
Summary
- Sophisticated phishing targets LastPass users via fake ‘legacy inheritance’ emergency-access emails.
- Attackers use fake login pages and vishing to steal master passwords and stored passkeys.
- Group UNC5356 (CryptoChameleon) appears to be behind the campaign; reminiscent of 2022 LastPass breach and crypto theft.
For some scammers, phishing is an art. As potential victims learn to recognize the old schemes, scammers have to come up with new and fresh ways to trick people. This latest one, targeting LastPass users for the most part, is actually pretty clever.
LastPass has issued an urgent warning to its customers regarding a new, sophisticated phishing campaign designed to steal master passwords and, probably more importantly, users’ passkeys. The campaign itself, which apparently started a few weeks ago, leverages a deceptive social engineering tactic centered on the company’s “legacy inheritance” feature. The infrastructure and domains used in the attack point to CryptoChameleon, a financially motivated threat group also tracked as UNC5356.
The attack itself begins with a phishing email sent to LastPass users. This email falsely claims that a family member has requested emergency access to their LastPass vault by uploading a death certificate. This tactic is designed to weaponize LastPass’s legitimate Emergency Access feature, which allows a designated individual to gain access to a user’s vault after a specified waiting period in the event of the account holder’s death or incapacitation. It’s a genuinely useful feature in real life, since it lets specific family members or trusted individuals get into accounts.
To add a layer of authenticity to the whole thing, the fabricated request includes a fake “agent ID” number. The point of the email, like typical phishing emails, is to create a sense of urgency, prompting the recipient—who is, of course, not deceased—to immediately cancel the fraudulent request by clicking a link. From there, as in other phishing attacks, the link leads to a fake LastPass login page, where victims enter their master passwords and hand them straight to the attackers. LastPass also reports that in some instances, the threat actors have followed up with “vishing,” or voice phishing. Attackers reportedly call victims directly, posing as LastPass staff members. These impostors then use social engineering over the phone to guide the alarmed user to the phishing site and pressure them into entering their credentials.
Since LastPass stores passkeys now, those are being targeted as part of this attack, as evidenced by some of the domains used by the attackers.
This is not the first time LastPass has had an issue like this. In a major 2022 data breach, attackers successfully stole encrypted vault backups. The 2022 breach was later linked to a series of targeted attacks against individuals, resulting in the theft of approximately $4.4 million in cryptocurrency after attackers successfully brute-forced the master passwords of specific victims.
Source: Bleeping Computer