- LastPass users have been struck by a major phishing scam. Many of them received fake phone calls from hackers pretending to be LastPass employees
- These callers then sent them a phishing email that led the users to a fake LastPass website where their master password was stolen.
- LastPass has already taken down the fake website and is working on disrupting this entire operation from the root.
LastPass – a popular password manager has been hit by a major phishing scam where hackers have been tricking users into sharing their passwords by impersonating LastPass employees.
The new phishing campaign was first identified by cybersecurity firm Lookout which found that hackers were using the CryptoChameleon phishing kit in their latest attack.
This phishing kit is quite popular amongst cyber criminals and has already been used in a few crypto attacks. A joint international cooperation had recently nabbed LabHost – a platform that sold similar kits to cyber criminals.
One of its main services is to help hackers create a fake website that looks just like the legitimate one so that users are tricked into entering their login credentials. This is exactly what happened in this case.
As LastPass shared in its official blog, they found a parked domain (help-lastpass[.]com) and immediately started monitoring it in case the site went live. As it happened, the site did go live and started attacking LastPass users.
The company then immediately worked with its vendors and took it down.
How It Affected the Users?
Most of the customers who were affected by this attack were hit by a scam call. This is how it went:
- They got a call from an “888” number that informed them that their LastPass account had been accessed from a different device. So they could press “1” to allow access or “2” to block it.
- In case someone chose “2”, which was usually the case, they would receive a call from someone (typically with an American accent) posing as a customer representative in order to proceed.
- The second caller then sends them an email saying they can reset their account access using it. This email directed them to the “help-lastpass[.]com” fake site where the victim was tricked into sharing their master password.
- Once that password is shared, the hacker changes all the settings, takes control of the attack, and locks out the original account owner.
What Is Being Done to Handle the Issue?
As mentioned, LastPass has already taken down the website. However, since the initial phishing kit still retains the LastPass branding, the password manager has asked to report all calls, emails, and texts that come in its name to [email protected].
It also clarified that no employee from LastPass ever asks for your master password. So if you get a call from someone asking for it, immediately report it to the above-mentioned email address.
As an extra measure, always be cautious of every shady email or call you receive. Don’t click on unknown links, don’t download files from unknown users, and do not share confidential details with random callers. Turning on two-factor authentication will also help.
Apart from that, LastPass has pledged to continue working until it can restore a safe environment for its users.
Second Attack This Month
In a separate attack earlier this month, an employee from LastPass received a series of texts, calls, and a voicemail featuring a deepfake of LastPass CEO’s voice.
Posing as CEO Karim Toubba, the hackers tried to reach the employee on WhatsApp. However, it’s not the usual communication channel for the company. Plus, there were a few other signs, such as fake urgency, that made the employee suspicious.
So the employee ignored those texts and reported the incident to the company’s internal security team who took care of the issue.
Following this, LastPass shared the details of this incident, along with some other examples to raise awareness about the use of deepfake in scams.
Even in December 2022, an unauthorized party gained access to a third-party cloud storage service and obtained customer information from LastPass.
