News on Medial

LastPass users targeted in phishing attacks good enough to trick even the savvy

Arstechnica · 7m

A recent phishing campaign targeted LastPass users by using a combination of emails, SMS, and voice calls to trick them into revealing their master passwords, according to company officials. The attackers used an advanced phishing-as-a-service kit called CryptoChameleon, which includes high-quality URLs, counterfeit sign-on pages, and real-time communications options. LastPass was one of several sensitive services targeted by CryptoChameleon. LastPass users were instructed to press a number to allow or block access to their account, then received a follow-up call from a spoofed number posing as a LastPass employee. The attackers attempted to steal user credentials and take control of the account. This is not the first time LastPass has been targeted, as previous attacks have resulted in data breaches and unauthorized access to user vaults. To protect themselves, users should be cautious of incoming phone calls and always contact the service directly using official contact information.