Open Forum

  • 1.  Security BUZZ - The Phishing Threat You Didn't See Coming

    Posted 16 days ago

    In the digital age, our lives are increasingly managed online, and with that comes the need for heightened security. Password managers have become our digital vaults, promising to keep our countless passwords safe under the watch of one master key. But what happens when that master key falls into the wrong hands?

    Be on high alert: CryptoChameleon is a highly sophisticated and alarming phishing campaign currently targeting LastPass users. This meticulously planned and executed operation has already impacted at least eight individuals, with potentially more unsuspecting victims.

    The con begins with a phone call from an 888 number, seemingly from LastPass, alerting customers to unauthorized access attempts. A robocall informs the customer that their account has been accessed from a new device. It then prompts them to press "1" to allow access or "2" to block it. After pressing "2," they're told that they'll receive a call shortly from a customer service representative to "close the ticket."

    Here's how the deception unfolds. The recipient receives a call, seemingly from LastPass, but it's actually from a spoofed number. On the other end is a live person, often with an American accent or sometimes a British one. This supposed support agent informs the user that they'll be sending an email shortly, allowing the user to reset access to their account. This malicious email contains a shortened URL, directing them to a phishing site. The helpful support agent watches in real-time as the user enters their master password into the copycat site. Then, they use it to log into their account and immediately change the primary phone number, email address, and master password, thereby locking the victim out for good.

    This attack reminds us that even the most fortified systems can be infiltrated with a well-crafted deception. The CryptoChameleon doesn't rely on technological exploits; it manipulates our trust in customer service and our inclination to believe what we hear from seemingly legitimate sources, a well-known social engineering tactic.

    So, what can we do to protect ourselves? 

    • Be skeptical of unsolicited calls, especially those asking for sensitive information. Verify the caller's identity by contacting the company directly using a trusted number; we can stay one step ahead. And remember, no reputable company will ask for your master password over the phone.

    LastPass is reminding customers:

    • Ignore any unsolicited or unprompted incoming phone calls (automated or with a live individual) or texts claiming to be from LastPass related to a recent attempt to change your password and account information. These are part of an ongoing phishing campaign. 
    • If you see this activity and are concerned you may have been compromised, contact the company at abuse@lastpass.com.
    • And finally, LastPass will never ask you for your password.

    #ALTACyber



    ------------------------------
    Genady Vishnevetsky
    Chief Info Security Officer
    Stewart Title Guaranty Company
    Houston TX
    ------------------------------
    ALTA Marketplace


  • 2.  RE: Security BUZZ - The Phishing Threat You Didn't See Coming

    Posted 16 days ago

    Genady,

     

    Thank you for your informative and excellent posts! Criminal enterprises are working 24/7 to refine their attacks. We fail to recognize this trend and anticipate their attacks at our peril.

     

    Please continue to post! 

     

    David

    David Tandy
    Chief Executive Officer
    Texas National Title
     www.TexasNationalTitle.com
    Experts You Need, Partners You Can Trust
    2705 Bee Cave Road, Suite 150
    Austin
    TX
    78746
    Phone: 512.381.9910


    From: Genady Vishnevetsky via American Land Title Association. <Mail@ConnectedCommunity.org>
    Sent: Friday, May 3, 2024 8:29 AM
    To: David Tandy <David.Tandy@texasnationaltitle.com>
    Subject: Open Forum : Security BUZZ - The Phishing Threat You Didn't See Coming

     



  • 3.  RE: Security BUZZ - The Phishing Threat You Didn't See Coming

    Posted 13 days ago

    Genady,

    I agree with David - thank you for posting these!

    While this scam seems to be targeting LastPass users, the same concepts apply to any password manager (or any credentials).

    In addition to your suggestions, to protect ourselves, we should all add 2FA for our password managers. The data held by a password manager is too sensitive to protect with only a password.

    Best,

    Andy



    ------------------------------
    Andy White
    CEO
    Closinglock
    Austin TX
    +1 (512) 434-0075
    ------------------------------



  • 4.  RE: Security BUZZ - The Phishing Threat You Didn't See Coming

    Posted 13 days ago

    Very interesting!  Great description!  Thank you!

     

    Arthur Schwartz

    Actuary

    Actuarial Services / Financial Solvency Division

    Louisiana Department of Insurance

    1702 N. Third St (70802)

    P. O. Box 94214, Baton Rouge, LA 70804-9214

    P:225-342-7639

    Arthur.schwartz@ldi.la.gov | https://ldi.la.gov

     

     


     

     






  • 5.  RE: Security BUZZ - The Phishing Threat You Didn't See Coming

    Posted 10 days ago

    Genady:

    We have been in business for almost 20 years. As a tax firm, we have a lot of sensitive information about all our clients. We had NEVER received so many phishing emails until we began working with the title industry; every scam email we receive is pretending to be from a title company. We have extreme IT security in place as well, and many scam emails still make it to our inbox. It is alarming the level of sophistication of the criminals and the attack the title industry is under.

    Thank you for all your work and dedication. I really enjoy your information.



    ------------------------------
    Mary Enzi CAA
    Tax Solutions – FIRPTA Consulting
    mary.santiago@taxss.com
    +1 (281) 578-1040
    Barker TX
    ------------------------------
