Hackers Posing as LastPass Employee to Steal Master Password & Hijack Accounts

In a sophisticated cyber attack, hackers have been discovered impersonating LastPass employees in an elaborate phishing campaign designed to steal users’ master passwords and hijack their accounts.

This alarming development was recently highlighted by LastPass on their official blog, shedding light on the dangers posed by the CryptoChameleon phishing kit.

The campaign, initially identified by cybersecurity firm Lookout, utilizes the CryptoChameleon phishing kit—a notorious tool linked to previous crypto thefts.

Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot

This software allows cybercriminals to create counterfeit websites that look like legitimate services, complete with authentic graphics and logos.

The primary aim is to deceive users into entering their login credentials, which can then be used or sold by the attackers.

Modus Operandi of the Hackers

The attack unfolds in stages, beginning with the victim receiving a phone call from a number that appears to be associated with LastPass. The caller, who speaks with an American accent, claims to be a LastPass employee.

During the conversation, the supposed employee informs the victim of a security issue affecting their account and offers to send an email to help reset their access.

This email, however, contains a malicious link to a phishing site (help-lastpass[.]com) cleverly designed to replicate the LastPass interface.

Victims are tricked into entering their master password on this site. Once the hackers obtain this information, they attempt to access the real LastPass account, changing critical settings such as the primary phone number, email address, and the master password itself.

This effectively locks out the legitimate user and grants the attacker full control over the account.

Immediate Actions and Recommendations

LastPass has acted swiftly to mitigate the impact of this phishing campaign. The initial phishing site has been taken down, and efforts are ongoing to neutralize the threat posed by the phishing kit. However, the company urges users to remain vigilant.

They recommend that users should:

  • Be skeptical of unsolicited communications, even if they appear to come from trusted entities.
  • Verify the authenticity of any request by contacting the company directly through official channels.
  • Avoid clicking on links or downloading attachments from unknown or suspicious emails.
  • Use multi-factor authentication (MFA) to add an extra layer of security to their accounts.

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.