypass multi-factor authentication when a target has MFA enabled, granting access despite that protection. “The end-to-end service can also bypass multi-factor authentication in the event a target is using the protection.”

Indicators of Compromise

  • [Domain] help-lastpass[.]com – phishing site used to steal credentials
  • [URL] shortened phishing URL – directs targets to the phishing site (redacted/unspecified in article)
  • [Phone] 888-prefixed (toll-free) numbers – used to initiate contact and guide targets through the scam (caller numbers were spoofed)

Read more: https://arstechnica.com/security/2024/04/lastpass-users-targeted-in-phishing-attacks-good-enough-to-trick-even-the-savvy/