LastPass users on Android and other platforms are targets of a phishing campaign combining fake customer service calls with cleverly designed emails featuring the company’s branding to steal their master passwords. This multi-layered attack exploits social engineering tactics to trick victims into handing over the keys to their password vault, potentially compromising all their online accounts.
The phishing scheme, recently disclosed by LastPass, leverages a notorious phishing kit known as CryptoChameleon. This kit allows cybercriminals to easily create fake login pages that mimic legitimate services, like LastPass, in a deceptive attempt to steal login credentials.
From deceptive phone calls to fake emails
The attack unfolds in a series of calculated steps designed to create panic and pressure victims into making rash decisions. The initial act involves a phone call, supposedly from LastPass support. The caller informs the victim that their account has been accessed from an unrecognized device. To heighten the sense of urgency, the caller instructs the victim to press a specific number on their phone keypad. This is to either allow or block the supposed unauthorized access.
You can choose to block the access. But the charade continues with the caller promising a follow-up call from a “customer representative” to resolve the issue. This second call, however, comes from a spoofed number, masking the true identity of the attacker. Posing as a legitimate LastPass employee, the scammer then sends a seemingly official email containing a link to “reset” your account. The urgency created by the phone calls, coupled with the official-looking email, can easily trick even savvy users into believing their account is genuinely compromised. Clicking on the link in the email leads the victim to a cleverly designed phishing website – a near-perfect replica complete with the LastPass branding and login page. Unaware of the deception, the victim may enter their master password in an attempt to regain control of their account.
Once the master password is entered on the fake login page, the attacker gains full access to the victim’s LastPass vault. This grants them the ability to not only steal all the stored usernames and passwords. But also potentially change critical account information such as email addresses and phone numbers. With this level of access, attackers can hijack the victim’s online accounts, wreak financial havoc, and even impersonate the victim to target their social circles.
LastPass is not the only CryptoChameleon victim
CryptoChameleon has been used to target a wider range of online services beyond LastPass. Security researchers at Lookout discovered that phishing campaigns using the kit impersonated popular platforms like Binance and Coinbase. Not even social media giants like X and Facebook are spared. This indicates a broader campaign by cybercriminals aiming to steal login credentials across various online services.
LastPass, upon discovering the phishing campaign targeting its users, took swift action to mitigate the damage. The company has taken down the fraudulent website used by the attackers to steal credentials. Additionally, LastPass is actively informing its user base about the phishing scheme, urging them to be wary of suspicious calls, texts, and emails, including those with the company’s official branding.
The shadow of past breaches looms large
The recent phishing campaign targeting LastPass users comes at a particularly sensitive time for the password management company. LastPass acknowledged facing a data security incident in 2022, where hackers gained access to portions of its customer data. Sure, LastPass claimed that the master passwords remained secure. However, this prior breach has undoubtedly eroded user trust and heightened anxieties surrounding the safety of their passwords.
To stay safe, LastPass is emphasizing a crucial point. Legitimate customer support representatives will never ask for your master password. If you receive a call, text, or email claiming to be from LastPass and urging immediate action, especially one involving your master password, it’s a red flag. Do not click on any links. Also, hang up the phone immediately, and report the suspicious communication directly to LastPass at [email protected].
Remember, your master password is the cornerstone of your online security. You must remain vigilant and adopt a healthy dose of skepticism towards unsolicited communication. This way, you can significantly reduce the risk of falling victim to these cunning phishing attempts.
