LastPass (again) victim of a very convincing phishing campaign

THE password managers are prime targets for hackers who can get their hands on a whole bunch of credentials in one go. Not surprising that LastPass therefore finds itself again in the middle of a phishing campaign.

LogMeIn seems to be particularly popular these days. The company that publishes the ultra-popular LastPass software has been at the heart of numerous phishing and scam attempts in recent weeks. From the fake app that tries to steal your credentials to the CEO’s voice deepfake that tries to infiltrate company IT systems, LastPass is under attack from all sides. And the latest attack proves that hackers are willing to go to great lengths to get their hands on your personal data.

Quality phishing

As LastPass explains in a blog post published on April 17, a very convincing phishing campaign targeted many users of the password manager. It all starts with a phone call with, on the other side of the line, a voicemail informing the victim that their LastPass account was used from an unknown device and that it is possible to validate or not the connection by typing “ 1” or “2” on its keyboard. If the victim falls into this first panel, then the machine is launched.

As soon as the false connection is “refused”, a second call supposedly emanating from LastPass, this time with a real “employee” on the line, advises you to reset access to your account using a link sent by email. The email does indeed seem to come from the domain name lastpass.com, the URL help-lastpass.com appears legitimate, the site reproduces the artistic direction of the company to perfection and the whole scam is orchestrated by a voice “with an American accent with a very professional call center employee tone», notes LastPass.

If the user uses multi-factor authentication, no problem, the site generates an input field on the fly allowing you to steal these authentication codes too. To make matters worse, victims mostly surf on mobile where it is sometimes more difficult to differentiate between a legitimate site or not.

CryptoChameleon in charge

The scam, now identified by LastPass and taken down with the removal of the misleading URL, was actually using an all-in-one phishing kit called CryptoChameleon due to its frequent use to trap crypto fans . From the fake web platform to the tools needed to make fraudulent phone calls, including multi-factor authentication hijacking tools, everything is available turnkey to scam Internet users.

Let us therefore remember that in terms of security, caution is the mother of safety and that if you have the slightest doubt regarding a fraudulent call or a suspicious-looking email, it is better not to follow up.

Source : LastPass