Hackers imitate LastPass staff to access passwords

LastPass has issued a warning to its customers regarding a phishing campaign in which cyber criminals disguise themselves as LastPass staff to access customer password vaults.

For context, LastPass is the world’s most used password manager, allowing users to store their passwords in one secure “vault” and use a master password to access everything. This allows them to use more advanced passwords or passphrases without the risk of forgetting them while also making logins easy.

The company announced that it had spotted the CryptoChameleon phishing kit being used by threat actors to gain access to LastPass customer vaults.

You’re out of free articles for this month

Username or Email

Password

Keep me signed in on this device.

Forgot password?

First Name

Last Name

Mobile

Organisation Type

Position

Need help signing up? Visit the Help Centre.

The CryptoChameleon kit works by allowing threat actors to create fake single-sign-on pages imitating other sites. Those who use the fake sites to log in hand their credentials over to the threat actors.

LastPass was notified by data protection specialists Lookout that it had been added to the CryptoChameleon phishing kit and that threat actors had been observed using it to trick victims into handing over their details.

According to LastPass, these phishing attacks are being engaged in a number of ways.

“Victims are directed to fake websites via phishing emails, SMS messages, or even direct phone calls (vishing),” said LastPass on its blog.

VIEW ALL

The tactics observed by LastPass generally involve:

Customers receive a call from an 888 number that tells them their LastPass account has been accessed from a new device and to press “1” to allow or “2” to block access.
Those who press “2” are told that they will receive a call from a LastPass representative to “close the ticket”.
The scammers then call the victim, usually using an American accent, saying they are a LastPass employee and that they will send them an email to reset account access. This email will contain a link with a shortened URL that takes them to a phishing site imitating LastPass.
If the victim then enters their LastPass master password to reset access, the threat actor will steal the credentials and lock them out of their LastPass account by changing details such as master password, email address, and primary phone number.

“We have worked with our vendor partners to take down the phishing site, and we are informing our customers so they can be on the lookout for future iterations of this campaign that may use the same tactics,” LastPass said.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

You need to be a member to post comments. Become a member for free today!

newsletter

Be the first to hear the latest developments in the cyber industry.

Hackers imitate LastPass staff to access passwords

Daniel Croft

OUR PLATFORMS AND BRANDS

EVENTS AND SUMMITS

PODCASTS

LEARNING AND EDUCATION

MOMENTUM MARKETS NETWORK

LINKS

STAY CONNECTED