CryptoChameleon: Vishing and Phishing Threats Exploiting LastPass and Beyond
At the end of April, LastPass users were warned about a security threat involving social engineering used to trick users into giving up their master passwords.
Since April, others have fallen for the scam. The threat uses a phishing-as-a-service kit called CryptoChameleon to pose as legitimate support, and according to reporting it has spread beyond LastPass to Apple, Okta, FCC employees, and Binance and Coinbase users.
This has become a story of user manipulation and social engineering rather than of technical weaknesses in LastPass or the other tools: victims are asked to give up their (LastPass, Okta, Apple, or other) passwords, and they do. Once they do, their credentials are stolen and they lose access to their accounts.
Here’s how CryptoChameleon works:
The LastPass campaign’s goal was to obtain a user’s master password and compromise his or her password vault. The attackers do this by tricking the victim into entering the master password on a fake but convincing LastPass support page. The campaign takes advantage of a phishing-as-a-service tool called CryptoChameleon, a kit that makes it easier for criminals to steal personal information: it provides everything needed in a ready-made package, lowering the skill bar for criminals looking to steal data.
Here’s how it goes:
The victim is called with an automated message informing them their LastPass account has been accessed from an unknown device and gives instructions to either press 1 and allow the access or press 2 and block it.
Pressing 2 does not block it, however. Instead, it triggers a message telling the user that a customer service representative will call them shortly to close the help ticket and ensure everything is OK.
This follow-up call comes from a spoofed number, with the caller claiming to be a LastPass employee and informing the user that they have been sent an email that includes a link to enable them to reset their account for security reasons.
That link directs the user to the cloned login page, where the user is asked to provide their LastPass master password.
If successful, the criminal locks the user out of their account by changing the primary phone number, email address and master password.
Here’s what we’re doing about this vishing and phishing threat.
LastPass identified and reported that a new fraudulent domain had been registered but not yet activated. ‘help-lastpass [dot] com’ was registered by the attacker and designed to give the viewer confidence that it was genuinely associated with the LastPass service. Trusted Internet has blocked communications with this domain on every firewall.
Trusted Internet has placed monitor/quarantine rules in our email protection service for any mention of ‘LastPass’ or ‘help-lastpass.’
For other, non-LastPass events, Trusted Internet is monitoring for the other domains used and is actively restricting communications with newly registered domains, manually reviewing them before allowing communications.
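The two controls described above (flagging messages that mention the brand or a lookalike domain, and holding newly registered domains for review) can be expressed as a small email scanner. The following is an added example written for this post; it is not Trusted Internet’s or LastPass’s own tooling. It assumes that lastpass.com is the vendor’s official domain, that domains younger than 30 days count as “newly registered”, and that registration dates are supplied by the caller (from WHOIS/RDAP in practice; here they are constructed sample values). The sample message and the registration dates are constructed for the example; only the ‘help-lastpass [dot] com’ domain comes from the post.

```python
import re
from datetime import date

# Assumptions (not from the post): the vendor's official registrable domain,
# and the age below which a domain is treated as newly registered.
BRAND = "lastpass"
OFFICIAL_DOMAINS = {"lastpass.com"}
NEW_DOMAIN_DAYS = 30

# Hostnames with or without a scheme, e.g. "https://help-lastpass.com/reset".
HOST_RE = re.compile(r"(?:https?://)?\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
# Defanged notation such as "help-lastpass [dot] com" or "help-lastpass[.]com".
DEFANG_RE = re.compile(r"\s*\[(?:dot|\.)\]\s*", re.I)


def normalize(text):
    """Collapse defanged notation into real hostnames and lowercase the text."""
    return DEFANG_RE.sub(".", text).lower()


def registrable_domain(host):
    """Naive registrable domain (last two labels). A production scanner would
    consult the public suffix list instead."""
    return ".".join(host.split(".")[-2:])


def is_official(host):
    """True if the host is the official domain or a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify_host(host, registered=None, today=None):
    """Return the reasons a hostname is suspicious (empty list if none).

    registered: registration date of the host's registrable domain, if known."""
    today = today or date.today()
    reasons = []
    # Brand name embedded in a domain the vendor does not own (help-lastpass.com).
    if BRAND in host and not is_official(host):
        reasons.append("brand lookalike")
    # Young domains are held for manual review regardless of their name.
    if registered is not None and (today - registered).days < NEW_DOMAIN_DAYS:
        reasons.append("newly registered")
    return reasons


def scan_email(body, registrations=None, today=None):
    """Flag brand mentions and suspicious hostnames in one message body.

    registrations maps registrable domain -> registration date."""
    registrations = registrations or {}
    text = normalize(body)
    # dict.fromkeys keeps first-seen order while de-duplicating hosts.
    hosts = list(dict.fromkeys(m.group(1) for m in HOST_RE.finditer(text)))
    findings = []
    for host in hosts:
        reasons = classify_host(host, registrations.get(registrable_domain(host)), today)
        if reasons:
            findings.append((host, reasons))
    return {"brand_mentioned": BRAND in text, "suspicious_hosts": findings}


# Constructed sample message and registration data for the example.
SAMPLE_EMAIL = """\
Hello, this is LastPass support. We saw a login from an unknown device.
Reset your account here: https://help-lastpass.com/reset
(Also reachable at help-lastpass [dot] com if the link does not open.)
Help center: https://support.lastpass.com/help
"""
TODAY = date(2024, 5, 1)                                   # constructed
REGISTRATIONS = {"help-lastpass.com": date(2024, 4, 20)}    # constructed

if __name__ == "__main__":
    result = scan_email(SAMPLE_EMAIL, REGISTRATIONS, TODAY)
    print(result)
```

The message is quarantined if `brand_mentioned` is true or `suspicious_hosts` is non-empty; a genuine link to a subdomain of the official domain (support.lastpass.com in the sample) produces no finding, while the lookalike domain is flagged both for carrying the brand name and for being registered days earlier.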
Here’s What You Can Do To Protect Yourself:
Users are advised to take immediate steps to secure their accounts:
NEVER give out your Master Password, even to LastPass. The same holds true for Apple, Okta, and others. Support should never ask you for your password; treat it as a red flag if they do.
Enable Multifactor Authentication (MFA): MFA adds an extra layer of security, making it more difficult for attackers to gain access even if they have your master password.
Change Your Master Password: Ensure that your new password is strong and unique. Avoid using the same password across multiple sites.
Be Vigilant: Do not respond to unsolicited calls or emails claiming to be from LastPass or others. Instead, contact support directly, only through their official channels.
Monitor for Unusual Activity: Keep an eye on your account for any signs of unauthorized access and report any suspicious activity to LastPass immediately.
This incident underscores the importance of robust security practices and the need for constant vigilance in the face of evolving cyber threats and cybercriminals’ ability to manipulate human thinking.
Trusted Sources To Follow
For more detailed information and updates, refer to these and other cybersecurity news outlets:
Forbes
Bleeping Computer
Android Central, and other cybersecurity news outlets.
Contact Us For Help
And last, should you suspect a threat, contact Trusted Internet’s Executive Cyber Support Center or your Virtual CISO™ immediately for evaluation.