The CryptoChameleon phishing kit is being leveraged by vishing attackers looking to trick LastPass users into sharing their master password.
“Initially, we learned of a new parked domain (help-lastpass[.]com) and immediately marked the website for monitoring should it go live and start serving a phishing site intended to imitate our login page or something similar. Once we identified that this site went active and was being used in a phishing campaign against our customers, we worked with our vendor to take down the site,” LastPass intelligence analyst Mike Kosak explained.
The site has been taken down, but the company expects others to pop up quickly, and is thus warning users to be wary of attackers calling them up and posing as a company representative.
The vishing attack impersonating LastPass
The calls come from an 888 number and the caller claims the user’s LastPass account has been accessed from a new device, and instructs them to press “1” to allow the access or “2” to block it.
“If the recipient presses ‘2’, they are told they will receive a call shortly from a customer representative to ‘close the ticket’,” Kosak says.
They then receive a phone call from a spoofed phone number. The caller claims to be a LastPass employee and tells the recipient to expect an email that will tell them how to reset access to their account.
Thus primed, the recipient is less likely to check the email carefully for indicators of phishing, and more likely to click the provided shortened URL and land on the aforementioned phishing site.
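The email in this campaign carries two indicators a defender can check for automatically: a link to a brand-lookalike domain (help-lastpass[.]com) and a shortened URL that hides the final destination. The following is an added example, not code from LastPass or from the article, of a small mail/SMS triage helper that refangs defanged indicators, extracts URLs, and flags both patterns. The set of legitimate domains, the brand token, the list of shortener domains and the sample message are all constructed assumptions for the demonstration.

```python
import re
from urllib.parse import urlparse

# Assumption: the only genuine domain that should host a LastPass login page.
LEGIT_DOMAINS = {"lastpass.com"}
# Brand strings whose presence in a non-legitimate host is suspicious.
BRAND_TOKENS = ("lastpass",)
# Assumption: a few well-known public URL shorteners; extend for your environment.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def refang(text):
    """Undo the common defanging used in threat-intel sharing (hxxp, [.])."""
    return text.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


def registered_domain(host):
    """Simplified registrable domain: the last two labels (ignores multi-part TLDs such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_url(url):
    """Return a list of finding labels for one URL (empty list means nothing flagged)."""
    host = urlparse(refang(url)).hostname or ""
    reg = registered_domain(host)
    findings = []
    if reg in URL_SHORTENERS:
        # A shortener hides the true landing page; the article notes the lure used one.
        findings.append("shortened-link")
    for token in BRAND_TOKENS:
        # Brand name present anywhere in the host, but the registrable domain is not the real one:
        # catches help-lastpass.com as well as lastpass.com.evil.example-style subdomains.
        if token in host and reg not in LEGIT_DOMAINS:
            findings.append(f"brand-lookalike:{token}")
    return findings


def triage_message(text):
    """Map every flagged URL in a message body to its findings."""
    results = {}
    for url in URL_RE.findall(refang(text)):
        url = url.rstrip(".,;)")  # strip trailing punctuation glued to the link
        findings = assess_url(url)
        if findings:
            results[url] = findings
    return results


# Constructed sample lure modelled on the flow the article describes; not a real message.
SAMPLE_EMAIL = (
    "A LastPass representative will call you shortly. "
    "To reset access to your account, visit https://help-lastpass[.]com/reset-access "
    "or use the short link https://bit.ly/EXAMPLE."
)

if __name__ == "__main__":
    for url, findings in triage_message(SAMPLE_EMAIL).items():
        print(url, "->", ", ".join(findings))
```

Running the block prints both links with their findings. The check is deliberately conservative: a genuine lastpass.com link produces no finding, while any host that mentions the brand but is registered elsewhere is flagged, which is the pattern the parked help-lastpass[.]com domain fits. For production use the two-label registered-domain heuristic should be replaced with a public-suffix-list lookup.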
The (very convincing) phishing email
“If the recipient inputs their master password into the phishing site, the threat actor attempts to log in to the LastPass account and change settings within the account to lock out the authentic user and take control of the account. These changes may include changing the primary phone number and email address as well as the master password itself,” Kosak concluded.
These campaigns are expected to continue
CryptoChameleon is a relatively new phishing kit that allows threat actors to create fake login pages that look very much like the real thing, allowing them to steal credentials and occasionally other sensitive data.
According to Lookout researchers, the phishing kit is capable of replicating login pages of popular cryptocurrency exchanges and other services (Binance, Coinbase, Gemini, Kraken, Trezor, etc.) and email, password management, and single sign-on (SSO) services such as Gmail, Outlook, iCloud, AOL, LastPass, Okta, and others.
Users are generally directed to the phishing pages via SMS messages, emails, and phone calls.
“We have worked hard to disrupt this phishing campaign and have had the initial phishing site taken down. However, as the initial phishing kit itself continues to offer LastPass branding, we are sharing this information so that our customers can be aware of these tactics and take the appropriate response should they receive a suspicious call, text, or email,” Kosak noted.
Suspicious phone calls, texts and emails should be reported/forwarded to [email protected].