In the digital age, our lives are increasingly managed online, and with that comes the need for heightened security. Password managers have become our digital vaults, promising to keep our countless passwords safe under the watch of one master key. But what happens when that master key falls into the wrong hands?
Be on high alert: CryptoChameleon is a highly sophisticated and alarming phishing campaign currently targeting LastPass users. This meticulously planned and executed operation has already impacted at least eight individuals, with potentially more unsuspecting victims.
The con begins with a phone call from an 888 number, seemingly from LastPass, alerting customers to unauthorized access attempts. A robocall informs the customer that their account has been accessed from a new device. It then prompts them to press "1" to allow access or "2" to block it. After pressing "2," they're told that they'll receive a call shortly from a customer service representative to "close the ticket."
Here's how the deception unfolds. The recipient receives a call, seemingly from LastPass, but it's actually from a spoofed number. On the other end is a live person, often with an American accent or sometimes a British one. This supposed support agent informs the user that they'll be sending an email shortly, allowing the user to reset access to their account. This malicious email contains a shortened URL, directing them to a phishing site. The helpful support agent watches in real-time as the user enters their master password into the copycat site. Then, they use it to log into their account and immediately change the primary phone number, email address, and master password, thereby locking the victim out for good.
This attack reminds us that even the most fortified systems can be infiltrated with a well-crafted deception. CryptoChameleon doesn't rely on technological exploits; it manipulates our trust in customer service and our inclination to believe what we hear from seemingly legitimate sources, a well-known social engineering tactic.
So, what can we do to protect ourselves?
- Be skeptical of unsolicited calls, especially those asking for sensitive information. Verify the caller's identity by hanging up and contacting the company directly using a trusted number; that way, we can stay one step ahead. And remember, no reputable company will ask for your master password over the phone.
LastPass reminds customers:
- Ignore any unsolicited or unprompted incoming phone calls (automated or with a live individual) or texts claiming to be from LastPass related to a recent attempt to change your password and account information. These are part of an ongoing phishing campaign.
- If you see this activity and are concerned you may have been compromised, contact the company at abuse@lastpass.com.
- And finally, LastPass will never ask you for your password.
#ALTACyber
------------------------------
Genady Vishnevetsky
Chief Info Security Officer
Stewart Title Guaranty Company
Houston TX
------------------------------