BleepingComputer reports that customers of the widely used password management service LastPass are being targeted by a new attack campaign that uses the sophisticated CryptoChameleon phishing kit to steal cryptocurrency assets.
The campaign relies on several social engineering tactics. According to LastPass, attackers first call targets from an 888 number about supposed unauthorized access to their LastPass account, then place a second call impersonating a LastPass employee, who sends a phishing email with a link to a fraudulent website that asks for the target's master password. LastPass urged its users to remain vigilant about suspicious phone calls, SMS messages, and emails, warning that the targeting may persist even though the malicious site has been shut down.
The development follows a Lookout report detailing attacks with the same phishing kit that targeted the Federal Communications Commission and the cryptocurrency platforms Coinbase, Binance, Gemini, and Kraken through spoofed Okta, Microsoft Outlook, Gmail, iCloud, and Twitter websites, among others.