
Password manager LastPass has warned its users about a new phishing attack launched by the hacker group CryptoChameleon.
The media outlet reports that the attack dates back to mid-October. The attackers used LastPass's "Emergency Access" feature as the pretext for emails to users, falsely claiming that a family member had uploaded a death certificate and requested access to their password vault.
To enhance credibility, the emails even included a fake agent ID number and instructed the recipient to click a link to cancel the request if they were still alive, luring users into the trap.
Clicking the link in the email redirected users to a fraudulent website, lastpassrecovery[.]com, which mimicked the official LastPass login page and asked users to enter their master password. Once a user submitted the master password, the attackers gained access to that user's entire password vault.
LastPass also noted that in some cases the attackers proactively called victims, impersonating LastPass employees and directing them to enter their credentials on the phishing websites, combining email and voice phishing in a two-pronged attack.
Compared to the attacks launched by the group in April of this year, this campaign is both more widespread and more sophisticated. A key upgrade is that the attackers' targets have expanded from traditional passwords to include passkeys.
LastPass discovered that CryptoChameleon used phishing domains specifically targeting passkeys, such as mypasskey[.]info and passkeysetup[.]com. This suggests that as mainstream password managers began supporting and syncing passkeys, attackers quickly adapted their strategies to target this passwordless authentication technology directly, despite its reputation as the more secure option.
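A simple defensive check for the lookalike domains described above, written as an added example and not code from LastPass or from the article: it extracts links from an email body and flags any host that carries a brand term ("lastpass", "passkey") but is not on an assumed allowlist of the vendor's real registrable domains. The sample email is constructed for the test and only reuses domains named in the article.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of registrable domains the vendor actually uses (not from the article).
LEGIT_DOMAINS = {"lastpass.com"}
# Brand words that a lookalike host is likely to contain.
BRAND_TERMS = ("lastpass", "passkey")

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Enough for .com/.info; a real
    deployment should use the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url: str) -> str:
    """'legitimate' if the registrable domain is allowlisted, 'lookalike' if the
    host merely contains a brand term (covers lastpass.com.evil.example too),
    otherwise 'unknown'."""
    host = urlparse(url).hostname or ""
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legitimate"
    if any(term in host for term in BRAND_TERMS):
        return "lookalike"
    return "unknown"


def suspicious_links(email_body: str) -> list[tuple[str, str]]:
    """Return (url, verdict) for every link that is not on the allowlist."""
    return [(u, classify_link(u)) for u in URL_RE.findall(email_body)
            if classify_link(u) != "legitimate"]


# Constructed sample body; the domains are the ones reported in the article.
SAMPLE_EMAIL = (
    "An Emergency Access request is pending on your account.\n"
    "Cancel the request here: https://lastpassrecovery.com/cancel\n"
    "Finish your passkey setup: https://passkeysetup.com/start\n"
    "Help: https://support.lastpass.com/\n"
)

if __name__ == "__main__":
    for url, verdict in suspicious_links(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}")
```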
IT Home, citing a blog post, stated that CryptoChameleon (also known as UNC5356), the group behind this attack, is a financially motivated threat group specializing in stealing cryptocurrency using phishing kits. The organization has successfully attacked users of multiple cryptocurrency platforms such as Binance and Coinbase by forging login pages of well-known services such as Okta, Gmail, and iCloud.