Security news that informs and inspires

Phishing Attack Targets LastPass Users’ Master Passwords


LastPass is warning of a phishing campaign designed to steal users’ master passwords and give attackers access to their password manager accounts.

In order to convince LastPass users to hand over their passwords, attackers used a mix of phone calls, phishing emails and a phishing page under the domain “help-lastpass[.]com,” which has since been taken down. If they were able to successfully obtain the users’ master passwords, attackers would log into the victims’ accounts and lock them out by changing their primary phone numbers, email addresses and the master password itself.

“Initially, we learned of a new parked domain (help-lastpass[.]com) and immediately marked the website for monitoring should it go live and start serving a phishing site intended to imitate our login page or something similar,” according to Mike Kosak, senior principal intelligence analyst with LastPass, in a Wednesday statement. “Once we identified that this site went active and was being used in a phishing campaign against our customers, we worked with our vendor to take down the site.”

Password managers like LastPass are top targets for attackers precisely because of their functionality as a centralized location for valuable credentials. In 2022, attackers were able to steal some LastPass customer data and gain access to the LastPass cloud storage service. Last week, the company said that a LastPass employee was unsuccessfully targeted by a deepfake audio call that impersonated company CEO Karim Toubba.

LastPass also warned of another wide-scale phishing attack targeting its users last year, which included a link to a phishing page hosted on subdomains of “customer-lastpass[.]su.” That campaign had a global reach and targeted a variety of sectors, including 87 of the company's own employees.
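The two campaigns above share a pattern that a defender can watch for: a lookalike domain that embeds the brand name next to a helpful-sounding prefix ("help-", "customer-"), registered under an unrelated apex. The following is an added example, not LastPass's own tooling or anything described by the company, of the kind of check a monitoring pipeline can run over newly seen or defanged domain indicators. It assumes a single legitimate apex (lastpass.com) and a single brand token ("lastpass"); both are assumptions chosen for this illustration, and the sample list is constructed here from the article's two indicators plus a few contrasting entries.

```python
# Brand-lookalike domain check for defanged indicators (added example; assumptions
# are the LEGITIMATE_APEX allow-list and the BRAND_TOKEN, not anything from LastPass).

# Constructed sample list: the article's two indicators, one legitimate host,
# and two unrelated or differently-spelled entries for contrast.
SAMPLE_DOMAINS = [
    "help-lastpass[.]com",
    "login.customer-lastpass[.]su",
    "accounts.lastpass.com",
    "example[.]org",
    "last-pass-support[.]net",
]

# Assumption: the defender treats only this apex as genuine for the brand.
LEGITIMATE_APEX = {"lastpass.com"}
# Assumption: the brand string to look for once separators are stripped.
BRAND_TOKEN = "lastpass"


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'help-lastpass[.]com' into a plain hostname."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")


def apex_of(host: str) -> str:
    """Naive apex extraction (last two labels). Adequate for .com/.su/.net, not for co.uk-style suffixes."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_brand_lookalike(indicator: str) -> bool:
    """True when the host embeds the brand token but is not under the legitimate apex.

    Hyphens and dots are stripped before matching so that 'last-pass' and
    'lastpass' are treated alike; hosts under the allow-listed apex are never flagged.
    """
    host = refang(indicator)
    if apex_of(host) in LEGITIMATE_APEX:
        return False
    normalized = host.replace("-", "").replace(".", "")
    return BRAND_TOKEN in normalized


def flag_lookalikes(indicators: list[str]) -> list[str]:
    """Return the refanged hostnames from the input that look like brand impersonation."""
    return [refang(i) for i in indicators if is_brand_lookalike(i)]


if __name__ == "__main__":
    for host in flag_lookalikes(SAMPLE_DOMAINS):
        print("lookalike:", host)
```

Run against the sample list, the check flags help-lastpass.com, login.customer-lastpass.su and last-pass-support.net while leaving accounts.lastpass.com alone. In practice the input would come from a certificate-transparency or new-registration feed rather than a static list, and the apex extraction should use a public-suffix library before trusting it on multi-label TLDs.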

While LastPass didn’t specify how many customers were targeted in the latest phishing campaign disclosed this week, or how many of the incidents were successful, the company said customers were receiving calls from 888 numbers claiming their accounts had been accessed from a new device, and instructing them to press “1” to allow the access or “2” to block it. When customers pressed “2,” they were told they would receive a call shortly to “close the ticket.” They would then receive a call from someone with an American accent impersonating a LastPass employee. The caller could then send the victims an email, purporting to help them reset access to their account, which would actually take them to the phishing page in an attempt to steal their credentials.

The campaign, first unearthed by Lookout, appears to be linked to the CryptoChameleon phishing kit, which is a phishing-as-a-service offering for cybercriminals allowing them to create fake SSO sites using fraudulent branding in order to persuade victims to type in their credentials. CryptoChameleon, first discovered in February, has previously been used to target cryptocurrency platforms like Binance and Coinbase, as well as the Federal Communications Commission (FCC).

LastPass warned users not to respond to suspicious calls, texts or emails from people claiming to be from LastPass, and to alert the company if such messages are received. The company said that no one at LastPass would ever ask customers for their master passwords.

“We have worked hard to disrupt this phishing campaign and have had the initial phishing site taken down,” said Kosak. “However, as the initial phishing kit itself continues to offer LastPass branding, we are sharing this information so that our customers can be aware of these tactics and take the appropriate response should they receive a suspicious call, text, or email.”