
Password manager LastPass has issued an urgent warning to its users about a sophisticated phishing campaign designed to steal master passwords and gain unauthorised access to accounts.

What is Phishing?

Phishing is a form of cyber attack where criminals use social engineering tactics to trick people into revealing sensitive information like passwords and credit card numbers. Attackers often impersonate legitimate businesses or services via email, phone calls, SMS, or fake websites.

Understanding the LastPass Phishing Campaign

  • The Tactics: The current LastPass campaign is a multi-stage attack that combines voice phishing with email. Victims first receive an automated call from an “888” number claiming unusual activity on their LastPass account and instructing them to press a number to confirm or deny the access attempt. If the victim presses “2” to deny access, they are told a “representative” will call back. That second call comes from a spoofed number; the attacker, speaking with an American accent, impersonates a LastPass employee. The attacker then sends a phishing email, framed as help with resetting account access, that links to the fake “help-lastpass[.]com” site.
  • The Goal: The ultimate aim is to capture the user’s LastPass master password. Because the master password is what decrypts the vault, an attacker who has it can log into the victim’s account, read every stored credential, change recovery settings such as phone number and email address, and lock the legitimate user out.
  • Link to CryptoChameleon Kit: The campaign has been linked to the CryptoChameleon phishing kit, a toolkit attackers use to build fake login pages that mimic legitimate services. CryptoChameleon has previously been used in campaigns against cryptocurrency platforms and government agencies.

How to Protect Yourself

  • Be suspicious of unsolicited contact: Do not respond to emails, texts, or calls claiming to be from LastPass unless you initiated the contact. LastPass does not hold your master password and will never ask you for it; no legitimate business needs it.
  • Check URLs carefully: Look at the actual domain the link points to, not just whether “lastpass” appears somewhere in it. Scammers use slight variations on legitimate addresses (e.g., help-lastpass[.]com instead of lastpass.com), and a brand name in a subdomain or path does not make a site genuine.
  • Never click links in suspicious emails: If in doubt, type the LastPass URL (https://lastpass.com) directly into your browser. Treat phone calls the same way: hang up and call back on a number taken from the official site, not one the caller gives you.
  • Use Multi-Factor Authentication (MFA): MFA adds a second check beyond your password. Enable it on your LastPass account and other important accounts. Be aware that a phishing page which relays your login in real time can also capture a one-time code you type into it, so a hardware security key (where your plan supports it) is stronger than an SMS or app code, and you should never enter a code on a page you reached from an unsolicited message.
  • Report suspicious activity: If you receive any communication claiming to be from LastPass that you did not initiate, report it to the LastPass abuse team at [email protected]
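The “check the domain, not the brand name” advice above is easy to get wrong by eye, so here is a small checker, added as an example (it is not LastPass’s code or part of the original article). It pulls every http(s) link out of an email body and classifies each one by the host a browser would actually connect to. The allow-list (`LEGIT_DOMAINS`) and the sample email are assumptions constructed for the illustration; the fake domain is the help-lastpass[.]com one named in the article.

```python
"""Classify links in a suspected "LastPass" email as the genuine domain,
a brand lookalike, or something else.

Added example, not LastPass's own code. LEGIT_DOMAINS and SAMPLE_EMAIL
are assumptions constructed for this illustration.
"""
import re
from urllib.parse import urlsplit

# Assumption: the domain(s) LastPass legitimately uses. Extend as needed.
LEGIT_DOMAINS = {"lastpass.com"}
BRAND = "lastpass"

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_of(url: str) -> str:
    """Hostname a browser would actually connect to, lowercased.

    Uses the real URL parser rather than a substring search, so
    'https://lastpass.com@evil.example' resolves to evil.example
    (everything before '@' is userinfo, not the host).
    """
    url = url.strip().rstrip(".,;)")
    if "://" not in url:          # bare 'lastpass.com/reset' style links
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_legit(host: str) -> bool:
    """True only for an allow-listed domain or a subdomain of one.

    The '.' boundary matters: 'help-lastpass.com' and
    'lastpass.com.evil.example' both contain 'lastpass.com' as a
    substring, yet neither is lastpass.com.
    """
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def classify(url: str) -> tuple:
    """Return (verdict, host) where verdict is 'legit', 'lookalike' or 'other'."""
    host = host_of(url)
    if not host:
        return ("other", host)
    if is_legit(host):
        return ("legit", host)
    # Brand string inside a host that is NOT allow-listed is the classic
    # lookalike; hyphens are stripped so 'last-pass.example' is caught too.
    if BRAND in host.replace("-", ""):
        return ("lookalike", host)
    return ("other", host)


def audit(text: str) -> list:
    """Extract every http(s) link from an email body and classify it."""
    return [(u, *classify(u)) for u in URL_RE.findall(text)]


# Constructed sample email, modelled on the campaign described above.
SAMPLE_EMAIL = """\
Hello, this is LastPass support following up on your call.
To restore access please visit https://help-lastpass.com/reset now.
The genuine site remains https://lastpass.com/ (also https://support.lastpass.com/).
Ignore https://lastpass.com.evil.example/ and https://lastpass.com@evil.example/login.
"""

if __name__ == "__main__":
    for url, verdict, host in audit(SAMPLE_EMAIL):
        print(f"{verdict:9} {host:28} {url}")
```

The deliberate design choice is to classify on the parsed hostname and compare on a `.` boundary. A naive `"lastpass.com" in url` test would accept `help-lastpass.com`, `lastpass.com.evil.example` and the `user@host` trick, which is exactly how these lookalikes pass a casual glance.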

Phishing attacks are becoming increasingly sophisticated and can target anyone. Staying vigilant, following good online safety practices, and using controls such as MFA significantly reduce the risk of falling victim to these scams. LastPass users in particular should treat any unexpected call or email about their account with suspicion while this campaign is active.

Further information available at: