LastPass users tricked by hackers posing as staff to steal passwords
Some people are getting phone calls from fake LastPass employees
LastPass users are being targeted with a sophisticated phishing campaign that sees hackers looking to steal master passwords, which would grant the attackers access to all other passwords stored in the LastPass vaults.
The password management company has said it had investigated reports of a new phishing campaign and discovered that it was added to the CryptoChameleon phishing kit.
A phishing kit is a set of tools that helps cybercriminals create a phishing campaign: it usually includes a landing page builder, an email crafting tool, means of email distribution, tracking, and more.
URL shorteners and other red flags
In this particular campaign, LastPass users would first receive an automated phone call, stating that there was an unrecognized login to the user’s account, and asking them to either allow or block the access.
If the user decides to block the access, they would get a follow-up call from someone impersonating a LastPass employee. This person would then send a phishing email, with a link to the fake LastPass site. There, the victim would enter their master password, which would be relayed to the attackers. Moments later, the victims would get locked out of their accounts, losing access to all other passwords.
LastPass users are advised to be wary of phone calls, messages, or emails claiming to come from LastPass, especially if they carry a sense of urgency and require the user to do something immediately. Those are, almost always, malicious.
Some of the phishing emails that were making rounds had “We’re here for you” in their subject lines, and used a URL shortening service for links in the message, to conceal the actual address the victims were being redirected to. Such emails should be reported to abuse@lastpass.com, the company said.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
As a general rule of thumb, the master password should not be shared with anyone, including LastPass employees.
Via BleepingComputer
More from TechRadar Pro
- Watch out - there's a fake version of LastPass on the Apple App Store
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.