How Phishing Scammers Are Targeting LastPass Users with a Creepy Death Scam
A strange new phishing scam is trying to trick LastPass users into giving away their master passwords. The scam plays on a sensitive situation—when someone passes away, their family might struggle to access their password manager. Scammers are taking advantage of this by sending fake messages that look like they come from LastPass, hoping to steal login details and access cryptocurrency wallets.
The scam started earlier this month, and LastPass recently issued a warning to its customers. The fake emails have a subject line that reads “Legacy Request Opened (URGENT IF YOU ARE NOT DECEASED).” The message claims that a family member uploaded a death certificate to gain access to the user’s account. It also suggests replying if the user is still alive, which is meant to confuse and lure them into clicking malicious links.
How the Scam Works
The email says a support case has been opened to handle this supposed request. It includes fake details like an agent ID, case date, and priority level, making it look official. There’s also a link to cancel the request. But that link takes victims to a fake website controlled by scammers. If someone clicks it and enters their master password, the attackers capture their login details.
The message ends with a warning about never sharing your master password, but that doesn’t stop scammers from trying to trick users. Some scammers have even called victims pretending to be from LastPass, urging them to visit the fake site and enter their passwords. LastPass emphasizes that they never ask users for their master password, whether by email or phone.
The Threat Behind the Phishing
Cybercriminals suspected of being part of the CryptoChameleon group are behind this scam. They’ve targeted cryptocurrency exchanges and users before, and now they’re going after LastPass customers. The group has previously used LastPass phishing kits to steal credentials, and they continue to use sophisticated tactics, including hosting malicious sites on known bulletproof servers like NICENIC.
Security experts say this scam is one of the most creative they’ve seen this year. Some wonder if AI technology helped craft the message, making it more convincing. But others point out that social engineering—tricking people into doing something they shouldn’t—is the real challenge. Up to 90% of successful hacks involve some form of social engineering. That’s why experts recommend always verifying unexpected requests, especially those asking for sensitive information.
How to Protect Yourself and Your Company
The best defense against these scams is user education. Employees should be told to be cautious about any unexpected messages asking for login info. Before clicking links or replying, they should verify the request through trusted channels. IT managers should ensure that password managers used by staff have strong security features like phishing-resistant multi-factor authentication (MFA). If MFA isn’t available, additional login steps—like requesting confidential info—can add extra protection.
Organizations can also add layers of security by requiring more than just a master password and MFA to access accounts or set up new devices. Some password managers demand a secret key or other verification steps, making it harder for scammers to succeed. Sending out company-wide alerts about this scam and reminding staff to report suspicious emails is another key step. LastPass has provided indicators of the malicious URLs and IP addresses involved, helping security teams identify threats quickly.
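As an added illustration of how a security team might turn the indicators LastPass published into a simple triage check (this is example code written for this article, not LastPass's own tooling), the script below scans a message for three hallmarks of this lure: the "Legacy Request Opened" subject line, links that resolve to a published indicator or to any host outside lastpass.com, and a sender address that is not on the lastpass.com domain. The indicator values, the trusted-domain list, and both sample messages are constructed placeholders; substitute the real URLs and IP addresses from the LastPass advisory.

```python
"""Mail triage rule for the LastPass "Legacy Request" phishing lure.

Added example, not LastPass's code. Indicator values below are
placeholders (TEST-NET addresses and .invalid hosts); replace them with
the URLs and IPs LastPass published for this campaign.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Placeholder indicators; swap in the published IoCs.
KNOWN_BAD_HOSTS = {"example-bad-host.invalid"}
KNOWN_BAD_IPS = {"192.0.2.10"}          # TEST-NET-1, placeholder only
# Assumption: a genuine LastPass notice only links to lastpass.com.
TRUSTED_DOMAINS = {"lastpass.com"}
SUBJECT_PATTERN = re.compile(r"legacy request opened", re.IGNORECASE)
URL_PATTERN = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _registered_domain(host):
    """Reduce a hostname to its last two labels (good enough here)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw_message):
    """Return a list of human-readable findings; empty means nothing flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. The lure's distinctive subject line.
    if SUBJECT_PATTERN.search(msg.get("Subject", "")):
        findings.append("subject matches legacy-request lure")

    # 2. Sender domain that merely resembles LastPass.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    if sender_domain and _registered_domain(sender_domain) not in TRUSTED_DOMAINS:
        findings.append(f"sender domain not lastpass.com: {sender_domain}")

    # 3. Every link in the body: known indicator first, then any untrusted host.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL_PATTERN.findall(text):
        host = urlparse(url).hostname or ""
        if host in KNOWN_BAD_HOSTS or host in KNOWN_BAD_IPS:
            findings.append(f"link to known indicator: {host}")
        elif _registered_domain(host) not in TRUSTED_DOMAINS:
            findings.append(f"link to untrusted host: {host}")
    return findings


# Constructed sample modelled on the lure described in the article.
SAMPLE_EMAIL = """\
From: LastPass Support <support@lastpass-notices.example>
To: user@example.com
Subject: Legacy Request Opened (URGENT IF YOU ARE NOT DECEASED)
Content-Type: text/plain; charset=utf-8

A family member has uploaded a death certificate for your account.
Agent ID: 4471  Case opened: today  Priority: HIGH
If you are not deceased, cancel the request here:
http://example-bad-host.invalid/cancel
"""

# Constructed benign message for comparison.
LEGITIMATE_EMAIL = """\
From: LastPass <support@lastpass.com>
To: user@example.com
Subject: Your monthly security report
Content-Type: text/plain; charset=utf-8

View your report at https://www.lastpass.com/help
"""

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_EMAIL), ("benign", LEGITIMATE_EMAIL)):
        print(label, "->", triage(sample) or "no findings")
```

Feeding this rule the forwarded copies that reach abuse@lastpass.com or an internal phishing mailbox gives a quick first sort; the "untrusted host" check is deliberately broad, so tune TRUSTED_DOMAINS to whatever your own mail provider and password manager legitimately link to before using it to block.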
What to Do If You Encounter the Scam
LastPass urges customers to forward any suspicious emails or screenshots of texts targeting their service to abuse@lastpass.com. The company confirms that it has already taken down the malicious website used in this campaign. While it hasn’t disclosed how many customers might have fallen for the scam, it states that the campaign targets a broad user base, including both individual and enterprise users.
Security experts warn that phishing campaigns like this can be very convincing, especially when they involve emotional triggers like death and inheritance. It’s crucial to stay vigilant, never share your master password, and always verify requests from official sources. Remember, no matter how official a message appears, if you’re asked for sensitive information unexpectedly, take a step back and confirm its legitimacy through trusted channels. Staying cautious now can save you from losing access or money in the long run.