Identity, Phishing

Attacks with CryptoChameleon phishing kit target LastPass users

A black-and-white drawing of a chameleon wearing a hoody while holding a phone

BleepingComputer reports that customers of the widely used password management service LastPass are being targeted by a new attack campaign that uses the sophisticated CryptoChameleon phishing kit to steal cryptocurrency assets.

The campaign leverages several social engineering tactics, according to LastPass. Attackers first call targets from an 888 number about supposed unauthorized access to their LastPass account. A second caller then impersonates a LastPass employee and sends a phishing email containing a link that redirects to a fraudulent website requesting the target's master password. LastPass urged its users to be vigilant of suspicious phone calls, SMS messages, and emails, warning that targeting may persist even after the shutdown of the malicious site.

Such a development follows a Lookout report detailing attacks with the phishing kit that targeted the Federal Communications Commission and cryptocurrency platforms Coinbase, Binance, Gemini, and Kraken through spoofed Okta, Microsoft Outlook, Gmail, iCloud, and Twitter websites, among others.
