
Got a Phone Call From LastPass? Hang Up, It's a Phishing Scam

The scheme combines a fake email and a human caller pretending to be a LastPass employee.

By Michael Kan, Principal Reporter


(Photo Illustration by Rafael Henrique/SOPA Images/LightRocket via Getty Images)

UPDATE 4/19: LastPass says the attackers are continuing to try to phish users of the password manager.

In an email, the company told PCMag: "the bad actors behind the Crypto Chameleon phishing are continuing their campaign under a new IP address. We are taking steps to inform our customers on social media, added banners to the top of all our webpages and we are working on in-product messaging/alerts to flag the advanced phishing scam to our customers."

The company adds:

  • "Ignore any unsolicited or unprompted incoming phone calls (automated or with a live individual) or texts claiming to be from LastPass related to a recent attempt to change your password and/or account information. These are part of an ongoing phishing campaign." 
  • "If you do see this activity and are concerned you may have been compromised, please contact us at abuse@lastpass.com" 
  • "As always, we will NEVER ask you for your password." 

Original story:

LastPass users need to be on guard for phone calls claiming to be from the company, because such calls are likely part of a sophisticated phishing campaign targeting users of the popular password manager.

The scheme, which LastPass detailed in a blog post, involves scammers calling up potential victims pretending to be LastPass employees. 

The user will receive a phone call from "an 888 number claiming their LastPass account has been accessed from a new device and instructing them to press '1' to allow the access or '2' to block it," the company says. 

Pressing '2', however, triggers a message saying that a LastPass customer representative will call back shortly. In reality, that "LastPass customer rep" is a scammer.

The bogus rep, who reportedly speaks with an American accent, will send an email to the user that's designed to steal their login credentials. The email is dressed up to look like an official LastPass message about securing an account and comes from an official-looking domain at "help-lastpass[.]com." But the email and domain have no connection to the real LastPass.

(Credit: LastPass)

Users who fall for the message will be told to click a link, which redirects them to a fake login page designed to steal their LastPass master password. 

"If the recipient inputs their master password into the phishing site, the threat actor attempts to log in to the LastPass account and change settings within the account to lock out the authentic user and take control of the account," the company added. "These changes may include changing the primary phone number and email address as well as the master password itself."  

It's unclear how the scammers know the LastPass users' phone numbers or how many people they targeted. But the company said: "We can only assume the bad actors are obtaining the phone numbers of prospective targets from the plethora of data breaches that occur regularly. More times than not, the information obtained from data breaches is sold on the dark web."  

LastPass already worked with partners to shut down the help-lastpass[.]com domain. "However, as the initial phishing kit itself continues to offer LastPass branding, we are sharing this information so that our customers can be aware of these tactics and take the appropriate response should they receive a suspicious call, text, or email," it added. 
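The lure in this campaign hinges on a sender domain and link host that merely contain the brand name (help-lastpass[.]com) rather than belonging to the real lastpass.com. The following is an added example, not code from PCMag or LastPass, of a simple mail-filter check that flags such brand-lookalike hosts in the sender address and in any linked URLs; the allowlist of legitimate domains and the sample messages are constructed assumptions.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed allowlist for this example: only lastpass.com and its subdomains count as legitimate.
LEGIT_DOMAINS = {"lastpass.com"}
BRAND = "lastpass"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def sender_host(sender: str) -> str:
    """Extract the lowercase domain from a From: value like 'Name <user@host>'."""
    return parseaddr(sender)[1].rsplit("@", 1)[-1].lower()


def is_legit(host: str) -> bool:
    """True only for an allowlisted domain or one of its subdomains (support.lastpass.com)."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def is_lookalike(host: str) -> bool:
    """Brand name present in a host that is NOT legitimate, e.g. help-lastpass.com
    or lastpass.com.evil.example (brand used as a subdomain of an unrelated domain)."""
    return BRAND in host and not is_legit(host)


def classify_message(sender: str, body: str) -> dict:
    """Flag a message whose sender domain or any linked host abuses the brand name.
    Note: the sender check only adds value alongside SPF/DKIM/DMARC results,
    since a From: header can be spoofed outright."""
    link_hosts = {(urlsplit(u).hostname or "").lower() for u in URL_RE.findall(body)}
    return {
        "sender_lookalike": is_lookalike(sender_host(sender)),
        "lookalike_links": sorted(h for h in link_hosts if is_lookalike(h)),
    }


# Constructed sample messages (not real mail), modelled on the campaign described above.
SAMPLES = {
    "phish": ("LastPass Support <support@help-lastpass.com>",
              "Secure your account now: https://help-lastpass.com/login?u=1"),
    "legit": ("LastPass <noreply@lastpass.com>",
              "Manage settings at https://support.lastpass.com/ anytime."),
}

if __name__ == "__main__":
    for name, (sender, body) in SAMPLES.items():
        print(name, classify_message(sender, body))
```

This catches only hosts that embed the brand string; domains with no brand text or homoglyph substitutions need separate controls such as URL reputation and DMARC enforcement.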

Compounding the problem, LastPass itself suffered a breach over a year ago that allowed a hacker to steal users' encrypted password vaults. Customers who encounter the phishing attack may therefore be easily fooled into thinking their account is under threat. 

To avoid getting phished, LastPass urges users to hang up if they receive a phone call purporting to be from the company and to be wary of suspicious emails that use LastPass branding. "Please remember that no one at LastPass will ever ask for your master password," LastPass says. 

The company adds that the scammers appear to be using the "CryptoChameleon phishing kit," which can generate lookalike login pages for major internet services. 

LastPass learned of the phishing attacks from mobile security provider Lookout. In late February, Lookout published its own investigation, which showed CryptoChameleon creating fake login pages for a wide range of services, including LastPass, Okta, Gmail, Yahoo, and Twitter, along with cryptocurrency exchanges such as Coinbase and Binance, and even the FCC. 

Lookout's investigation also found that CryptoChameleon usually targeted people on their mobile devices, with the vast majority of victims based in the US. 
