LastPass Users Fall for Sophisticated Phishing Attacks
Password manager LastPass is warning users to be on the lookout for a new phase of a phishing campaign that began earlier this year. Company officials said the convincing phishing campaign uses a combination of email, SMS messages, and direct phone calls (vishing) to trick targets into divulging their master passwords.
In February, Lookout researchers discovered attackers using an advanced phishing-as-a-service kit. Dubbed CryptoChameleon because of its focus on cryptocurrency accounts, the kit provides everything needed to convince even relatively savvy people that the communications are legitimate. In a separate incident reported recently, LastPass said one of its employees was targeted by a deepfake audio call designed to imitate the voice of company CEO Karim Toubba.
The kit also lets threat actors quickly build fake single sign-on (SSO) or other login pages that copy a target company's branding, including its graphics and logos, so that the page passes for the real site while it harvests the credentials the attacker is after.
Tactics Used in the Phishing Campaign
- The customer receives a call from an 888 number claiming their LastPass account has been accessed from a new device and instructing them to press “1” to allow the access or “2” to block it.
- If the recipient presses “2”, they are told they will receive a call shortly from a customer representative to “close the ticket.”
- The recipient then receives a second call from a spoofed phone number. The caller identifies themself as a LastPass employee and typically speaks with an American accent. The caller sends the recipient an email that supposedly lets them reset access to their account. In reality it is a phishing email containing a shortened URL that leads to the "help-lastpass[.]com" site, which is built to steal the user's credentials.
- If the recipient inputs their master password into the phishing site, the threat actor attempts to log in to the LastPass account and change settings within the account to lock out the authentic user and take control of the account. These changes may include changing the primary phone number and email address as well as the master password itself.
Hanging Up, Using MFA Can Prevent Phishing Attacks
- Remember that caller ID on incoming phone calls and SMS messages can be easily spoofed to appear to come from anywhere. If you receive a call or text claiming to come from a service, hang up and contact the service directly using the phone number, website, or email address published on its official site, never one supplied by the caller or message.
- Always use multi-factor authentication (MFA) to lock down accounts, and prefer a FIDO-based method (FIDO2/WebAuthn security keys or passkeys) whenever the service offers one. MFA via push notifications or one-time passwords sent by text, email, or an authenticator app is better than nothing, but as events over the past few years have demonstrated, it is routinely defeated in credential phishing: the victim types the code into the fake site and the attacker relays it to the real one within its validity window. A FIDO credential cannot be relayed that way, because the browser binds the signed login response to the origin the user is actually on, so a response produced at help-lastpass[.]com is rejected by lastpass.com.
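The following is an added example, not code from LastPass, Lookout, or the original post, that shows why the origin binding matters. It models a simplified WebAuthn-style login in Python: the relying party issues a one-time challenge, the browser records the origin it is really on in the signed client data, and the server rejects anything whose origin or challenge does not match. A TOTP-style code is shown beside it to make the contrast explicit: the code carries no origin, so a code typed into the lookalike site is just as valid when the attacker forwards it. The origins, the use of HMAC over a shared secret in place of the real asymmetric signature, and the omission of authenticatorData, rpIdHash, and counters are all simplifications assumed here for illustration.

```python
"""
Toy model of origin-bound (FIDO/WebAuthn-style) MFA versus a relayable OTP.

Assumptions (illustration only, not the real protocol):
- The authenticator "signs" with HMAC over a secret that the relying
  party also holds, standing in for an asymmetric key pair.
- Only the challenge, origin, ceremony type and signature are checked;
  authenticatorData, rpIdHash, sign counters and attestation are omitted.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional, Set, Tuple

LEGIT_ORIGIN = "https://lastpass.com"        # assumed legitimate RP origin
PHISH_ORIGIN = "https://help-lastpass.com"   # lookalike domain from the campaign


class Authenticator:
    """Stand-in for a security key or passkey. The browser, not the page,
    supplies the origin, so a phishing page cannot claim to be lastpass.com."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def get_assertion(self, origin: str, challenge: str) -> dict:
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True,
        ).encode()
        digest = hashlib.sha256(client_data).digest()
        sig = hmac.new(self._secret, digest, hashlib.sha256).digest()
        return {"clientDataJSON": client_data, "signature": sig}


class RelyingParty:
    """Server side: one fresh challenge per login; verifies type, origin,
    challenge freshness and signature before accepting the assertion."""

    def __init__(self, origin: str, secret: bytes) -> None:
        self.origin = origin
        self._secret = secret
        self._pending: Set[str] = set()

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self._pending.add(challenge)
        return challenge

    def verify(self, assertion: dict) -> Tuple[bool, str]:
        try:
            cd = json.loads(assertion["clientDataJSON"])
        except (KeyError, ValueError):
            return False, "malformed clientDataJSON"
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("origin") != self.origin:
            return False, "origin mismatch: %r" % cd.get("origin")
        if cd.get("challenge") not in self._pending:
            return False, "unknown or reused challenge"
        digest = hashlib.sha256(assertion["clientDataJSON"]).digest()
        expected = hmac.new(self._secret, digest, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        self._pending.discard(cd["challenge"])  # challenges are single use
        return True, "ok"


def totp_like_code(secret: bytes, now: float, step: int = 30) -> str:
    """Six-digit code derived only from secret and time; it carries no origin."""
    counter = int(now // step)
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return "%06d" % (int.from_bytes(mac[-4:], "big") % 1_000_000)


def scenario_fido_legit() -> Tuple[bool, str]:
    """User logs in on the real site: the assertion verifies."""
    secret = secrets.token_bytes(32)
    rp, authn = RelyingParty(LEGIT_ORIGIN, secret), Authenticator(secret)
    return rp.verify(authn.get_assertion(LEGIT_ORIGIN, rp.new_challenge()))


def scenario_fido_relay() -> Tuple[bool, str]:
    """Attacker at help-lastpass.com fetches a real challenge, has the victim's
    browser sign it, and relays the assertion. The browser recorded the phishing
    origin, so the real RP rejects it."""
    secret = secrets.token_bytes(32)
    rp, authn = RelyingParty(LEGIT_ORIGIN, secret), Authenticator(secret)
    challenge = rp.new_challenge()                      # obtained by the attacker
    assertion = authn.get_assertion(PHISH_ORIGIN, challenge)
    return rp.verify(assertion)


def scenario_otp_relay() -> bool:
    """The same relay against a time-based code succeeds: the code the victim
    typed into the fake site is still valid seconds later on the real one."""
    secret = secrets.token_bytes(20)
    typed_at = 1_700_000_000.0                          # constructed timestamp
    typed_on_phish = totp_like_code(secret, typed_at)
    return typed_on_phish == totp_like_code(secret, typed_at + 5)


if __name__ == "__main__":
    print("FIDO, real site:     ", scenario_fido_legit())
    print("FIDO, relayed:       ", scenario_fido_relay())
    print("OTP, relayed accepted:", scenario_otp_relay())
```

The decisive check is the origin comparison in `RelyingParty.verify`: the attacker can forward the server's challenge and the user's signed response, but cannot change the origin the browser wrote into the client data without invalidating the signature. Nothing in the OTP path has an equivalent field, which is why a code relay works as long as the attacker is faster than the validity window.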
Read more about how to recognize phishing scams on our blog.
Learn How to Recognize Phishing Attempts
Your workforce must be well-prepared to recognize and respond to phishing attempts. PrivaPlan can help your organization identify gaps in phishing knowledge with simulated phishing testing and targeted training.