No One Uploaded a Death Certificate To Your LastPass Account


Summary
- Sophisticated phishing targets LastPass users via fake “legacy” emergency access emails.
- Attackers use fake login pages and vishing to steal master passwords and stored access keys.
- The group UNC5356 (CryptoChameleon) appears to be behind the campaign; reminiscent of the 2022 LastPass breach and crypto theft.
For some scammers, phishing is an art. As users catch on to the usual tricks, scammers need new ways to get people to take the bait. The latest lure, aimed mostly at LastPass users, is actually quite clever.
LastPass has issued an urgent warning to its customers about a sophisticated new phishing campaign designed to steal users’ master passwords and, probably more importantly, stored access keys. The campaign, which apparently began a few weeks ago, relies on a deceptive social engineering tactic built around the company’s emergency access (“legacy”) feature. The infrastructure and domains used in the attack point to CryptoChameleon, a financially motivated threat group also tracked as UNC5356.
The attack begins with a phishing email sent to LastPass users. The email falsely claims that a family member has requested emergency access to their LastPass vault by uploading a death certificate. This tactic weaponizes LastPass’ legitimate emergency access feature, which allows a designated individual to access a user’s vault after a specified waiting period in the event of the account holder’s death or incapacity. In real life this is a genuinely useful feature, because it lets specific family members or trusted people get into the accounts they need.
To add a layer of authenticity, the fabricated request includes a fake “agent identification” number. As with traditional phishing emails, the purpose is to create a sense of urgency, tricking the recipient (who is, of course, not deceased) into immediately canceling the fraudulent request by clicking on a link. From there, as in other phishing attacks, the victim is redirected to a fake LastPass login page, where they enter their master password and hand it straight to the attackers. LastPass also reports that in some cases the threat actors used “vishing,” or voice phishing: the attackers allegedly called victims directly, posing as LastPass staff members. These impostors then used social engineering over the phone to guide the alarmed user to the phishing site and trick them into entering their credentials.
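The lure described above combines three things a mail-triage rule can check for: the emergency-access/death-certificate theme, a "cancel now" call to action, and a link (or sender) that does not belong to the real LastPass domain. The script below is an added example written for this article, not code from LastPass or from the original report. Both sample emails, the sender and link domains (all under the reserved `.example` TLD) and the agent ID are constructed for the demo; `LEGIT_DOMAINS` is an assumption about where a genuine LastPass notification would link.

```python
"""Triage check for the LastPass "emergency access" phishing lure.

Added example (not from the article or from LastPass): parse a raw email,
pull out the sender domain and every link, and flag messages that combine
the lure's vocabulary with links or senders outside the brand's own domain.
All sample data below is constructed for this demo.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for the demo: hosts a genuine LastPass notification would use.
LEGIT_DOMAINS = {"lastpass.com"}

# Lure vocabulary taken from the campaign as the article describes it.
LURE_TERMS = [
    r"emergency access",
    r"legacy",
    r"death certificate",
    r"agent id",                    # also matches "agent identification"
    r"cancel (?:this|the) request",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _body_text(msg: Message) -> str:
    """Concatenate all text/plain and text/html parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (mail.lastpass.com -> lastpass.com)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage(raw_email: str) -> dict:
    """Score one raw RFC 822 message against the emergency-access lure."""
    msg = message_from_string(raw_email)
    text = f"{msg.get('Subject', '')}\n{_body_text(msg)}"
    lowered = text.lower()

    lure_hits = [t for t in LURE_TERMS if re.search(t, lowered)]

    sender_domain = registrable_domain(parseaddr(msg.get("From", ""))[1].split("@")[-1])
    sender_mismatch = sender_domain not in LEGIT_DOMAINS

    suspicious_links, lookalike_links = [], []
    for link in URL_RE.findall(text):
        dom = registrable_domain(urlparse(link).hostname or "")
        if dom not in LEGIT_DOMAINS:
            suspicious_links.append(link)
            if "lastpass" in dom:           # brand name inside a non-brand domain
                lookalike_links.append(link)

    if len(lure_hits) >= 2 and (suspicious_links or sender_mismatch):
        verdict = "phish-likely"
    elif lure_hits or suspicious_links or sender_mismatch:
        verdict = "review"
    else:
        verdict = "clean"

    return {
        "verdict": verdict,
        "lure_hits": lure_hits,
        "sender_domain": sender_domain,
        "sender_mismatch": sender_mismatch,
        "suspicious_links": suspicious_links,
        "lookalike_links": lookalike_links,
    }


# Constructed sample: the lure as the article describes it (fake domain, fake ID).
PHISH_SAMPLE = """\
Subject: Emergency Access request on your LastPass account
From: "LastPass Support" <support@lastpass-legacy.example>
To: user@example.org

A family member has uploaded a death certificate and requested
Emergency Access to your vault. Agent ID: 48213.
If you did not authorize this, cancel this request within 24 hours:
https://lastpass-legacy.example/cancel?id=48213
"""

# Constructed sample: a benign notification that links to the real domain.
BENIGN_SAMPLE = """\
Subject: Your monthly LastPass security tips
From: LastPass <news@lastpass.com>
To: user@example.org

Read this month's tips on sharing items safely:
https://blog.lastpass.com/posts/sharing-safely
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage(sample))
```

The domain check is deliberately simple (last two labels) and would need a public-suffix list for production use; the point is that the lure's wording alone is not enough for a verdict, but wording plus a link or sender outside the brand's domain is a strong signal, and the safe response for a user is to open the vault directly rather than follow the link.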
Since LastPass also stores access keys alongside passwords, those keys are targeted in this attack as well, as some of the domains used by the attackers indicate.
This isn’t the first time LastPass has encountered an issue like this. A major data breach in 2022 saw attackers successfully steal encrypted vault backups. The 2022 breach was later linked to a series of targeted attacks against individuals, resulting in the theft of approximately $4.4 million in cryptocurrency after the attackers successfully brute-forced the master passwords of specific victims.
Source: Bleeping Computer