LastPass users lose master passwords in ultra-convincing scam

An ongoing and highly sophisticated phishing campaign may have led some LastPass users to give up their all-important master passwords to hackers.

Password managers store all of a user’s passwords (for Instagram, their work, and everything else) in one place, protected by a “master” password. They relieve users of having to remember credentials for hundreds of accounts and allow them to use more complicated and unique passwords for each account. On the other hand, if a threatening actor gains access to the master passwordthey will have the keys to each of the accounts inside.

log into CryptoChameleon, a new practical phishing kit of unparalleled realism.

CryptoChameleon attacks tend not to be as widespread, but they succeed in times that are largely unseen in the world of cybercrime, “which is why we typically see them targeting businesses and other very high-value targets,” explains David Richardson, vice president of threat intelligence at Lookout, which first identified and reported the latest campaign to LastPass. “A password vault is a natural extension, because obviously you’ll be able to monetize it at the end of the day.”

So far, CryptoChameleon has managed to trap at least eight LastPass customers – but likely more – by potentially exposing their master passwords.

A brief history of CryptoChameleon

Initially, CryptoChameleon looked like any other phishing kit.

Its operators had been around since late last year. In January they began targeting cryptocurrency exchanges Coinbase and Binance. This initial targeting, plus its highly customizable toolset, earned it its name.

However, the situation changed in February, when the fcc-okta domain was registered[.]com, mimicking the Okta Single Sign On (SSO) page belonging to the United States Federal Communications Commission (FCC). “This has suddenly transformed the system from one of the many consumer phishing kits that we see out there to something that will turn into targeting the company, going after company credentials,” Richardson recalls.

Richardson confirmed to Dark Reading that FCC employees were hit, but could not say how many or whether the attacks led to any consequences for the agency. It was a sophisticated attack, he notes, which he says worked even against trained employees.

The problem with CryptoChameleon wasn’t just who it targeted, but how well it managed to defeat them. His trick was thorough, patient and direct involvement with victims.

Let us consider, for example, the current campaign against LastPass.

Stealing LastPass master passwords

It begins when a customer receives a call from an 888 number. A robocaller informs the customer that their account has been accessed from a new device. Then they are asked to press “1” to allow access or “2” to block access. After pressing “2,” they are told they will receive a call from a customer service representative shortly to “close the ticket.”

Then the call comes. Unbeknownst to the recipient, it comes from a spoofed number. On the other end of the line is a live person, typically with an American accent. Other CryptoChameleon victims also reported speaking to British agents.

“The agent has professional call center communication skills and offers really good advice,” Richardson recalls from his numerous conversations with victims. “So, for example, they might say, ‘I want you to text me this support phone number.’ And they make victims write down the real helpline number of whoever they’re impersonating and then give them a whole lecture: “Just call us at this number.” I received a complaint from a victim that actually said: “For quality and training purposes, this call will be recorded.” They are using the full script of the call, everything you can think of to make someone believe that they are really talking to this company right now.”

This supposed support agent informs the user that it will send an email shortly, allowing the user to reset access to their account. In reality, it is a malicious email containing a shortened URL, which directs to a phishing site.

The helpful support agent watches in real time as the user enters the master password into the copycat site. They then use it to log into their account and immediately change their primary phone number, email address, and master password, thus permanently locking out the victim.

Meanwhile, Richardson says, “They don’t realize it’s a scam, none of the victims I’ve talked to. One person said, ‘I don’t think I ever put my master password in there.’ [I told them] “You spent 23 minutes on the phone with these guys. You probably did.'”

The damage

LastPass blocked the suspicious domain used in the attack: help-lastpass[.]com – shortly after being published. The attackers, however, were persistent and continued their activity with a new IP address.

Thanks to visibility into the attackers’ internal systems, Richardson was able to identify at least eight victims. He also offered evidence (which Dark Reading keeps confidential) that indicates there may have been more than these.

When asked for further information, LastPass senior intelligence analyst Mike Kosak told Dark Reading: “We do not disclose details on the number of customers affected by this type of campaign, but we support any customer who may be a victim of this and other scams We encourage people to report potential phishing scams and other nefarious activities impersonating LastPass [email protected].”

Is there any defense?

Since practical CryptoChameleon attackers talk to their victims through any security barriers such as multi-factor authentication (MFA), the defense against them begins with awareness.

“People need to be aware that attackers can spoof phone numbers. Just because an 800 or 888 number calls you, doesn’t mean it’s legitimate,” Richardson says, adding that “just because there’s an American on the other end of the telephone”. the phrase also does not mean it is legitimate.”

In fact, he says, “Don’t answer the phone from unknown callers. I know that’s a sad reality of the world we live in today.”

Despite all the awareness and precautions known to business users and consumers, a particularly sophisticated social engineering attack could still get through.

“One of the CryptoChameleon victims I spoke to was a retired IT professional,” Richardson recalls. “She said, ‘I’ve trained all my life not to fall for these types of attacks. Somehow I fell for them.'”

LastPass has asked Dark Reading to remind customers of the following: