Password-manager LastPass users were recently targeted by a convincing phishing campaign that used a combination of email, SMS, and voice calls to trick targets into divulging their master passwords, company officials said.
The attackers used an advanced phishing-as-a-service kit discovered in February by researchers from mobile security firm Lookout. Dubbed CryptoChameleon for its focus on cryptocurrency accounts, the kit provides all the resources needed to trick even relatively savvy people into believing the communications are legitimate. Elements include high-quality URLs, a counterfeit single sign-on page for the service the target is using, and everything needed to make voice calls or send emails or texts in real time as targets are visiting a fake site. The end-to-end service can also bypass multi-factor authentication in the event a target is using the protection.
LastPass in the crosshairs
Lookout said that LastPass was one of dozens of sensitive services or sites CryptoChameleon was configured to spoof. Others targeted included the Federal Communications Commission, Coinbase and other cryptocurrency exchanges, and email, password management, and single sign-on services including Okta, iCloud, and Outlook. When Lookout researchers accessed a database one CryptoChameleon subscriber used, they found that a high percentage of the contents collected in the scams appeared to be legitimate email addresses, passwords, one-time-password tokens, password reset URLs, and photos of driver’s licenses. Typically, such databases are filled with junk entries.
LastPass officials said Thursday that threat actors recently used CryptoChameleon to target users of the password manager. They said the tactics used in the campaign were:
- The customer receives a call from an 888 number claiming their LastPass account has been accessed from a new device and instructing them to press “1” to allow the access or “2” to block it.
- If the recipient presses “2,” they are told they will receive a call shortly from a customer representative to “close the ticket.”
- The recipient then receives a second call from a spoofed phone number and the caller identifies themself as a LastPass employee. This individual typically has an American accent. The caller will send the recipient an email they claim will allow them to reset access to their account. This will actually be a phishing email with a shortened URL that will send them to the “help-lastpass[.]com” site designed to steal the user’s credentials.
- If the recipient inputs their master password into the phishing site, the threat actor attempts to log in to the LastPass account and change settings within the account to lock out the authentic user and take control of the account. These changes may include changing the primary phone number and email address as well as the master password itself.
The campaign actively targeted LastPass customers on April 15 and 16, a company representative said in an email. LastPass got the fraudulent site taken down on April 16.
The campaign is the latest to target LastPass. In August of 2022, LastPass revealed that it was one of roughly a dozen targets hit in a serial attack by a single resourceful threat actor. In December, LastPass said the breach led to the theft of data including user password vaults and the cryptographically hashed passwords that protected them. Early last year, LastPass disclosed a successful breach of an employee’s home computer and a corporate vault that was stored on it.LastPass has continued to be targeted this year. A fraudulent app spoofing the LastPass one was removed from the App Store. Last week, LastPass said one of its employees was targeted by a deepfake audio call designed to spoof the voice of company CEO Karim Toubba.
Feels like the real thing
Other advanced features offered by CryptoChameleon include a captcha page, a novel offering that prevents automated analysis tools used by researchers and law enforcement from crawling the Web and identifying phishing sites. The captcha may also make the page look more convincing to targets.
Another feature is an administrative console operators can use in real time to monitor visits to a spoofed site. In the event a target enters credentials, the operator can select from a list of options for how to respond.
“The attacker likely attempts to log in using these credentials in real time, then redirects the victim to the appropriate page depending on what additional information is requested by the MFA service the attacker is trying to access,” Lookout researchers wrote in the February post. “For example, they can be redirected to a page that asks for their MFA token from their authenticator app or a page requesting an SMS-based token.”
Attackers can also respond using voice calls. Lookout observed one threat actor encouraging a target by phone to complete the steps needed for the account compromise. Targets Lookout researchers spoke to described the voices as sounding “American,” “well spoken,” and having “professional call-center skills.”
The logs Lookout found showed that the majority of login data collected came from iOS and Android devices, an indication the attacks are primarily targeting mobile devices. Most of the victims were located in the US.
To prevent these sorts of scams from succeeding, people should remember that incoming phone calls can be easily spoofed to appear to come from anywhere. When receiving a call or SMS claiming to come from a service, people on the receiving end should always end the call and contact the service directly using its official email address, website, or phone number.
More generally, companies and end users should always use multi-factor authentication to lockdown accounts when possible and ensure it’s compliant with the FIDO standard when available. MFA available through push notifications or one-time passwords provided by text, email, or authenticator apps are better than nothing, but as events over the past few years have demonstrated, they are themselves easily defeated in credential phishing attacks.
