Multiple LastPass Users Lose Master Passwords to Ultra-Convincing Scam

An ongoing, highly sophisticated phishing campaign may have led some LastPass users to give up their all-important master passwords to hackers.

Password managers store all of a user's passwords — for Instagram, their job, and everything in between — in one place, protected by one "master" password. They unburden users from having to remember credentials for hundreds of accounts, and empower them to use more complicated, unique passwords for each account. On the other hand, if a threat actor gains access to the master password, they'll have keys to every single one of the accounts within.

Enter CryptoChameleon, a new, hands-on phishing kit of unparalleled realism. 

CryptoChameleon attacks tend not to be so widespread, but they're successful at a clip largely unseen across the cybercrime world, "which is why we typically see this targeting enterprises and other very high-value targets," explains David Richardson, vice president of threat intelligence at Lookout, which first identified and reported the latest campaign to LastPass. "A password vault is a natural extension, because you're obviously going to be able to monetize that at the end of the day."

Thus far, CryptoChameleon has managed to ensnare at least eight LastPass customers — but likely more — potentially exposing their master passwords.

A Brief History of CryptoChameleon

At first, CryptoChameleon looked like any other phishing kit.

Its operators had been around since late last year. In January, they began by targeting the cryptocurrency exchanges Coinbase and Binance. This initial targeting, plus its highly customizable toolset, earned it its name.

The picture changed in February, though, when they registered the domain fcc-okta[.]com, mimicking the Okta Single Sign On (SSO) page belonging to the US's Federal Communications Commission (FCC). "That suddenly made this rise from one of many consumer phishing kits that we see out there, to something that's going to pivot into targeting the enterprise, going after corporate credentials," Richardson recalls.

Richardson confirmed to Dark Reading that FCC employees were impacted, but could not say how many or whether the attacks led to any consequences for the agency. It was a sophisticated attack, he notes, that he expects to have worked even on trained employees.

The problem with CryptoChameleon wasn't just who it was targeting, but how well it did at defeating them. Its trick was thorough, patient, hands-on engagement with victims.

Consider, for example, the current campaign against LastPass.

Stealing LastPass Master Passwords

It begins when a customer receives a call from an 888 number. A robo caller informs the customer that their account has been accessed from a new device. It then prompts them to press "1" to allow access, or "2" to block it. After pressing "2," they're told that they'll be receiving a call shortly from a customer service representative in order to "close the ticket."

Then the call comes in. Unbeknownst to the recipient, it's from a spoofed number. On the other end of the line is a live person, typically with an American accent. Other CryptoChameleon victims have also reported speaking with British agents.

"The agent has professional call center communication skills, and offers genuinely good advice," Richardson recalls from his many conversations with victims. "So, for example, they might say: 'I want you to write down this support phone number for me.' And they have victims write down the real support phone number for whoever they're impersonating. And then they give them a whole lecture: 'Only call us on this number.' I had a victim report that they actually said, 'For quality and training purposes, this call is being recorded.' They're using the full call script, everything that you can think of to make someone believe that they're really talking to this company right now."

This supposed support agent informs the user that they'll be sending an email shortly, allowing the user to reset access to their account. In fact, this is a malicious email containing a shortened URL, directing them to a phishing site.

The helpful support agent watches in real time as the user enters their master password into the copycat site. Then they use it to log into their account, and immediately change the primary phone number, email address, and master password, thereby locking the victim out for good.

All the while, Richardson says, "They don't realize it's a scam — none of the victims I talked to. One person said, 'I don't think I ever entered my master password in there.' [I told them] 'You spent 23 minutes on the phone with these guys. You probably did.'"

The Damage

LastPass shut down the suspicious domain used in the attack — help-lastpass[.]com — shortly after it went live. The attackers have been persistent, though, continuing their activity under a new IP address.

With visibility into the attackers' internal systems, Richardson was able to identify at least eight victims. He also offered evidence (which Dark Reading is keeping confidential) indicating that there may have been more than that.

When asked for further information, LastPass senior intelligence analyst Mike Kosak told Dark Reading, "We do not disclose details on the number of customers who are impacted by this type of campaign, but we support any customer who may be a victim of this and other scams. We encourage people to report potential phishing scams and other nefarious activity impersonating LastPass to us at [email protected]."

Is There Any Defense?

Because hands-on CryptoChameleon attackers talk their victims through any potential security barriers like multifactor authentication (MFA), defending against them begins with awareness.

"People need to be aware that attackers can spoof phone numbers — that just because an 800 or 888 number calls you, it doesn't mean that it's legitimate," Richardson says, adding that  "just because there's an American on the other end of the line also does not mean that it's legitimate."

In fact, he says, "Don't answer the phone from unknown callers. I know that's a sad reality of the world that we live in today."

Even with all the awareness and precautionary measures known to business users and consumers, though, a particularly sophisticated social engineering attack might still get through.

"One of the CryptoChameleon victims I talked to was a retired IT professional," Richardson recalls. "He said, 'I've gotten training my whole life to not fall for these kinds of attacks. Somehow I fell for it'."

LastPass has asked Dark Reading to remind customers of the following: