Sunday, 24 November 2024

LastPass Warns of Scam: Don’t Press 1 or 2


LastPass, a widely used password manager, has issued a critical warning to its users about a new scam that could compromise their account master passwords. The scam is part of a cybercrime campaign linked to CryptoChameleon, a phishing-as-a-service kit that simplifies the theft of personal information. According to Mike Kosak, a senior principal intelligence analyst at LastPass, cybercriminals can use these kits to create fake websites that mimic legitimate login pages, making it easier to steal passwords and authentication data. The stolen information can then be used by the criminals themselves or sold to other malicious actors.

The scam begins with an automated call to the victim, informing them that their LastPass account has been accessed from an unknown device. The call instructs the victim to either press 1 to allow access or press 2 to block it. If the victim presses 2, they receive a follow-up call from a spoofed number, with the caller claiming to be a LastPass employee. The caller informs the victim that they will shortly receive an email with a link to reset their account for security reasons.

The email, however, contains a link that redirects the victim to a cloned login page, where they are prompted to enter their LastPass master password. If the victim falls for this trick and enters their password, the criminals can then lock the victim out of their own account by changing the primary phone number, email address, and master password.

LastPass detected the scam when intelligence analysts identified a fraudulent domain, ‘help-lastpass [dot] com,’ designed to appear as a legitimate LastPass service. Although LastPass took steps to shut down the domain, the continuous availability of the CryptoChameleon phishing kit means that the scam may persist.

In response to the threat, LastPass urges its users to be vigilant. If they receive a call from someone claiming to work for LastPass, they should hang up and report the details to abuse@lastpass.com. Any suspicious text messages or emails purporting to be from LastPass should also be reported to the same address. LastPass emphasizes that it will never ask for a user’s master password via phone call, text message, or email, and advises users to be cautious of such requests.
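As an added example (not LastPass's own tooling), the sketch below shows how a mail filter or help desk could triage links in messages purporting to be from LastPass: it flags any link that uses the brand name outside the real domain, which is the pattern of the fraudulent domain described above. It assumes `lastpass.com` is the only legitimate registrable domain; the function names and all sample links other than the article's defanged domain are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

BRAND = "lastpass"
# Assumption: lastpass.com (the domain of the reporting address) is the only
# registrable domain treated as legitimate here.
LEGIT_DOMAINS = ("lastpass.com",)
# Digits commonly swapped in for letters in lookalike names.
LEET = str.maketrans("01345", "oleas")

def refang(link):
    """Undo defanging such as 'hxxps://' and '[dot]' so the link can be parsed."""
    link = re.sub(r"\s*\[\s*(?:dot|\.)\s*\]\s*", ".", link.strip(), flags=re.I)
    return re.sub(r"^hxxp", "http", link, flags=re.I)

def authority(link):
    """Return (netloc, hostname) of a link, tolerating a missing scheme."""
    link = refang(link)
    if "://" not in link:
        link = "//" + link
    parts = urlsplit(link)
    return parts.netloc.lower(), (parts.hostname or "").rstrip(".").lower()

def classify(link):
    """'legitimate', 'lookalike' (brand used outside the real domain) or 'other'."""
    netloc, host = authority(link)
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legitimate"
    # Check the whole authority part so a brand placed in the userinfo
    # ("lastpass.com@host") or behind digit substitutions is still caught.
    squashed = re.sub(r"[^a-z0-9]", "", netloc).translate(LEET)
    return "lookalike" if BRAND in squashed else "other"

# Constructed sample links; only the first (defanged) domain is from the article.
SAMPLES = [
    "help-lastpass [dot] com/reset",
    "https://lastpass.com/",
    "https://blog.lastpass.com/posts",
    "https://lastpass.com.account-check.example/login",
    "https://lastpass.com@login.example/reset",
    "hxxps://1astpa55-support[.]example/",
    "https://example.org/newsletter",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):10}  {s}")
```

The check does not decode internationalized (punycode) hostnames, so homoglyph domains need a separate step.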
