Skip to content

LastPass users are being targeted via CryptoChameleon phishing kit

  • by
  • 3 min read

Photo by Tada Images/

LastPass, a top password management provider, discovered its users were targeted by a sophisticated phishing campaign using the CryptoChameleon phishing-as-a-service kit. This kit, associated with cryptocurrency thefts, empowers cybercriminals to fabricate deceptive login pages mimicking legitimate platforms, presenting a serious threat to user credentials.

The campaign came to LastPass’s attention through collaboration with cybersecurity experts at Lookout, who alerted them to the presence of the CryptoChameleon phishing kit.

This advanced phishing-as-a-service tool enables threat actors to craft counterfeit Single Sign-On (SSO) or login pages with counterfeit branding elements, such as logos and graphics, resembling those of trusted companies.

Such campaigns typically lure victims through various means, including phishing emails, SMS messages, or voice calls (fishing).

LastPass also started rigorous monitoring of the malicious website registered by the threat actors: help-lastpass[.]com to detect any signs of phishing activities. Subsequently, when the researchers confirmed that the domain was a part of the phishing campaign, LastPass collaborated with the network vendors to dismantle it.

A sample of phishing email. | Source: LastPass

The company detected the following tactics employed in this campaign:

  • Spoofed phone calls: Victims received a telephone call from an ‘888’ number informing them that their LastPass account had been compromised. The person then asked users to press 1 or access or 2 to block the account.
  • Follow-up social engineering: Those opting to block access (by pressing “2”) received a follow-up call from a spoofed phone number, with the caller impersonating a legitimate LastPass representative. The caller, often adopting an American accent, then sent a phishing email containing a link to a counterfeit site (help-lastpass[.]com), posing as a tool to reset account access. Unbeknownst to the victims, this link was designed to capture their login credentials.
  • Credential harvesting: Victims who fell prey to the phishing site and entered their master password inadvertently provided threat actors with the means to compromise their LastPass accounts. The attackers then attempted to seize control by altering account settings, including changing primary contact details and the master password itself, effectively locking out the legitimate account owner.

To address this threat effectively, LastPass has established a dedicated email address,, where users can promptly report instances of phishing.

LastPass has been the target of cybercriminals for quite a while now. In October 2023, hackers executed a heist of $4.4 million in cryptocurrency by leveraging stolen LastPass private keys and passwords. Similarly, in August 2022, hackers stole passwords and other information from the company’s vaults.

In the News: Meta adds Llama3-powered AI chatbot to its 4 apps in 13 countries

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here:

Exit mobile version