{"id":5540,"date":"2025-10-24T23:29:04","date_gmt":"2025-10-24T23:29:04","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5540"},"modified":"2025-10-24T23:29:04","modified_gmt":"2025-10-24T23:29:04","slug":"scammers-try-to-trick-lastpass-users-into-giving-up-credentials-by-telling-them-theyre-dead","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5540","title":{"rendered":"Scammers try to trick LastPass users into giving up credentials by telling them they\u2019re dead"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Are you sure you\u2019re still alive? If so, you may fall for a phishing scam aimed at getting the master login passwords of LastPass password manager users.<\/p>\n<p>OK, this sounds weird, but in some ways it isn\u2019t. If a person dies, their immediate family may not know how to get into the deceased\u2019s password manager, and may contact the vendor asking for access. 
Scammers suspected of being part of the\u00a0CryptoChameleon cyber criminal group are trying to take advantage of that by sending oddly-worded phishing messages to LastPass customers.<\/p>\n<p>The goal, presumably, is not only to get LastPass login credentials, but also to access the user\u2019s cryptocurrency wallet and drain its contents.<\/p>\n<p>On Friday, LastPass <a href=\"https:\/\/blog.lastpass.com\/posts\/possible-cryptochameleon-social-engineering-campaign-targeting-lastpass-customers-and-more\" target=\"_blank\" rel=\"noopener\">sent a warning to customers<\/a> about the phishing campaign, which began in the middle of this month, because the messages are spoofing the LastPass domain to appear to come from the company.<\/p>\n<p>The subject line reads \u2018Legacy Request Opened (URGENT IF YOU ARE NOT DECEASED),\u2019 and the message begins: \u201cA death certificate was uploaded by a family member to regain access to the LastPass account of &lt;victim\u2019s name&gt;. If you have not passed away and you believe that this is a mistake, please reply to this email with \u2018Stop.\u2019\u201d<\/p>\n<p>The email says that a support case has been opened to execute the request, and includes fabricated information regarding a supposed agent assigned to the case, including an agent ID number, the date the case opened, and the case priority.\u00a0<\/p>\n<p>It also includes a link to cancel the request, which in fact directs the intended victim to an attacker-controlled URL where the victim is asked to enter their LastPass master password, in an attempt to harvest their credentials.<\/p>\n<p>The email concludes with the statement \u201cYour security is our top priority. 
Never share your master password with anyone \u2013 including us!\u201d\u00a0<\/p>\n<p>In some cases, a threat actor has also phoned people, claiming to be from LastPass and urging them to go to the phishing site and enter their master password.<\/p>\n<p>In its alert, LastPass reminded users that it never asks for their master password.<\/p>\n<h2 class=\"wp-block-heading\">A tricky one to prevent<\/h2>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/dbshipley\/\" target=\"_blank\" rel=\"noopener\">David Shipley<\/a>, head of Canadian-based employee security awareness firm Beauceron Security, called the pitch \u201cthe most creative\u201d phishing lure he\u2019s seen this year.<\/p>\n<p>\u201cHave to wonder if they used AI to come up with the concept,\u201d he added. \u00a0<\/p>\n<p>However, <a href=\"https:\/\/blog.knowbe4.com\/author\/roger-grimes\" target=\"_blank\" rel=\"noopener\">Roger Grimes<\/a>, data-driven defense CISO advisor at KnowBe4, said it\u2019s \u201cfar from\u201d the oddest phishing lure he\u2019s seen; social engineering is involved in up to 90% of all successful hacks, he said in an email. <\/p>\n<p>\u201cIn this case, the social engineering hack was in convincing the user to download malware,\u201d he said. \u201cThat\u2019s a tricky one to prevent. I always tell people to learn the following and practice it religiously: If you receive an unexpected message asking you to do something you\u2019ve never done before, at least for that sender, research the request using known trusted methods before performing. 
That will save you in 99% of social engineering scams, including this one.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Staff should be using MFA<\/h2>\n<p>CSOs and IT managers should ensure that any password managers their employees use have phishing-resistant multifactor authentication or require an additional login factor, so if staff fall for a scam like this, the scammer can\u2019t log in just using stolen credentials, Grimes said.<\/p>\n<p>If the corporate-approved password manager doesn\u2019t allow MFA for logging into the app, it should have some additional login factor \u2013 for example, making the employee provide other confidential information that is far harder to obtain.\u00a0<\/p>\n<p>Combating phishing requests for password manager credentials requires a combination of user education and adding friction to the logins by requiring more than just the master password and MFA to access accounts or add new devices, said Shipley, who pointed out that some other password management providers require access to a secret key in addition to a master password to add access to a new device.<\/p>\n<p>IT leaders should be\u00a0sending an e-mail blast to employees to let them know about the scam, linking to the LastPass blog, and encouraging them to report any e-mails that look as though they\u2019re coming from LastPass, he said.<\/p>\n<p>The LastPass warning includes suspicious IP addresses and URLs as references for infosec leaders. 
It has taken down the initial phishing site.<\/p>\n<h2 class=\"wp-block-heading\">Scam going after \u2018a broad user base\u2019<\/h2>\n<p>LastPass wouldn\u2019t disclose to <em>CSO<\/em> how many, if any, customers fell for this scam.<\/p>\n<p>Asked if the campaign is targeting enterprise customers as well as consumers, a representative from the LastPass threat intelligence, mitigation and escalation team said it is targeting \u201ca broad user base.\u201d<\/p>\n<p>CSOs and IT leaders should warn employees not to click on emails with the subject line \u201cLegacy Request Opened,\u201d the spokesperson said, and to report suspicious emails or phone calls claiming to be from LastPass.<\/p>\n<p>According to the LastPass warning, the URL associated with this campaign has been linked by Google Threat Intelligence with the known cybercriminal group CryptoChameleon (also known as UNC5356). The group is associated with targeting of cryptocurrency exchanges and users with the intent to steal cryptocurrency. 
The group <a href=\"https:\/\/blog.lastpass.com\/posts\/advanced-phishing-kit-adds-lastpass-branding-for-use-in-phishing-campaigns\" target=\"_blank\" rel=\"noopener\">previously leveraged LastPass as part of a phishing kit in April 2024<\/a>.<\/p>\n<p>Other indicators of malicious behavior associated with this campaign, says LastPass, include the threat actors\u2019 use of known bulletproof host NICENIC to host the phishing site, and the attempted direct social engineering, which are again consistent with previous CryptoChameleon behavior.<\/p>\n<p>In its advisory, the company also included the indicators of compromise, along with a list of URLs associated with the malicious IP addresses used by the attackers.\u00a0\u00a0<\/p>\n<p>LastPass asks customers to forward any phishing emails or screen captures of texts that are targeting its products to abuse@lastpass.com.<\/p>\n<p><em>This article first appeared on <a href=\"https:\/\/www.computerworld.com\/article\/4078994\/scammers-try-to-trick-lastpass-users-into-giving-up-credentials-by-telling-them-theyre-dead.html\" target=\"_blank\" rel=\"noopener\">Computerworld<\/a>.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Are you sure you\u2019re still alive? If so, you may fall for a phishing scam aimed at getting the master login passwords of LastPass password manager users. OK, this sounds weird, but in some ways it isn\u2019t. 
If a person dies, their immediate family may not know how to get into the deceased\u2019s password manager, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5541,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5540","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5540"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5540"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5540\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5541"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5540"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5540"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5540"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}