LastPass is alerting its users about a malicious campaign using the CryptoChameleon phishing kit.
This kit allows cybercriminals to build counterfeit websites that mimic legitimate services, featuring genuine-looking graphics and logos. The main goal is to trick users into submitting their login credentials, which the attackers can use or sell.
LastPass confirmed that the attackers utilized the CryptoChameleon phishing kit to set up a fraudulent website mimicking LastPass.
The attack begins when the victim receives a phone call from a number appearing to belong to LastPass. Using an American accent, the caller identifies themselves as a LastPass employee. During this call, the purported employee tells the victim about a security breach affecting their account and offers to assist by sending an email to reset their access.
The email sent to the victim includes a link leading to a phishing site, “help-lastpass[.]com,” which closely mimics the official LastPass interface. As part of the scheme, unsuspecting users are asked to enter their master password on this fake site.
Once the attackers capture this password, they use it to access the victim’s actual LastPass account. They then change crucial account details, such as the primary phone number, email address, and master password.
These changes lock the legitimate user out of their account and give the attacker complete control. LastPass says the malicious website is currently offline, but similar campaigns are likely to emerge.
The company is now advising users to remain vigilant against suspicious phone calls, messages, or emails that appear to be from LastPass and press for immediate action. Some signs of suspicious communications from this campaign include emails titled “We’re here for you” and messages containing links shortened through URL services.
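The warning signs above (a subject line of "We're here for you", links routed through URL shorteners, and a lookalike domain such as help-lastpass[.]com) can be turned into a simple triage check for an inbound mail. The following is an added example written for this article, not LastPass tooling; the shortener host list and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed list of common URL-shortener hosts (not taken from the article).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}
LEGIT_DOMAINS = {"lastpass.com"}           # the real brand domain
CAMPAIGN_SUBJECT = "we're here for you"    # lure subject named by LastPass
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def is_legit_host(host: str) -> bool:
    """True only for lastpass.com itself or one of its subdomains."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in LEGIT_DOMAINS)

def lookalike_host(host: str) -> bool:
    """Host mentions the brand (e.g. help-lastpass.com) but is not the real domain."""
    h = host.lower()
    return "lastpass" in h.replace("-", "") and not is_legit_host(h)

def assess_email(subject: str, sender: str, body: str) -> list[str]:
    """Return a list of findings; an empty list means no campaign indicator matched."""
    findings = []
    # Normalise curly apostrophes so "We’re" and "We're" compare equal.
    if subject.replace("\u2019", "'").strip().lower() == CAMPAIGN_SUBJECT:
        findings.append("subject matches campaign lure")
    sender_host = sender.split("@")[-1].strip("> ")
    if lookalike_host(sender_host):
        findings.append(f"lookalike sender domain: {sender_host}")
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            findings.append(f"shortened link: {host}")
        elif lookalike_host(host):
            findings.append(f"lookalike link domain: {host}")
    return findings

# Constructed sample messages: one modelled on the campaign, one benign.
SAMPLE_EMAILS = {
    "lure": ("We’re here for you", "support@help-lastpass.com",
             "Reset your access: https://help-lastpass.com/reset or https://bit.ly/x1"),
    "benign": ("Your invoice", "billing@lastpass.com",
               "View it at https://www.lastpass.com/account"),
}

def scan_samples() -> dict[str, list[str]]:
    """Run the check over the constructed samples, keyed by sample name."""
    return {name: assess_email(*msg) for name, msg in SAMPLE_EMAILS.items()}

if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", findings or "no indicators")
```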
The phishing kit was identified earlier this year by security experts after it was used to target Federal Communications Commission (FCC) employees with specially designed Okta single sign-on (SSO) pages.
Cybercriminals used the same phishing kit to launch attacks against major cryptocurrency platforms such as Binance, Coinbase, Kraken, and Gemini. The attackers used fake pages to mimic Okta, Gmail, iCloud, Outlook, Twitter, Yahoo, and AOL.