LastPass targeted by phishing attack attempting to trap Internet users

A phishing campaign against Internet users using LastPass as a password manager has been spotted. It uses the CryptoChameleon phishing kit. A site used for phishing has been taken down, but other attempts could occur.

Password managers are generally safe software for securing passwords. In any case, the risk/benefit balance favors these safes when compared to the remaining options (relying on your memory or writing them down in a notebook). However, zero risk does not exist.


In this regard, the publishers of these tools bear the greatest responsibility for providing the highest degree of protection and reliability. That being said, the quality of this security also depends in part on the Internet user: it is not uncommon for the weakest link in the security chain to be a careless user.

The company LastPass, which publishes a password manager, is not unaware of this. If an individual inadvertently provides their username and master password (which is used to unlock the safe), this amounts to letting the wolf into the fold. The intruder will be able to access the secret codes and attempt to log in to the associated accounts.


Phishing campaign against LastPass

It is in this context that LastPass published a notice on its blog and on social networks to inform its community of a hostile campaign that started recently. According to its observations, a phishing kit specifically targeting LastPass was discovered, with a domain imitating the legitimate site.


The alert issued by LastPass does not mean that its password manager is currently affected by a software weakness; the tool is not the victim of computer hacking. However, Internet users run the risk of being fooled and delivering the keys to a malicious third party. This is where the danger lies.

Source: LastPass

The warning given by LastPass should not be taken lightly, given the significant popularity of the tool – there is a free version. Hence the message hammered home by the company: you must not communicate your master password under any circumstances, including to LastPass staff. It is also essential that this password is unique.

The modus operandi of this phishing involved several approaches: by SMS, by email or even by phone call (vishing). The latter tactic obviously required a strong social engineering capacity to fool victims, with the callers presenting themselves as LastPass employees and thus lowering the victims' guard.

The fake messages aimed to direct LastPass users to a very specific domain: help-lastpass.com. It has been neutralized, but others could emerge soon, as the campaign is still active. It uses a phishing kit, CryptoChameleon, which has been associated with the theft of cryptocurrencies.
