Friday, 3 May 2024

LastPass Warns of Scam: Don’t Press 1 or 2

LastPass, a widely used password manager, has issued a critical warning to its users about a new scam that could compromise their account master passwords. The scam is part of a cybercrime campaign linked to CryptoChameleon, a phishing-as-a-service kit that simplifies the theft of personal information. According to Mike Kosak, a senior principal intelligence analyst at LastPass, cybercriminals can use these kits to create fake websites that mimic legitimate login pages, making it easier to steal passwords and authentication data. The stolen information can then be used by the criminals themselves or sold to other malicious actors.

The scam begins with an automated call to the victim, informing them that their LastPass account has been accessed from an unknown device. The call instructs the victim to either press 1 to allow access or press 2 to block it. If the victim presses 2, they receive a follow-up call from a spoofed number, with the caller claiming to be a LastPass employee. The caller informs the victim that they will shortly receive an email with a link to reset their account for security reasons.

The email, however, contains a link that redirects the victim to a cloned login page, where they are prompted to enter their LastPass master password. If the victim falls for this trick and enters their password, the criminals can then lock the victim out of their own account by changing the primary phone number, email address, and master password.

LastPass detected the scam when intelligence analysts identified a fraudulent domain, ‘help-lastpass [dot] com,’ designed to appear as a legitimate LastPass service. Although LastPass took steps to shut down the domain, the continued availability of the CryptoChameleon phishing kit means that the scam may persist.

In response to the threat, LastPass urges its users to be vigilant. If they receive a call from someone claiming to work for LastPass, they should hang up and report the details to abuse@lastpass.com. Any suspicious text messages or emails purporting to be from LastPass should also be reported to the same address. LastPass emphasizes that it will never ask for a user’s master password via phone call, text message, or email, and advises users to be cautious of such requests.
