Massive Brute Force Attack Targeting Networking Devices
A large-scale brute force attack is underway, using nearly 2.8 million IP addresses daily to target networking devices from Palo Alto Networks, Ivanti, and SonicWall….
LastPass Users Targeted in Sophisticated Phishing Campaign
Password manager LastPass has issued an urgent warning to its users about a sophisticated phishing campaign designed to steal master passwords and gain unauthorised access to accounts.
What is Phishing?
Phishing is a form of cyber attack where criminals use social engineering tactics to trick people into revealing sensitive information like passwords and credit card numbers. Attackers often impersonate legitimate businesses or services via email, phone calls, SMS, or fake websites.
Understanding the LastPass Phishing Campaign
- The Tactics: The current LastPass campaign uses a multi-pronged attack. Victims typically receive an initial phone call from an “888” number claiming unusual activity on their LastPass account and instructing them to press a number to confirm or deny the access attempt. If the victim presses “2” to deny access, they are promised a call from a “representative”. This second call comes from a spoofed number where the attacker, using an American accent, impersonates a LastPass employee. They will often send a phishing email under the guise of helping the user reset their account access, which directs to the fake “help-lastpass[.]com” website.
- The Goal: The ultimate aim of the attackers is to obtain the user’s LastPass master password. Once they have this, they can log into the victim’s account, change vital settings such as phone numbers and email addresses, and lock the legitimate user out.
- Link to CryptoChameleon Kit: This phishing campaign has been linked to the CryptoChameleon phishing kit, a tool attackers use to build fake websites that mimic legitimate services. CryptoChameleon has previously been used in campaigns against cryptocurrency platforms and government agencies.
How to Protect Yourself
- Be suspicious of unsolicited contact: Never respond to emails, texts, or calls claiming to be from LastPass unless you initiated the contact. Legitimate businesses will not ask for your master password.
- Check URLs carefully: Look closely at website addresses. Scammers often use slight variations on legitimate URLs (e.g., help-lastpass[.]com instead of the real LastPass site).
- Never click links in suspicious emails: If you have any doubts, type the LastPass URL (https://lastpass.com) directly into your browser.
- Use Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring an additional code or confirmation beyond your password. Enable this on your LastPass account and other important accounts.
- Report suspicious activity: If you receive any suspicious communication claiming to be from LastPass, report it to their abuse team at [email protected]
Phishing attacks are becoming increasingly sophisticated and can target anyone. Staying vigilant, adopting good online safety practices, and using tools like MFA can significantly reduce your risk of falling victim to these scams. LastPass users should be rightly cautious right now.
Further information available at:
Related articles
Oasis Ticket Sales Scams: How to Stay Safe
During our weekly meetings with the banking industry and Police Scotland, we continue to see a significant increase in ticket scams over the last three…
Alert: Unpatched Microsoft Office Vulnerability Exposes NTLM Hashes
Microsoft has recently disclosed a significant security vulnerability affecting multiple versions of its Office suite, including Office 2016, Office 2019, Office LTSC 2021 and Microsoft…