LastPass users tricked by hackers posing as staff to steal passwords

Some people are getting phone calls from fake LastPass employees

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

LastPass users are being targeted with a sophisticated phishing campaign that sees hackers looking to steal master passwords, which would grant the attackers access to all other passwords stored in the LastPass vaults.

Thepassword managementcompany has said it had investigated reports of a new phishing campaign and discovered that it was added to the CryptoChameleon phishing kit.

A phishing kit is a set of tools that helps cybercriminals create a phishing campaign: it usually includes a landing page builder, an email crafting tool, means of email distribution, tracking, and more.

URL shorteners and other red flags

In this particular campaign, LastPass users would first receive an automated phone call, stating that there was an unrecognized login to the user’s account, and asking them to either allow or block the access.

If the user decides to block the access, they would get a follow-up call from someone impersonating a LastPass employee. This person would then send a phishing email, with a link to the fake LastPass site. There, the victim would enter their master password, which would be relayed to the attackers. Moments later, the victims would get locked out of their accounts, losing access to all other passwords.

LastPass users are advised to be wary of phone calls, messages, or emails claiming to come from LastPass, especially if they carry a sense of urgency and require the user to do something immediately. Those are, almost always, malicious.

Some of the phishing emails that were making rounds had “We’re here for you” in their subject lines, and used a URL shortening service for links in the message, to conceal the actual address the victims were being redirected to. Such emails should be reported toabuse@lastpass.com, the company said.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

As a general rule of thumb, the master password should not be shared with anyone, including LastPass employees.

ViaBleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

GoPro Max 2 hit by further delays – 2025 is the earliest we’ll see the 360-degree action cam