LASTPASS ALERT: HOW TO STEAL AN ACCOUNT WITH ONE CALL

LastPass users were targeted in a sophisticated phishing campaign in which attackers combined phone calls, emails, and SMS messages to extract master passwords. The campaign was built on CryptoChameleon, a phishing kit that cybersecurity specialists at Lookout identified in February; the group behind it had previously specialized in cryptocurrency accounts and operates a toolset that includes convincingly named domains, fake login pages, and infrastructure for placing calls and sending messages.

  • Users would receive a call from a number displayed as “888,” informing them that their account had been accessed from a new device. An automated prompt asked them to press a number to either allow or block the access. If the user chose to block it, they were told that a support representative would call shortly to help “close the ticket.” Shortly afterwards the user received a phishing email impersonating LastPass that contained a shortened link leading to a fake login page.
  • If the victim entered their master password on the phishing site, the fraudster used it to log in to the real LastPass account and changed its settings to lock the legitimate user out while taking control of the account. This could include changing the primary phone number, the email address, and even the master password itself.
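The lure hinges on two things that can be checked mechanically before anyone clicks: the link is shortened, so the destination is hidden, and the destination is a domain that merely contains the brand name rather than the real one. The following added example, which is not code from LastPass, Lookout, or the article, triages the URLs in a message for exactly those signals; the trusted domain set, the brand spellings, the shortener list and the sample SMS are constructed assumptions.

```python
"""Triage URLs from a suspicious email or SMS for brand impersonation.

Added example, not code from LastPass or Lookout. Assumptions not taken
from the article: the legitimate domain set, the brand tokens and the
shortener list below are hard-coded constructed samples.
"""
import re
from urllib.parse import urlparse

LEGIT_DOMAINS = {"lastpass.com"}                          # assumption: the only domain we trust
BRAND_TOKENS = ("lastpass", "last-pass", "1astpass")      # constructed lookalike spellings
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd"}   # constructed sample of link shorteners

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Simplification: a production check would consult the Public Suffix
    List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_url(url: str) -> str:
    """Classify a URL as 'legit', 'shortener', 'lookalike', 'unrelated' or 'invalid'.

    Only an exact registrable-domain match counts as legitimate, so
    'lastpass.com.evil.test' (brand in a subdomain) and 'lastpass.com@evil.test'
    (brand in the userinfo part) are still flagged as lookalikes.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    domain = registrable_domain(host)
    if domain in LEGIT_DOMAINS:
        return "legit"
    if domain in SHORTENERS:
        # A shortened link hides the destination; expand it before trusting it.
        return "shortener"
    haystack = (parsed.netloc + parsed.path).lower()
    if any(token in haystack for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


def extract_urls(text: str) -> list:
    """Pull http(s) URLs out of a message body, stripping trailing punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def triage_message(text: str) -> list:
    """Return (url, verdict) pairs; anything other than 'legit' warrants a manual check."""
    return [(u, classify_url(u)) for u in extract_urls(text)]


# Constructed sample message modelled on the lure described in the article.
SAMPLE_SMS = (
    "LastPass: a new device signed in to your account. If this was not you, "
    "a support agent will call you. Verify here: https://help-lastpass.test/login "
    "or read our policy at https://lastpass.com/security."
)

if __name__ == "__main__":
    for url, verdict in triage_message(SAMPLE_SMS):
        print(f"{verdict:10s} {url}")
```

Run it on the body of any message that claims to come from the vendor; a "shortener" verdict means the real destination is unknown until the link is expanded, and a "lookalike" verdict is the pattern this campaign relied on. The check is deliberately conservative: it never promotes a domain to "legit" because it looks like the brand, only because it is the brand.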

On April 15 and 16 there was a surge in attacks on LastPass customers; the fake site was taken down on April 16. LastPass advises users who receive suspicious calls or messages to contact support only through official channels, and stresses that no one should ever disclose their master password to anyone: LastPass itself will never ask for it.
