LastPass vs Customers: How to steal someone else's account with one call

Father

Scammers have found an easy way to steal the master passwords of LastPass users.

Users of the LastPass password manager were targeted in a convincing phishing campaign, in which attackers used a combination of calls, email, and SMS to obtain master passwords from their accounts. The attack was reported by company representatives.

The campaign used the CryptoChameleon phishing kit, discovered in February by Lookout researchers, which specializes in targeting cryptocurrency accounts. The toolset includes well-crafted URLs, fake login pages, and tooling for placing calls and sending messages.
  • The LastPass customer receives a call from an 888 number with a recorded message about an attempt to access their account from a new device. The user is prompted to press "1" to allow the access or "2" to block it.
  • After the access is denied, the caller is told that a support representative will soon call them back to "close the application". A phishing email is then sent to the victim in the name of a LastPass employee, containing a shortened link to the fake site.
  • If the victim enters their master password on the phishing site, the scammer attempts to log in to their LastPass account and change its settings to lock the victim out and take control of the account. The attacker's actions at this stage may include changing the primary phone number and email address, as well as the master password itself.

[Image: the phishing email]

On April 15 and 16, attacks on LastPass customers were actively conducted, and the fake site was closed on April 16.

To protect against such attacks, LastPass advises customers to always contact support through its official channels after any suspicious call or message, and reminds them that the master password must never be shared with anyone.