By now you’re probably on high alert every time you get an actual phone call from someone you don’t know. If it isn’t the usual “we’ve been trying to contact you about your car’s extended warranty” recording, then it’s probably someone from “Windows” trying to get you to install a remote access program. If they mix it up a bit and tell you they’re from LastPass, yeah, it’s the same old BS.
Ars Technica reports that phishing scammers have expanded their operations to impersonate the password saving service LastPass. Calls alert users that their account has been accessed from a new location, and they need to press one or two to stop this presumably nefarious hacker. According to an alert from LastPass itself, follow-up calls from real, live humans will then instruct the user to give them their email address, where a phishing message will attempt to steal their real login info.
Once the phishers have the master LastPass password, they instantly lock the real user out and have access to whatever information is saved within. It’s a motherlode of identity theft data, especially since the legitimate user is generally then unable to access the randomly generated passwords they’ve created for dozens or hundreds of sites, including banking and medical info.
LastPass appears to have enough users at this point that it’s become a frequent target for phishing scams, to say nothing of the tempting nature of its all-in-one personal data setup. The company has been frequently hit with high-profile hacks, most recently in 2022. The latest batch is targeting users themselves thanks to the prevalence of ready-made phishing kits such as CryptoChameleon.
LastPass representatives say they’ve been able to shut down the site for the latest phishing attempt as of April 16th, but it seems almost inevitable that the malefactors will simply try again with another URL. Heads up.