Original Article Text


Cybercriminals pose as LastPass staff to hack password vaults.

LastPass is warning of a malicious campaign targeting its users with the CryptoChameleon phishing kit, which is associated with cryptocurrency theft. CryptoChameleon is an advanced phishing kit that was spotted earlier this year targeting Federal Communications Commission (FCC) employees with custom-crafted Okta single sign-on (SSO) pages. According to researchers at mobile security company Lookout, campaigns using this phishing kit also targeted the cryptocurrency platforms Binance, Coinbase, Kraken, and Gemini, using pages that impersonated Okta, Gmail, iCloud, Outlook, Twitter, Yahoo, and AOL.

During its investigations, LastPass discovered that its service was recently added to the CryptoChameleon kit, and that a phishing site was hosted at the "help-lastpass[.]com" domain. The attacker combines multiple social engineering techniques: contacting the potential victim by phone (voice phishing) and pretending to be a LastPass employee helping to secure the account after unauthorized access. Below are the tactics LastPass observed in this campaign:

The malicious website is now offline, but it is very likely that other campaigns will follow and that threat actors will rely on new domains. Users of the popular password management service are advised to beware of suspicious phone calls, messages, or emails claiming to come from LastPass and urging immediate action. Some indicators of suspicious communication from this campaign include emails with the subject "We're here for you" and the use of a URL-shortening service for links in the message. Users should report these attempts to LastPass at abuse@lastpass.com. Regardless of the service, the master password should not be shared with anyone, since it is the key to all of your sensitive information.

Daily Brief Summary

CYBERCRIME // LastPass Users Targeted in Advanced Phishing Scam

LastPass has issued a warning about a sophisticated phishing campaign using the CryptoChameleon kit, associated with cryptocurrency theft.

CryptoChameleon, first identified while targeting FCC employees, has now expanded to include major cryptocurrency platforms and services like LastPass.

The phishing kit creates fake webpages mimicking trusted sites such as Okta, Gmail, and LastPass to deceive victims into providing sensitive information.

Recently, a phishing site under the domain "help-lastpass[.]com" was utilized to emulate LastPass customer support, combining voice phishing and email tactics.

Attackers contact victims claiming to be LastPass employees assisting with account security, often using the email subject "We're here for you" and shortened URLs to hide malicious links.

The specific phishing domain is now offline, but new similar attack vectors and domains are expected as the campaign evolves.

LastPass advises users never to share their master passwords and to report suspicious communications to their abuse team at abuse@lastpass.com.
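The indicators the article and the summary above name (the "We're here for you" subject line, links routed through a URL shortener, and a lookalike domain such as help-lastpass[.]com) can be turned into a simple mail-triage heuristic. The following is an added example written for this page, not code from LastPass or from the article; it assumes lastpass.com is the only legitimate brand domain (the article names abuse@lastpass.com), uses a constructed, non-exhaustive list of shortener hosts, and runs over three constructed sample messages.

```python
"""Triage heuristic for the LastPass-themed CryptoChameleon lure (added example)."""
import re
from urllib.parse import urlparse

# Assumption: lastpass.com (and its subdomains) is the only legitimate brand domain.
LEGIT_DOMAINS = {"lastpass.com"}
BRAND = "lastpass"
# Constructed, non-exhaustive list of URL-shortening hosts used for illustration.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd", "buff.ly"}
# Subject line the article reports for this campaign (compared case-insensitively).
SUSPICIOUS_SUBJECTS = {"we're here for you"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def defang(text):
    """Make a URL or host safe to paste into a ticket (hxxp, [.])."""
    return text.replace("http", "hxxp").replace(".", "[.]")


def host_of(url):
    """Lower-cased hostname of a URL with a leading 'www.' stripped."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_legit(host):
    """True if host is a legitimate brand domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def is_lookalike(host):
    """True if the brand name appears in a host that is not the legitimate domain,
    e.g. help-lastpass.com or lastpass.com.example.net."""
    return BRAND in host and not is_legit(host)


def triage(subject, body):
    """Return (score, reasons): one point per matched indicator."""
    reasons = []
    if subject.strip().lower() in SUSPICIOUS_SUBJECTS:
        reasons.append("subject matches campaign lure")
    for url in URL_RE.findall(body):
        host = host_of(url)
        if host in SHORTENERS:
            reasons.append("shortened link: " + defang(url))
        elif is_lookalike(host):
            reasons.append("lookalike domain: " + defang(host))
    return len(reasons), reasons


# Constructed sample messages; the links are placeholders, not real campaign URLs.
SAMPLE_MESSAGES = [
    {"subject": "We're here for you",
     "body": "We noticed unauthorized access. Secure your vault now: https://bit.ly/3xAMPLE"},
    {"subject": "Support follow-up",
     "body": "As discussed on the phone, reset here: https://help-lastpass.com/reset"},
    {"subject": "Your monthly LastPass newsletter",
     "body": "Read more at https://www.lastpass.com/blog"},
]


def run_samples():
    """Triage every sample message; returns a list of (score, reasons) tuples."""
    return [triage(m["subject"], m["body"]) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, (score, reasons) in zip(SAMPLE_MESSAGES, run_samples()):
        print(f"{score}  {msg['subject']!r}")
        for r in reasons:
            print("     -", r)
```

The score is deliberately additive rather than a verdict: a shortened link alone appears in plenty of legitimate mail, so the point of the heuristic is to surface messages that stack several of the reported indicators for a human to review, and to hand the analyst defanged URLs rather than clickable ones.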