LastPass users targeted in phishing attacks good enough to trick even the savvy

Dubbed CryptoChameleon for its focus on cryptocurrency accounts, the kit provides all the resources needed to trick even relatively savvy people into believing the communications are legitimate.

In August of 2022, LastPass revealed that it was one of roughly a dozen targets hit in a serial attack by a single resourceful threat actor.

Early last year, LastPass disclosed a successful breach of an employee’s home computer and a corporate vault that was stored on it.

Last week, LastPass said one of its employees was targeted by a deepfake audio call designed to spoof the voice of company CEO Karim Toubba.

Lookout observed one threat actor encouraging a target by phone to complete the steps needed for the account compromise.

MFA available through push notifications or one-time passwords provided by text, email, or authenticator apps are better than nothing, but as events over the past few years have demonstrated, they are themselves easily defeated in credential phishing attacks.