LastPass is warning of a malicious campaign targeting its users with the CryptoChameleon phishing kit that is associated with cryptocurrency theft.
CryptoChameleon is an advanced phishing kit that was spotted earlier this year, targeting Federal Communications Commission (FCC) employees using custom-crafted Okta single sign-on (SSO) pages.
According to researchers at mobile security company Lookout, campaigns using this phishing kit also targeted cryptocurrency platforms Binance, Coinbase, Kraken, and Gemini, using pages that impersonated Okta, Gmail, iCloud, Outlook, Twitter, Yahoo, and AOL.
During its investigations, LastPass discovered that its service was recently added to the CryptoChameleon kit, and a phishing site was hosted at the "help-lastpass[.]com" domain.
The attacker combines multiple social engineering techniques that involve contacting the potential victim (voice phishing) and pretending to be a LastPass employee trying to help with securing the account following unauthorized access.
Below are the tactics LastPass observed in this campaign:
- Victims receive a call from an 888 number claiming unauthorized access to their LastPass account and are prompted to allow or block the access by pressing "1" or "2".
- If they choose to block the access, they're told they will get a follow-up call to resolve the issue.
- A second call comes from a spoofed number, where the caller, posing as a LastPass employee, sends a phishing email from "support@lastpass" with a link to the fake LastPass site.
- Entering the master password on this site allows the attacker to change account settings and lock out the legitimate user.
The malicious website is now offline but it is very likely that other campaigns will follow and threat actors will rely on new domains.
Users of the popular password management service are recommended to beware of suspicious phone calls, messages, or emails claiming to come from LastPass and urging immediate action.
Some indicators of suspicious communication from this campaign include emails with the subject "We're here for you" and the use of a shortened URL service for links in the message. Users should report these attempts to LastPass at abuse@lastpass.com.
Regardless of the service, the master password should never be shared with anyone, since it is the key to all of your sensitive information.
Comments
joshwenke - 2 months ago
If you are still using LastPass, that is the real issue.
ChipBoundary - 2 months ago
If you genuinely believe that anything from LastPass was ever a concern, that is the real issue. There isn't a single company on planet Earth that hasn't been hacked or compromised. To believe otherwise is beyond ignorant. The difference is, with LastPass, what it did was prove that vaults are uncrackable. To believe that a company is only good as long as they don't get hacked is just ridiculously silly.
I've used LastPass for years BECAUSE of their model. It withstood, thus proving its efficacy. My passwords will never be compromised unless I were to fall for a phishing scam like the one mentioned in the article. However, given my decades of IT experience, that will never happen.
GT500 - 2 months ago
Clearly you haven't been paying attention to security news. LastPass has had a number of security incidents over the years, including a vulnerability that allowed for stealing passwords directly from the browser extension. They are probably the least secure "cloud" password storage service provider. Most security experts recommend other services such as 1Password or Bitwarden if you absolutely must use a "cloud" based password storage service. Personally I recommend KeePass, which I feel is much safer than storing your passwords in the "cloud".
cloud = someone else's computer (in this case servers operated by these service providers)
wpontius - 2 months ago
Confidence in one's abilities is a good thing, but it is pure hubris to say "...that will never happen to me." If you believe it can never happen to you, then you have stopped questioning, doubting and learning. Hope your luck holds out!
StodgyGolf - 2 months ago
I just put mine in a locked.txt file on my phone... with 1 password hosting multiple different passwords for other locked txt files that lead up to my actual file. No iCloud or online stuff except for onepassword.
GT500 - 2 months ago
"I just put mine in a locked.txt file on my phone... with 1 password hosting multiple different passwords for other locked txt files that lead up to my actual file. No iCloud or online stuff except for onepassword."
I used to know someone who would save passwords in a TXT file on an encrypted USB flash drive. It's probably not the best way to store passwords, but it worked for him.
Mr.Tom - 2 months ago
Back in the day I used to use a small sheet of paper to write all my passwords down. It kept getting full, so I turned the paper sideways, then again and again. Suffice to say the paper was eventually packed.
GT500 - 2 months ago
This is why I switched to KeePass a long time ago. Local password storage is much safer than any service that stores them online. It also gives you control over what type of encryption is used in your password storage file, so you don't just have to trust that a service provider is using the best encryption they have available.
StodgyGolf - 2 months ago
"This is why I switched to KeePass a long time ago. Local password storage is much safer than any service that stores them online. It also gives you control over what type of encryption is used in your password storage file, so you don't just have to trust that a service provider is using the best encryption they have available."
so agreed
TheHappyProgrammer - 2 months ago
What's most unbelievable is that all these web services (this one included, I have no doubt) store passwords in readable form. (A day or two ago I contacted a bank I do business with and it was clear the contract worker I dealt with had access to my password.) The Michigan Terminal System was using trapdoor encryption to store passwords back in the 1970s. It's true a password manager would need to store the password in a recoverable form, but it could at least encrypt it to make hacking harder.
GT500 - 2 months ago
Service providers like LastPass supposedly encrypt your password store, and I think most of them use your master password as an encryption key to make it more difficult for an attacker to decrypt your stored passwords. As for their security for your master password, I assume they hash it in some way and store the hash, but I don't remember what LastPass supposedly does. It's been well known for more than 15 years that storing plain text passwords is bad, and anyone still doing it is going against NIST guidelines for password storage.
https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/
StodgyGolf - 2 months ago
Or you know... you could code your own, non-cloud password hoster/encrypter.