Cybercriminals pose as LastPass staff to hack password vaults

LastPass is warning of a malicious campaign targeting its users with the CryptoChameleon phishing kit that is associated with cryptocurrency theft.

CryptoChameleon is an advanced phishing kit that was spotted earlier this year, targeting Federal Communications Commission (FCC) employees using custom-crafted Okta single sign-on (SSO) pages.

According to researchers at mobile security company Lookout, campaigns using this phishing kit also targeted cryptocurrency platforms Binance, Coinbase, Kraken, and Gemini, using pages that impersonated Okta, Gmail, iCloud, Outlook, Twitter, Yahoo, and AOL.

During its investigations, LastPass discovered that its service was recently added to the CryptoChameleon kit, and a phishing site was hosted at at the "help-lastpass[.]com" domain.

The attacker combines multiple social engineering techniques that involve contacting the potential victim (voice phishing) and pretending to be a LastPass employee trying to help with securing the account following unauthorized access.

Below are the tactics LastPass observed in this campaign:

Victims receive a call from an 888 number claiming unauthorized access to their LastPass account and are prompted to allow or block the access by pressing "1" or "2". If they choose to block the access, they're told they will get a follow-up call to resolve the issue. A second call comes from a spoofed number, where the caller, posing as a LastPass employee, sends a phishing email from "support@lastpass" with a link to the fake LastPass site. Entering the master password on this site allows the attacker to change account settings and lock out the legitimate user.

The malicious website is now offline but it is very likely that other campaigns will follow and threat actors will rely on new domains.

Users of the popular password management service are recommended to beware of suspicious phone calls, messages, or emails claiming to come from LastPass and urging immediate action.

Some indicators of suspicious communication from this campaign include emails with the subject "We're here for you" and the use of a shortened URL service for links in the message. Users should report these attempts to LastPass at abuse@lastpass.com.

Regardless of the sevice, the master password should not be shared with anyone since it is the key to all your sensitive information.