LastPass users need to be on guard for phone calls claiming to be from the company, as they’re likely sophisticated phishing attacks targeting users of the popular password manager.

The scheme, which LastPass detailed in a blog post, involves scammers calling up potential victims pretending to be LastPass employees.
The user will receive a phone call from “an 888 number claiming their LastPass account has been accessed from a new device and instructing them to press ‘1’ to allow the access or ‘2’ to block it,” the company says. Pressing ‘2’, however, triggers a message that says a LastPass customer representative will call back shortly. In reality, that “LastPass customer rep” is a scammer.

The bogus rep, who reportedly speaks with an American accent, will send an email to the user that’s designed to steal their login credentials. The email is dressed up to look like an official LastPass message about securing an account and comes from an official-looking domain at “help-lastpass[.]com.” But the email and domain have no connection to the real LastPass.
(Credit: LastPass)
Users who fall for the message will be told to click a link, redirecting them to a fake login page designed to steal their master password for LastPass. “If the recipient inputs their master password into the phishing site, the threat actor attempts to log in to the LastPass account and change settings within the account to lock out the authentic user and take control of the account,” the company added. “These changes may include changing the primary phone number and email address as well as the master password itself.”

It’s unclear how the scammers know the LastPass users’ phone numbers or how many people they targeted. But the company said: “We can only assume the bad actors are obtaining the phone numbers of prospective targets from the plethora of data breaches that occur regularly. More times than not, the information obtained from data breaches is sold on the dark web.”

LastPass already worked with partners to shut down the help-lastpass[.]com domain. “However, as the initial phishing kit itself continues to offer LastPass branding, we are sharing this information so that our customers can be aware of these tactics and take the appropriate response should they receive a suspicious call, text, or email,” it added.

The other problem is that over a year ago, LastPass itself suffered a breach, which allowed a hacker to steal encrypted password vaults from users. So customers who encounter this phishing attack may be easily fooled into thinking their account is genuinely under threat.
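The lure described above rests on a lookalike domain: help-lastpass[.]com carries the brand name but is not the vendor’s domain. As an added defensive illustration (this is not code from LastPass, Lookout, or the article), the Python routine below triages an email by refanging any `[.]` notation, pulling the sender’s domain from the From header and the hosts of links in the body, and flagging any host that contains the brand name but whose registrable domain is not on an allowlist. The allowlist entry lastpass.com is assumed to be the vendor’s real domain, the registrable-domain helper is a deliberate simplification (last two labels; production code should consult the Public Suffix List), and the sample message is constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

BRAND = "lastpass"
# Assumed allowlist: the vendor's real registrable domain.
LEGITIMATE_DOMAINS = {"lastpass.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def refang(text: str) -> str:
    """Turn defanged indicators (help-lastpass[.]com, hxxps://) back into parseable form."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Simplified registrable domain: the last two labels.
    Real deployments should use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_host(host: str) -> str:
    """'legitimate' if the host sits under an allowlisted domain, 'lookalike' if it
    merely contains the brand name (hyphens/underscores ignored), else 'unrelated'."""
    host = host.lower()
    if registrable_domain(host) in LEGITIMATE_DOMAINS:
        return "legitimate"
    if BRAND in host.replace("-", "").replace("_", ""):
        return "lookalike"
    return "unrelated"


def triage_email(raw: str) -> dict:
    """Classify the From domain and every link host in a raw RFC 822 message."""
    msg = message_from_string(refang(raw))
    _, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = {
        "sender": (sender_host, classify_host(sender_host)),
        "links": [],
    }
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        findings["links"].append((host, classify_host(host)))
    verdicts = [findings["sender"][1]] + [c for _, c in findings["links"]]
    findings["suspicious"] = "lookalike" in verdicts
    return findings


# Constructed sample modelled on the campaign described in the article.
SAMPLE_EMAIL = """From: LastPass Support <support@help-lastpass[.]com>
To: user@example.com
Subject: Secure your account

We noticed a login from a new device. Confirm it here:
https://help-lastpass[.]com/login
"""

if __name__ == "__main__":
    result = triage_email(SAMPLE_EMAIL)
    print("sender:", result["sender"])
    for host, verdict in result["links"]:
        print("link host:", host, "->", verdict)
    print("suspicious:", result["suspicious"])
```

Run as-is, the sample is flagged because both the sender domain and the link host are lookalikes; a message from a host such as support.lastpass.com would classify as legitimate, while a host like lastpass.com.example.net is still caught as a lookalike because its registrable domain is not allowlisted.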
To avoid getting phished, LastPass urges users to hang up if they receive a phone call claiming to be from the company and to be careful around suspicious emails that use LastPass branding. “Please remember that no one at LastPass will ever ask for your master password,” LastPass says.

The company adds that the scammers appear to be using the “CryptoChameleon phishing kit,” which can generate lookalike login pages for major internet services. LastPass learned of the phishing attacks from mobile security provider Lookout. In late February, Lookout published its own investigation, which showed CryptoChameleon creating fake login pages for a wide range of services, including LastPass, Okta, Gmail, Yahoo, and Twitter, along with cryptocurrency exchanges such as Coinbase and Binance, and even the FCC. The company’s investigation also found that CryptoChameleon usually targeted people on their mobile devices, with the vast majority of the victims based in the US.