LastPass Users Targeted in New Master Password Phishing Scam
Phishing Scheme Targets Password Management Users
LastPass customers, be on high alert! A sophisticated phishing campaign is making the rounds, attempting to steal your master password. If successful, the hackers will gain access to all the passwords stored in your LastPass vault.
Cybercriminals Use CryptoChameleon Phishing Kit
The company has confirmed that this new scam is orchestrated using a complete set of phishing tools called CryptoChameleon. These tools help criminals craft convincing fake emails, distribute them, and track their success.
How the Phishing Attack Works
Initially, victims receive an automated phone call that claims there was an unauthorized login attempt on their account and offers the option to block or allow access. Should the user opt to block access, a fake LastPass 'employee' follows up with a compelling phishing email. The email includes a link to a counterfeit LastPass site, prompting the user to enter their master password, which is then captured by the hackers.
Look Out for Suspicious Communication
Users are cautioned to be skeptical of urgent phone calls, messages, or emails purporting to be from LastPass. Phishing emails often have urgent subject lines, like "We're here for you," and may use URL shorteners to hide the actual destination. These should be reported immediately to abuse@lastpass.com. Remember, never share your master password, not even with purported LastPass staff.
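The following is an added example, not code from LastPass or from the original article: a mail-triage check for the two link indicators described above, shortened URLs and links that do not lead to the real site. It assumes lastpass.com is the only trusted domain and uses a short sample list of shorteners; the sample message and its hosts are constructed.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: lastpass.com is the only trusted domain (taken from the
# abuse@lastpass.com address on this page); SHORTENERS is a short sample list.
TRUSTED = "lastpass.com"
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

# Constructed sample message; hosts use reserved .example/.invalid names.
SAMPLE = """\
From: "LastPass Support" <support@mailer.invalid>
Subject: We're here for you
Content-Type: text/html; charset=utf-8

<p><a href="https://bit.ly/placeholder">Secure your account</a>
<a href="https://lastpass.com.login.example/verify">LastPass login</a>
<a href="https://www.lastpass.com/">Home</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def classify(href):
    """Return a reason string for a suspicious link, or None if it is trusted."""
    host = (urlsplit(href).hostname or "").rstrip(".")
    if host in SHORTENERS:
        return "shortener hides destination"
    # Exact match or true subdomain only; "lastpass.com.login.example" fails.
    if host == TRUSTED or host.endswith("." + TRUSTED):
        return None
    return "host is not " + TRUSTED

def triage(raw):
    """List (href, reason) for links in a message that claims to be LastPass."""
    msg = message_from_string(raw)
    if "lastpass" not in (msg.get("From", "") + msg.get("Subject", "")).lower():
        return []
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            data = part.get_payload(decode=True)
            collector.feed(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return [(h, r) for h in collector.hrefs if (r := classify(h))]
```

The suffix check compares against ".lastpass.com" with the leading dot, so a host that merely begins with or contains the brand name is still flagged.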
Stay Safe with These Tips
Maintain a critical eye and verify any communication from LastPass. Consider multifactor authentication for added security and regularly update your master password. Protecting your online information is crucial, and staying informed about phishing tactics is your first line of defense.