
Scammers Impersonate LastPass Employees to Hijack Password Vaults


LastPass has issued an alert to its users about a sophisticated phishing scam designed to steal their credentials and take over their accounts. This scam uses the CryptoChameleon phishing kit, notorious for its association with cryptocurrency thefts.

The Rise of CryptoChameleon

CryptoChameleon first came to prominence earlier this year when it was used to target employees at the Federal Communications Commission (FCC) with deceptive pages mimicking Okta single sign-on (SSO) interfaces. 

The phishing kit has been linked to attacks on major cryptocurrency platforms including Binance, Coinbase, Kraken, and Gemini. It cleverly replicates login pages for popular services such as Gmail, iCloud, Outlook, Twitter, Yahoo, and AOL to trick users into entering their credentials.

Recently, researchers from Lookout, a mobile security firm, discovered that LastPass had been added to the list of services targeted by this phishing kit. The attackers set up a fake website at “help-lastpass[.]com” to lure unsuspecting users.

How the Scam Works

Initial Contact and Phishing Attempt

Victims receive a phone call from a toll-free 888 number warning them of unauthorized activity in their LastPass accounts. They are asked to press “1” to block the suspicious activity or “2” to ignore the warning. Those who respond to block the access are promised a follow-up call to resolve the issue.

Follow-Up Call and Email Phishing

A second call follows from a number that appears to be from LastPass. During this call, the victim receives a phishing email purportedly from “support@lastpass.com” containing a link to the fraudulent website. If they enter their master password on this site, the scammer can potentially lock the legitimate user out of their account.

LastPass phishing email (Source: LastPass)

The deceptive website has since been taken down, but the threat remains active as criminals continue to create new domains to support their malicious activities.

How to Protect Yourself

It is crucial for users of any online service to stay vigilant against such phishing attempts. Here are some tips to help safeguard your accounts:

  • Always verify the source of a communication: genuine companies never ask for sensitive information such as passwords or PINs over the phone or via email.
  • Look out for warning signs in emails, such as generic greetings, spelling mistakes, and shortened URLs. The subject line “We’re here for you” and shortened links are common indicators of phishing attempts related to this campaign.
  • Never share your master password as it is the key to all your sensitive information. Always keep this information to yourself to prevent unauthorized access to your account.
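The warning signs listed above, together with the lure described under “How the Scam Works” (a message claiming to come from support@lastpass.com that links to a lookalike domain such as help-lastpass[.]com), can be checked mechanically before a user ever clicks. The following is an added example written for this page, not code from LastPass, Lookout or PureVPN: it parses a raw email, flags the campaign’s subject line, generic greetings, shortened links, and links whose host is not the trusted domain (with lookalikes containing the brand name called out separately). The trusted-domain set, the shortener list, the greeting list and both sample messages are constructed assumptions; the real lure email is not reproduced here.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the service legitimately uses for sender addresses and links.
# Assumption for this example; a deployment would maintain its own list.
TRUSTED_DOMAINS = {"lastpass.com"}
BRAND_KEYWORD = "lastpass"
# Popular URL shorteners; the article lists shortened links as an indicator. Constructed list.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}
# Subject line the article reports for this campaign.
CAMPAIGN_SUBJECTS = {"we're here for you"}
# Impersonal salutations the article flags as a warning sign. Constructed list.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued customer", "hello user")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def _normalise(text: str) -> str:
    """Lower-case and fold curly apostrophes so 'We’re' and 'We're' compare equal."""
    return text.strip().lower().replace("\u2019", "'")


def _host_is_trusted(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _plain_text_body(msg) -> str:
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def phishing_indicators(raw_email: str) -> list[str]:
    """Return the warning signs found in one raw RFC 5322 message (empty list if none)."""
    msg = message_from_string(raw_email)
    findings = []

    # 1. Subject line reported for this campaign.
    subject = msg.get("Subject", "")
    if _normalise(subject) in CAMPAIGN_SUBJECTS:
        findings.append(f"subject matches campaign lure: {subject!r}")

    # 2. Display name claims the brand but the address domain is not the brand's.
    #    A fully forged From: header passes this check, which is why the link checks matter too.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    if BRAND_KEYWORD in display_name.lower() and not _host_is_trusted(sender_domain):
        findings.append(f"sender display name impersonates brand: {address!r}")

    body = _plain_text_body(msg)

    # 3. Generic greeting on the first non-empty line of the body.
    first_line = next((ln for ln in body.splitlines() if ln.strip()), "")
    if _normalise(first_line).rstrip(",:") in GENERIC_GREETINGS:
        findings.append(f"generic greeting: {first_line.strip()!r}")

    # 4. Every link: shorteners, brand lookalikes, and anything off the trusted list.
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;")
        host = (urlparse(url).hostname or "").lower()
        if host in URL_SHORTENERS:
            findings.append(f"shortened link: {url}")
        elif not _host_is_trusted(host):
            kind = "lookalike domain" if BRAND_KEYWORD in host else "link to untrusted domain"
            findings.append(f"{kind}: {host}")
    return findings


def is_suspicious(raw_email: str) -> bool:
    return bool(phishing_indicators(raw_email))


# Constructed sample modelled on the article's description (not the real lure).
SUSPICIOUS_EMAIL = """\
From: LastPass Support <support@lastpass.com>
To: victim@example.com
Subject: We're here for you
Content-Type: text/plain; charset=utf-8

Dear Customer,

We noticed unauthorized activity on your account. Secure it now:
https://help-lastpass.com/verify
or use the short link https://bit.ly/EXAMPLE
"""

# Constructed sample of a benign notification for comparison.
LEGITIMATE_EMAIL = """\
From: LastPass <noreply@lastpass.com>
To: user@example.com
Subject: Your monthly security report is ready
Content-Type: text/plain; charset=utf-8

Hi Anas,

View this month's report at https://lastpass.com/security.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_EMAIL), ("legitimate", LEGITIMATE_EMAIL)):
        print(label, phishing_indicators(sample))
```

The forged sender in the sample passes the From-header check because the address domain really is lastpass.com; this is deliberate, since the article says the lure was “purportedly from support@lastpass.com”. The link check is what catches it: help-lastpass.com is not lastpass.com or a subdomain of it, so a host that merely contains the brand name is treated as a lookalike rather than trusted.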

Note: If you suspect any fraudulent activity, contact LastPass immediately at abuse@lastpass.com to report the incident.

Final Word

Vigilance is key when it comes to protecting yourself from sophisticated phishing attacks like those targeting LastPass users. Always verify sources and safeguard your credentials to prevent unauthorized access to your sensitive information. 

Anas Hasan, April 19, 2024

Anas Hassan is a tech geek and cybersecurity enthusiast. He has vast experience in the digital transformation industry. When Anas isn’t blogging, he watches football.
