LastPass users fell victim to phishing attacks so sophisticated that they could deceive even the most cautious individuals.

LastPass users recently fell victim to a sophisticated phishing scheme in which scammers used a blend of emails, text messages, and phone calls to trick people into revealing their master passwords. The attack was facilitated by a tool called CryptoChameleon, which was originally designed to target cryptocurrency users but has expanded to hit services like LastPass and others.

The scammers impersonated LastPass, contacting users with alarming messages about unauthorized access to their accounts. They’d ask victims to press certain numbers, claiming it would either allow or block the access. If the victim pressed the block option, they’d receive another call from someone posing as a LastPass representative, usually speaking with an American accent. This fake rep would then send a phishing email with a link, disguised as a password reset option, but actually leading to a site meant to steal login details.

If users fell for it and entered their master password, the scammers would swiftly hijack their accounts, changing settings to lock out the real user. This type of attack isn’t new for LastPass, as they’ve been targeted before, with incidents of data theft and even deepfake calls mimicking the company CEO.

CryptoChameleon, the tool behind this latest attack, is quite sophisticated. It includes features like a fake CAPTCHA page to hinder detection and an admin console for real-time monitoring of visits to the scam site. Scammers can even engage targets in voice calls to guide them through the scam process.

This incident highlights the importance of staying vigilant against phishing attempts, even when they seem convincing. It’s a reminder to always verify the authenticity of communications, especially when they involve sensitive information like passwords.
