LastPass users tricked by hackers posing as staff to steal passwords

[Image: passwords. Image credit: Shutterstock]

LastPass users are being targeted with a sophisticated phishing campaign that sees hackers looking to steal master passwords, which would grant the attackers access to all other passwords stored in the LastPass vaults.

The password management company has said it investigated reports of a new phishing campaign and discovered that the campaign had been added to the CryptoChameleon phishing kit.

A phishing kit is a set of tools that helps cybercriminals create a phishing campaign: it usually includes a landing page builder, an email crafting tool, means of email distribution, tracking, and more. 

URL shorteners and other red flags

In this particular campaign, LastPass users would first receive an automated phone call, stating that there was an unrecognized login to the user’s account, and asking them to either allow or block the access. 

If the user decides to block the access, they would get a follow-up call from someone impersonating a LastPass employee. This person would then send a phishing email, with a link to the fake LastPass site. There, the victim would enter their master password, which would be relayed to the attackers. Moments later, the victims would get locked out of their accounts, losing access to all other passwords.

LastPass users are advised to be wary of phone calls, messages, or emails claiming to come from LastPass, especially if they carry a sense of urgency and require the user to do something immediately. Those are, almost always, malicious. 

Some of the phishing emails that were making the rounds had “We’re here for you” in their subject lines, and used a URL shortening service for links in the message to conceal the actual address the victims were being redirected to. Such emails should be reported to abuse@lastpass.com, the company said.

As a general rule of thumb, the master password should not be shared with anyone, including LastPass employees.
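The red flags listed above (a known lure subject line, shortened links that hide their destination, links that do not belong to the vendor's real domain, urgency language, and any request for the master password) can be turned into a simple triage check for a mail filter or a help-desk analyst. The script below is an added example written for this article, not LastPass's own tooling; the shortener list, urgency phrases, lookalike domain and sample emails are constructed for illustration, and only lastpass.com is taken as the vendor's legitimate domain.

```python
"""Score an email against the phishing red flags described in the article.

Added example; the indicator lists and sample messages are constructed.
"""
import re
from urllib.parse import urlparse

# Common public URL shorteners (constructed list; extend for your environment).
SHORTENER_HOSTS = {
    "bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly",
    "is.gd", "buff.ly", "rb.gy", "cutt.ly",
}
# The vendor's genuine domain; subdomains of it are treated as legitimate too.
LEGIT_DOMAINS = {"lastpass.com"}
# Pressure phrases typical of the lures (constructed).
URGENCY_PHRASES = (
    "immediately", "right away", "within 24 hours",
    "your account will be locked", "act now",
)
# Subject phrasing reported for this campaign.
SUSPECT_SUBJECT_PHRASES = ("we're here for you",)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _normalise(text):
    """Lower-case and fold curly apostrophes so phrase matching is stable."""
    return text.lower().replace("\u2019", "'")


def host_of(url):
    """Return the lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_legit_host(host):
    """True if host is the vendor domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def analyse_email(subject, body, claimed_sender="LastPass"):
    """Return a list of human-readable findings for one message."""
    findings = []
    subj = _normalise(subject)
    if any(p in subj for p in SUSPECT_SUBJECT_PHRASES):
        findings.append("subject matches known lure phrasing")

    for url in URL_RE.findall(body):
        host = host_of(url)
        if host in SHORTENER_HOSTS:
            findings.append(f"shortened link hides its destination: {url}")
        elif not is_legit_host(host):
            findings.append(f"link host does not belong to {claimed_sender}: {host}")

    text = _normalise(body)
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            findings.append(f"urgency pressure: '{phrase}'")
    if "master password" in text:
        findings.append("asks for the master password, which the vendor never requests")
    return findings


def risk_level(findings):
    """Collapse findings into a coarse triage label."""
    if not findings:
        return "low"
    return "high" if len(findings) >= 2 else "medium"


# Constructed sample messages (not real campaign emails).
LURE = (
    "We\u2019re here for you",
    "We detected an unrecognised login on your account. To keep your vault safe, "
    "confirm your master password immediately at https://bit.ly/example-lure "
    "(constructed link).",
)
LOOKALIKE = (
    "Account notice",
    "Please review recent activity at https://lastpass-login.example/verify",
)
BENIGN = (
    "Your monthly security newsletter",
    "This month's tips are at https://blog.lastpass.com/posts/2fa-basics. Thanks for reading.",
)

if __name__ == "__main__":
    for name, (subject, body) in (("lure", LURE), ("lookalike", LOOKALIKE), ("benign", BENIGN)):
        found = analyse_email(subject, body)
        print(f"{name}: {risk_level(found)} -> {found}")
```

The check deliberately does not follow shortened links: expanding them from an analyst workstation touches attacker infrastructure and can itself leak information, so a shortened link pointing at a password vault is treated as a finding in its own right and the message is routed to the abuse mailbox named above.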

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
