Very advanced phishing campaign targets LastPass users

Take action: As a general rule, never trust an unexpected incoming call or email from anyone claiming to be from a service or system you use; it is very probably a scam. Instead of engaging with the caller or sender, open the official website or web application yourself and use its own links to create a support ticket, lock down the account, or change the password. NEVER click a link in such an email, and NEVER grant remote access to your computer to someone who demands it.

Learn More

LastPass users are being targeted in a sophisticated phishing campaign that uses a phishing-as-a-service kit called CryptoChameleon. The CryptoChameleon service provides a high-quality counterfeit single sign-on page and communicates with the real LastPass service in real time to make the fraudulent login flow look authentic. The kit is notable for its ability to mimic legitimate security measures such as captcha pages, and for its administrative console that lets operators monitor captured credentials in real time, which complicates detection and increases believability.

The campaign is a multilayered deception involving emails, SMS, and voice calls to trick users into revealing their master passwords.

Attack tactics in detail:

  1. The victim receives an initial call from an 888 number "warning" them that a new device has accessed their LastPass account, followed by a prompt to press "1" to allow or "2" to block the access.
  2. Choosing "2" leads to a second call from a spoofed number, in which the caller, posing as a LastPass employee with an American accent, directs the victim to a phishing website via an emailed link.
  3. Entering the master password on this site allows the attackers to access the LastPass account directly, change account settings, and lock out the legitimate user.

This phishing operation has also been observed targeting other sensitive services, including the Federal Communications Commission, Coinbase, and major platforms such as Okta, iCloud, and Outlook.

Users should not trust unexpected calls, and should instead use the contact channels published on the official websites of the "companies" in question to check for any foul play.