Cybercriminals targeting LastPass users


Users of the password manager are being targeted by a phishing campaign instructing them to reset their accounts on fraudulent sites.

In a blog post, LastPass has informed its clients about the company’s branding being used by fraudsters associated with crypto thefts.

The current phishing campaign affecting LastPass users is linked to the CryptoChameleon phishing kit, which cybersecurity firm Lookout previously flagged for its ‘novel tactics’ in targeting various cryptocurrency platforms as well as the Federal Communications Commission.

A phishing kit is an illicit service that provides phishing software, which enables malicious actors to swiftly generate counterfeit login pages resembling legitimate ones, complete with fake branding elements like graphics and logos.

These mimic genuine sites or companies in order to deceive victims into surrendering their credentials. Victims are directed to fake websites via phishing emails, SMS messages, or even direct phone calls.

LastPass says that it discovered a newly purchased domain, help-lastpass[.]com, which raised suspicion that it would be used by fraudsters.

“Once we identified that this site went active and was being used in a phishing campaign against our customers, we worked with our vendor to take down the site,” explains the company.

According to the company’s investigation, the scammers first call LastPass customers from an ‘888’ number, claim the customer’s LastPass account has been accessed from a new device, and instruct them to press “1” to allow the access or “2” to block it.

If the recipient presses “2”, they are told they will receive a call shortly from a customer representative to “close the ticket.”

The second call a user receives is from someone pretending to be a LastPass employee, typically with an American accent, who sends an email to reset access to the user’s account.

The shortened URL in the email sends the user to the “help-lastpass[.]com” site, which is designed to steal the user’s credentials. If the user enters their master password on the phishing site, the malicious actor tries to access the LastPass account and modify its settings, effectively barring the genuine user and seizing control of the account.
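The lookalike domain in this campaign works because it carries the brand name without belonging to the brand's registrable domain. The following check, added here as an example and not code from LastPass or from the article, flags such hostnames in a message body; it assumes lastpass.com is the only genuine registrable domain and that shortened links have already been expanded to their final hostname (which the example does not do).

```python
import re
from urllib.parse import urlparse

# Assumption for this example: only lastpass.com is treated as genuine.
LEGIT_DOMAINS = {"lastpass.com"}
BRAND = "lastpass"

def refang(text: str) -> str:
    """Turn defanged indicators such as help-lastpass[.]com back into real form."""
    return (text.replace("[.]", ".")
                .replace("hxxps://", "https://")
                .replace("hxxp://", "http://"))

def hostname_of(url_or_host: str) -> str:
    """Extract the lowercase hostname from a URL or bare hostname."""
    s = refang(url_or_host.strip())
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower().rstrip(".")

def is_legit(host: str) -> bool:
    """True only for the legitimate domain itself or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def classify(url_or_host: str) -> str:
    """Classify a link as legitimate, brand-lookalike, unrelated or invalid."""
    host = hostname_of(url_or_host)
    if not host:
        return "invalid"
    if is_legit(host):
        return "legitimate"
    # Strip separators so 'last-pass' or 'last_pass' still matches the brand.
    if BRAND in host.replace("-", "").replace("_", ""):
        return "brand-lookalike"
    return "unrelated"

def suspicious_links(body: str) -> list:
    """Return (url, hostname) pairs for every brand-lookalike link in a body."""
    urls = re.findall(r"https?://[^\s<>\"']+", refang(body))
    return [(u, hostname_of(u)) for u in urls if classify(u) == "brand-lookalike"]

# Constructed sample email body, not the real phishing message from the campaign.
SAMPLE_BODY = ("Reset your access here: https://help-lastpass[.]com/reset "
               "or read the FAQ at https://support.lastpass.com/faq")

if __name__ == "__main__":
    for url, host in suspicious_links(SAMPLE_BODY):
        print(f"SUSPICIOUS {host} <- {url}")
```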

[Image: Phishing email impersonating LastPass | Source: LastPass]

The company has taken down the initial phishing site. However, the phishing kit itself continues to offer LastPass branding. LastPass users are advised to stay cautious.

It’s not the first time fraudsters have targeted the password manager giant. Last week, the company was targeted by a deepfake call impersonating the company’s CEO. One of the company’s employees received a series of calls, texts, and at least one voicemail featuring an audio deepfake from a threat actor impersonating the company’s CEO, Karim Toubba, on WhatsApp.