Thursday, 7 November 2024

LastPass Warns of Scam: Don’t Press 1 or 2

LastPass, a widely used password manager, has issued a critical warning to its users regarding a new scam that could potentially compromise their account master passwords. The scam involves a cybercrime campaign linked to CryptoChameleon, a phishing-as-a-service kit that simplifies the theft of personal information. According to Mike Kosak, a senior principal intelligence analyst at LastPass, cybercriminals can use these kits to create fake websites that mimic legitimate login pages, making it easier to steal passwords and authentication data. This stolen information can then be used by criminals themselves or sold to other malicious actors.

The scam begins with an automated call to the victim, informing them that their LastPass account has been accessed from an unknown device. The call instructs the victim to either press 1 to allow access or press 2 to block it. If the victim presses 2, they receive a follow-up call from a spoofed number, with the caller claiming to be a LastPass employee. The caller informs the victim that they will shortly receive an email with a link to reset their account for security reasons.

The email, however, contains a link that redirects the victim to a cloned login page, where they are prompted to enter their LastPass master password. If the victim falls for this trick and enters their password, the criminals can then lock the victim out of their own account by changing the primary phone number, email address, and master password.

LastPass detected the scam when intelligence analysts identified a fraudulent domain, ‘help-lastpass [dot] com,’ designed to appear as a legitimate LastPass service. Although LastPass took steps to shut down the domain, the continuous availability of the CryptoChameleon phishing kit means that the scam may persist.
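For defenders who triage reported links or filter inbound mail, the lookalike pattern described above can be checked mechanically. The following is an added example, not code from LastPass or from the original article; the trusted-domain list is an assumption derived only from the abuse@lastpass.com address the article cites, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Assumption: lastpass.com is the only trusted domain, taken from the
# abuse@lastpass.com address in the article. Extend for your environment.
TRUSTED_DOMAINS = {"lastpass.com"}
BRAND = "lastpass"


def refang(url: str) -> str:
    """Undo common defanging so reported indicators can be parsed."""
    for token in (" [dot] ", "[dot]", "[.]", "(dot)"):
        url = url.replace(token, ".")
    return url.replace("hxxp", "http", 1)


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a link's host."""
    url = refang(url.strip())
    if "://" not in url:
        url = "https://" + url  # bare domains as they appear in reports
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    # Trusted only on an exact match or a true subdomain. A hyphenated
    # prefix such as "help-lastpass.com" is a different registrable domain.
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return "trusted"
    # Brand string anywhere else in the authority part, including the
    # userinfo before "@" and hosts like lastpass.com.example.net.
    squashed = parts.netloc.lower().replace("-", "").replace(".", "")
    if BRAND in squashed:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, except the domain quoted in the article.
    for link in ("help-lastpass [dot] com",
                 "https://lastpass.com/",
                 "https://lastpass.com@help-lastpass.com/reset",
                 "https://lastpass.com.example.net/login"):
        print(f"{classify_link(link):10} {link}")
```

The check matches on the literal brand string only, so it does not catch homoglyph or misspelled variants.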

In response to the threat, LastPass urges its users to be vigilant. If they receive a call from someone claiming to work for LastPass, they should hang up and report the details to abuse@lastpass.com. Any suspicious text messages or emails purporting to be from LastPass should also be reported to the same address. LastPass emphasizes that it will never ask for a user’s master password via phone call, text message, or email, and advises users to be cautious of such requests.
