Lastpass warns of convincing phishing campaign

In the USA, criminals are going to great lengths, with a very convincing scheme, to steal the master password from Lastpass users.

Criminal fishing for credit card data.

Lastpass warns of a current phishing scam.

(Image: created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

CryptoChameleon is the name of the phishing kit that criminals are currently using to target Lastpass users. An apparently very convincing phishing scam is designed to trick potential victims into revealing their master password.

Lastpass now warns of this phishing campaign in a blog post. CryptoChameleon is also used to attack other services such as crypto wallets and exchanges, single sign-on services and email providers, as reported by the IT security researchers at Lookout. Specifically, the website help-lastpass[.]com hosted one such trap.

The phishing-as-a-service offering lets attackers easily clone single sign-on or login pages and dress them up with the matching brand logos and graphics. The aim is to harvest victims' credentials, which the attackers either use themselves or sell on. Victims are lured to the fake sites by phishing emails, text messages (smishing) or phone calls (vishing).

The domain was initially parked. Lastpass therefore kept it under observation to see whether it would go live and serve a page imitating the Lastpass login or something similar. When the page did go live, the company worked with the hosting provider to take it offline.

During the campaign, Lastpass observed customers receiving calls from a number beginning with 888, the prefix of toll-free numbers in the US, comparable to the 0800 prefix in Germany. The callers claimed that the account was being accessed from another device and that pressing "1" would allow the access and "2" would block it. Victims who pressed "2" were told that a customer service representative would call back shortly to close the ticket.

The victim then receives a call from a spoofed number from someone claiming to be a Lastpass employee, typically with an American accent. The caller sends the victim an email that supposedly lets them reset the password on the account. In reality it contains a shortened and obfuscated link that leads to help-lastpass[.]com, the site built to steal the credentials.

Once a victim enters their master password there, the perpetrators immediately attempt to log into the Lastpass account and change its settings to lock the legitimate owner out. This includes changing the phone number and email address on file, as well as the master password itself.
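The check a defender or help desk would want at this point is a quick triage of the link in such an email before anyone clicks it: does the hostname merely borrow the brand name, or is it actually under the brand's own domain? The following is an added example, not code from Lastpass or Lookout. It assumes lastpass.com as the brand's only legitimate registrable domain, uses a deliberately simplified "last two labels" rule instead of the Public Suffix List, and the shortener list and sample URLs are constructed for illustration.

```python
"""Triage URLs from a suspected phishing email for brand-lookalike hostnames.

Added example (not LastPass's or Lookout's code). Assumptions:
- LEGIT_DOMAINS is the brand's only genuine registrable domain.
- registrable_domain() uses the last two labels; real code should
  consult the Public Suffix List (co.uk etc.).
- SHORTENERS is a constructed, incomplete list.
"""
from urllib.parse import urlsplit

BRAND = "lastpass"
LEGIT_DOMAINS = {"lastpass.com"}                     # assumption, see above
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}       # constructed sample list


def refang(text: str) -> str:
    """Turn defanged indicators (help-lastpass[.]com, hxxps://) back into real URLs."""
    return (text.replace("[.]", ".")
                .replace("hxxps://", "https://")
                .replace("hxxp://", "http://"))


def hostname_of(url: str) -> str:
    """Lower-cased hostname of a URL; bare hostnames without a scheme are accepted."""
    url = refang(url.strip())
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Simplified registrable domain: the last two labels (assumes generic TLDs)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url: str) -> str:
    """Return 'legit', 'lookalike', 'shortener' or 'unrelated' for one URL."""
    host = hostname_of(url)
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legit"
    if reg in SHORTENERS:
        # A shortener hides the real target; expand it (e.g. with a HEAD
        # request in a sandbox) before judging, do not open it in a browser.
        return "shortener"
    # Strip separators so help-lastpass.com and last_pass.com are both caught.
    if BRAND in host.replace("-", "").replace("_", ""):
        return "lookalike"
    return "unrelated"


def triage(urls):
    """Classify a batch of URLs, e.g. all links extracted from one email."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample set: the indicator from the article plus control cases.
    samples = [
        "help-lastpass[.]com",
        "https://accounts.lastpass.com/login",
        "https://lastpass.com.reset-ticket.example/",
        "https://bit.ly/3xAmpl3",
        "https://example.org/",
    ]
    for url, verdict in triage(samples).items():
        print(f"{verdict:10s} {url}")
```

The verdict "lookalike" is the case the article describes: the brand string appears in the hostname, but the registrable domain belongs to someone else. A "shortener" verdict is not a clean bill of health; it means the real destination is still unknown and must be expanded out of band before the link is trusted.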

Despite the action taken against the URL above, the phishing wave is still in full swing, Lastpass explains. Users should protect themselves by hanging up on suspicious calls immediately and then emailing a detailed description to abuse@lastpass.com. Screenshots of suspicious text messages should also be sent there, and potentially malicious emails should be forwarded to that address as attachments so that the original headers are preserved. Lastpass stresses that the company never asks for the master password.

Lastpass users are repeatedly targeted by cybercriminals. Users in the DACH region (Germany, Austria, Switzerland) should likewise check carefully whether such emails or text messages are genuine.

At the beginning of the year, Lastpass issued recommendations to improve user security. These include longer master passwords, dark web monitoring and resetting multifactor authentication (MFA). Last year, attackers copied MFA secrets, among other things, during a breach at Lastpass.

(dmk)