LastPass, a widely used password manager application, has issued a warning to its users advising them to not press option 1 or 2 if they get a call purporting to be from the service. This is due to a new scam that can potentially compromise account master passwords with all the misery that would bring. It is imperative to be aware of this and take the necessary precautions to safeguard your LastPass account. Here’s what you need to know.
Crypto Crypto Crypto Chameleon
Mike Kosak, a senior principal intelligence analyst at LastPass, has issued a warning to all users of the password manager. He urges everyone to be aware of a cybercrime campaign that aims to obtain your master password and compromise your password vault account. This campaign is linked to something known as CryptoChameleon, a phishing-as-a-service kit that makes it easier for criminals to steal personal information. The kit provides everything they need in a ready-made package, lowering the bar for criminals looking to steal data.
“Basically, a cybercriminal can use these kits to create fake websites to steal passwords and other authentication data,” Kosak said, “and either use these credentials themselves or sell them to other criminals.”
The criminals create fake login pages using genuine branding to ensure the fraudulent sites look like the real deal. By directing victims to these sites, in this case initially via what appear to be genuine support calls from LastPass itself and then as the scam evolves using a link from a follow-up email, the criminal actors can harvest authentication data including master passwords.
Unraveling The LastPass Master Password Scam
The first sign of something wrong was when intelligence analysts at LastPass found a new fraudulent domain had been registered but not yet activated. That domain, ‘help-lastpass [dot] com’, was designed to give the casual viewer confidence that it was genuinely associated with the LastPass service. By monitoring this domain, the security team at LastPass was able to identify it as soon as it went live, purporting to be a login page to the service, and initiate steps to have it taken down.
However, because the CryptoChameleon phishing kit continues to provide criminal customers with the necessary branding to clone a LastPass service, disruption of the scam cannot be guaranteed. This is why Kosak has gone public to warn LastPass users of the threat and describe exactly how it unfolds.
- The victim is called with an automated message informing them their LastPass account has been accessed from an unknown device and instructing them to either press 1 to allow the access or press 2 to block it.
- Pressing 2 does no such thing, of course, but rather triggers a message telling the user that they will shortly get a call from a customer service representative in order to close the help ticket and ensure everything is OK.
- This follow-on call comes from a spoofed number with the caller claiming to be a LastPass employee and informing the user that they have been sent an email that includes a link to enable them to reset their account for security reasons.
- That link, of course, redirects to the cloned login page where the user is asked to provide their LastPass master password. If successful, the criminal will then lock the user out of their own account by changing the primary phone number, email address and master password.
The Press 1 Or 2 LastPass Scam Fallout
Kosak said that LastPass users should bear in mind the following if they are on the sharp end of this all-too-realistic threat:
- If you get a phone call from someone claiming to work for LastPass, hang up and report the details using the [email protected] email address.
- Send a screen capture of any suspicious text messages purporting to be from LastPass to the same abuse reporting address.
- Forward any emails as an attachment to the same address.
- Remember that LastPass or any other password management service will never ask for your master password via phone call, text message or email. For very obvious reasons, it just doesn’t happen. If it does, then it’s a scam.
“We will continue to work diligently to protect our customers and take whatever proactive measures we can to disrupt this activity,” Kosak concluded.