LastPass users are being targeted by a sophisticated phishing campaign where hackers aim to steal master passwords, giving the attackers access to all other passwords stored in LastPass vaults.
The password management company has said it has investigated reports of a new phishing campaign and discovered that the campaign has been added to the CryptoChameleon phishing kit.
A phishing kit is a set of tools that helps cybercriminals set up a phishing campaign: it usually includes a landing page builder, an email creation tool, email distribution tools, tracking, and more.
URL shorteners and other warning signs
In this particular campaign, LastPass users first received an automated phone call, stating that there was an unrecognized login to the user’s account, and asking them to allow or block access.
If the user chooses to block access, they receive a follow-up call from someone posing as a LastPass employee. That person then sends a phishing email with a link to a fake LastPass site. There, the victim enters their master password, which is relayed to the attackers. Moments later, the victim is locked out of the account and loses access to every other stored password.
LastPass users are advised to be wary of calls, messages, or emails claiming to be from LastPass, especially if they carry a sense of urgency and require the user to take immediate action. They are almost always malicious.
Some of the phishing emails going around had “We’re here for you” in the subject line and used a URL shortening service for links within the message, to hide the actual address to which victims were redirected. Such emails should be reported to abuse@lastpass.com, the company said.
As a general rule of thumb, the master password should not be shared with anyone, including LastPass employees.
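As an added example (not code from the article or from LastPass), the Python script below applies the warning signs described above to a raw email message: it flags the reported subject line, links that pass through a URL-shortening service (whose real destination the recipient cannot see), urgency wording, and a sender domain other than lastpass.com on a message that claims to come from LastPass. The shortener list, urgency terms, sender-domain heuristic and the two sample messages are constructed for illustration; the script parses the message offline and never follows any link.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed list of common URL-shortener hosts (illustrative, not from the article).
SHORTENER_HOSTS = {
    "bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "buff.ly", "rebrand.ly",
}

# Subject line the article reports for this campaign (normalised to a straight apostrophe).
CAMPAIGN_SUBJECTS = {"we're here for you"}

# Constructed urgency phrases; the article warns about lures that demand immediate action.
URGENCY_TERMS = ("immediately", "urgent", "act now", "block access")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def _text_parts(msg):
    """Concatenate all text/plain and text/html parts of a parsed message."""
    chunks = []
    for part in msg.walk():  # a non-multipart message yields only itself
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def extract_urls(text):
    """Return every http(s) URL found in the text, in order of appearance."""
    return URL_RE.findall(text)


def triage_message(raw):
    """Score one raw RFC 822 message against the campaign's warning signs.

    Returns a dict with the evidence found and a boolean 'suspicious' flag.
    """
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    norm_subject = subject.lower().replace("\u2019", "'")
    body = _text_parts(msg)
    lowered = body.lower()

    urls = extract_urls(body)
    shortened = [
        u for u in urls
        if (urlparse(u).hostname or "").lower() in SHORTENER_HOSTS
    ]
    urgency = [t for t in URGENCY_TERMS if t in lowered]

    # Sender-domain heuristic (an assumption of this example): a message that
    # names LastPass but is not sent from lastpass.com deserves a closer look.
    display_name, addr = parseaddr(msg.get("From") or "")
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claims_lastpass = "lastpass" in (display_name + " " + body).lower()
    from_lastpass = sender_domain == "lastpass.com" or sender_domain.endswith(".lastpass.com")

    findings = []
    if norm_subject in CAMPAIGN_SUBJECTS:
        findings.append("subject matches the reported campaign lure")
    if shortened:
        findings.append(f"{len(shortened)} link(s) use a URL shortener, hiding the destination")
    if urgency:
        findings.append("urgency wording: " + ", ".join(urgency))
    if claims_lastpass and not from_lastpass:
        findings.append(f"claims to be LastPass but sent from {sender_domain or 'unknown'}")

    return {
        "subject": subject,
        "sender_domain": sender_domain,
        "urls": urls,
        "shortened_urls": shortened,
        "urgency_terms": urgency,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample messages; the sender domains and link are placeholders.
SAMPLE_PHISH = """\
From: LastPass Support <support@lastpass-secure-login.example>
To: user@example.org
Subject: We're here for you

We noticed an unrecognized login to your LastPass account.
To block access immediately, verify your master password here:
https://bit.ly/CONSTRUCTED-EXAMPLE

LastPass Support Team
"""

SAMPLE_BENIGN = """\
From: Newsletter <news@example.com>
To: user@example.org
Subject: Monthly update

Read this month's notes at https://www.example.com/notes/april
"""

if __name__ == "__main__":
    for raw in (SAMPLE_PHISH, SAMPLE_BENIGN):
        result = triage_message(raw)
        print(result["subject"], "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for f in result["findings"]:
            print("  -", f)
```

A message that trips any of these checks is a candidate for the abuse@lastpass.com report the article mentions; the checks are deliberately simple heuristics and will need tuning against real mail flow.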
Via BleepingComputer