Cyber security news for all


    Cybercriminals Targeting LastPass Users

    LastPass users are the target of a recent phishing campaign built around fraudulent sites that prompt them to "reset" their accounts. LastPass has warned its users that its branding is being misused by fraudsters involved in cryptocurrency thefts. The campaign is linked to the CryptoChameleon phishing kit, which has previously been used against cryptocurrency platforms and the Federal Communications Commission.

    A phishing kit is a pre-packaged toolset that lets malicious actors stand up fake login pages mimicking a legitimate site, complete with the target's branding, so that victims enter their credentials into a form the attacker controls. Victims are usually steered to these pages through phishing emails, SMS messages, or phone calls.

    LastPass identified a suspicious domain, help-lastpass[.]com, used in the campaign against its customers and worked with its vendor to take the site down. The lure starts with a call to the customer from an '888' number claiming that their account has been accessed from a new device; the recording instructs them to press "1" to allow the access or "2" to block it. Users who press "2" then receive a follow-up call from a person posing as a LastPass employee, who sends an email containing a link to "reset" account access. That link is how the target ends up on the phishing site.

    The site at help-lastpass[.]com is built to harvest credentials. Once a user enters their master password there, the attacker uses it to log in to the real LastPass account and change its settings, locking the legitimate owner out. The original site has been taken down, but the kit continues to use LastPass branding, so the same lure can reappear on other domains and LastPass users should remain cautious.
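    The indicator above is a brand-impersonation domain, and the article notes that the kit keeps reusing LastPass branding even after the original domain was removed. The following is an added example, not code from the article or from LastPass, of the kind of check a defender would run over DNS or proxy logs: it refangs the published indicator, skips first-party LastPass domains, and flags any other queried name whose labels contain the brand string, including typo-squats that swap digits for letters. The log format (timestamp, client IP, queried name), the sample log lines, the first-party suffix list, and the digit-substitution table are all assumptions constructed for the example.

```python
"""Flag LastPass brand-impersonation domains in DNS/proxy logs.

Added example for illustration; not part of the article and not LastPass code.
Log format, first-party suffixes and the substitution table are assumptions.
"""
import re
from collections import namedtuple

Hit = namedtuple("Hit", "timestamp client domain reason")

BRAND = "lastpass"
# Assumption: these suffixes are treated as first-party and never flagged.
FIRST_PARTY_SUFFIXES = ("lastpass.com", "lastpass.eu")
# Assumption: digit/symbol look-alikes commonly used in typo-squatted names.
SUBSTITUTIONS = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "$": "s"}
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as help-lastpass[.]com into a real domain."""
    d = indicator.strip().lower()
    for token in ("[.]", "(.)", "{.}"):
        d = d.replace(token, ".")
    return d.rstrip(".")


# The one domain named in the article, stored refanged for exact matching.
KNOWN_IOCS = {refang("help-lastpass[.]com")}


def is_first_party(domain: str) -> bool:
    """True for the apex or any subdomain of an allowed first-party suffix."""
    d = refang(domain)
    return any(d == s or d.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)


def normalize(domain: str) -> str:
    """Map look-alike characters to letters and drop separators,
    so 'lastpas5.com' and 'last-pass.net' both collapse onto the brand."""
    d = refang(domain).translate(SUBSTITUTIONS)
    return re.sub(r"[-_.]", "", d)


def classify(domain: str):
    """Return 'known-ioc', 'lookalike', or None for a queried domain."""
    d = refang(domain)
    if is_first_party(d):
        return None
    if d in KNOWN_IOCS:
        return "known-ioc"
    if BRAND in normalize(d):
        return "lookalike"
    return None


def scan_log(text: str):
    """Scan whitespace-separated '<timestamp> <client_ip> <qname>' lines."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed or blank lines
        ts, client, qname = parts
        reason = classify(qname)
        if reason:
            hits.append(Hit(ts, client, refang(qname), reason))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2024-04-18T10:01:02Z 10.0.0.5 lastpass.com
2024-04-18T10:01:05Z 10.0.0.5 accounts.lastpass.com
2024-04-18T10:02:10Z 10.0.0.7 help-lastpass.com
2024-04-18T10:03:44Z 10.0.0.9 lastpass-support.net
2024-04-18T10:04:01Z 10.0.0.9 lastpas5.com
2024-04-18T10:05:30Z 10.0.0.3 example.org
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client} {hit.domain} -> {hit.reason}")
```

    Substring matching on the brand is deliberately broad: it catches help-lastpass.com and lastpas5.com but will also fire on unrelated names that happen to contain the string, so hits belong in a triage queue rather than an automatic block list, and any legitimate third-party domain that carries the brand should be added to the allowed suffixes. Note also that the check depends on the first-party list being correct; an attacker who controls a subdomain of an allowed suffix would not be flagged.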

    This is not the first time LastPass has been targeted by fraudsters. Recently, one of its employees received calls, texts, and voicemails on WhatsApp featuring an audio deepfake of LastPass CEO Karim Toubba, sent by a threat actor impersonating him.

    LastPass users should treat any unsolicited call, text, or email claiming to come from LastPass with suspicion. A toll-free caller ID proves nothing, since caller ID is trivially spoofed, and a master password should never be entered on a page reached through a link in such a message. Verify through official channels, such as the LastPass website or app opened directly, rather than through numbers or links the message supplies. Cybersecurity experts also recommend enabling two-factor authentication and staying vigilant against phishing attempts.
