LastPass users are being targeted with a sophisticated phishing campaign that sees hackers looking to steal master passwords, which would grant the attackers access to all other passwords stored in the LastPass vaults.
The password management company has said it had investigated reports of a new phishing campaign and discovered that it was added to the CryptoChameleon phishing kit.
A phishing kit is a set of tools that helps cybercriminals create a phishing campaign: it usually includes a landing page builder, an email crafting tool, means of email distribution, tracking, and more.
URL shorteners and other red flags
In this particular campaign, LastPass users would first receive an automated phone call, stating that there was an unrecognized login to the user’s account, and asking them to either allow or block the access.
If the user decides to block the access, they would get a follow-up call from someone impersonating a LastPass employee. This person would then send a phishing email, with a link to the fake LastPass site. There, the victim would enter their master password, which would be relayed to the attackers. Moments later, the victims would get locked out of their accounts, losing access to all other passwords.
LastPass users are advised to be wary of phone calls, messages, or emails claiming to come from LastPass, especially if they carry a sense of urgency and require the user to do something immediately. Those are, almost always, malicious.
Some of the phishing emails that were making rounds had “We’re here for you” in their subject lines, and used a URL shortening service for links in the message, to conceal the actual address the victims were being redirected to. Such emails should be reported to abuse@lastpass.com, the company said.
As a general rule of thumb, the master password should not be shared with anyone, including LastPass employees.
Via BleepingComputer