Hackers imitate LastPass staff to access passwords

LastPass has issued a warning to its customers about a phishing campaign in which cybercriminals disguise themselves as LastPass staff to access customers’ password vaults.

For context, LastPass is the world’s most widely used password manager, allowing users to store their passwords in a secure “vault” and use one master password to access everything. This allows them to use more advanced passwords or passphrases without the risk of forgetting them, while also making it easier to log in.

The company announced that it had detected that threat actors were using the CryptoChameleon phishing kit to gain access to LastPass customers’ vaults.

The CryptoChameleon kit works by allowing threat actors to create fake single sign-on pages that mimic legitimate sites. Users who log in through these fake pages hand their credentials to the threat actors.

Data protection specialists Lookout notified LastPass that the company had been added as a target in the CryptoChameleon phishing kit and that threat actors had been observed using it to trick victims into handing over their data.

According to LastPass, these phishing attacks are carried out in several ways.

“Victims are directed to fake websites via phishing emails, SMS messages, or even direct phone calls (vishing),” LastPass said on its blog.

The tactics observed by LastPass generally involve:

  • Customers receive a call from an 888 number informing them that their LastPass account has been accessed from a new device and that they must press “1” to allow or “2” to block the access.
  • Those who press “2” are told they will receive a call from a LastPass representative to “close the ticket.”
  • The scammers then call the victim, usually with an American accent, claiming to be a LastPass employee and saying they will send an email to restore access to the account. This email contains a link with a shortened URL that leads to a phishing site imitating LastPass.
  • If the victim then enters their LastPass master password to reset access, the threat actor steals the credentials and locks them out of their LastPass account by changing details such as the master password, email address, and primary phone number.

“We have worked with our vendor partners to remove the phishing site and are informing our customers so they can be on the lookout for future iterations of this campaign that may use the same tactics,” LastPass said.