Staff should be using MFA: CSOs and IT managers should ensure that any password manager their employees use has phishing-resistant multifactor authentication or requires an additional login factor, so that if staff fall for a scam like this, the scammer can’t log in using stolen credentials alone, Grimes said. If the corporate-approved password manager doesn’t allow MFA for logging into the app, it should have some other additional login factor, for example making the employee provide other confidential information that is far harder to obtain.

Combating phishing requests for password manager credentials requires a combination of user education and adding friction to logins by requiring more than just the master password and MFA to access accounts or add new devices, said Shipley, who pointed out that some other password management providers require access to a secret key in addition to a master password before a new device can be granted access.

IT leaders should send an e-mail blast to employees letting them know about the scam, linking to the LastPass blog, and encouraging them to report any e-mails that look as though they’re coming from LastPass, he said.

The LastPass warning includes the suspicious IP addresses and URLs as references for infosec leaders. LastPass has taken down the initial phishing site.
Scam going after ‘a broad user base’: LastPass wouldn’t disclose to CSO how many customers, if any, fell for this scam. Asked whether the campaign is targeting enterprise customers as well as consumers, a representative from the LastPass threat intelligence, mitigation and escalation team said it is targeting “a broad user base.”

CSOs and IT leaders should warn employees not to click on emails with the subject line “Legacy Request Opened,” the spokesperson said, and to report suspicious emails or phone calls claiming to be from LastPass.

According to the LastPass warning, the URL associated with this campaign has been linked by Google Threat Intelligence to the known cybercriminal group CryptoChameleon (also known as UNC5356). The group is associated with targeting cryptocurrency exchanges and their users with the intent of stealing cryptocurrency, and it previously leveraged LastPass as part of a phishing kit in April 2024. Other indicators of malicious behavior associated with this campaign, says LastPass, include the threat actors’ use of the known bulletproof host NICENIC to host the phishing site and their attempted direct social engineering, both of which are consistent with previous CryptoChameleon behavior.

In its advisory, the company also included the indicators of compromise, along with a list of URLs associated with the malicious IP addresses used by the attackers. LastPass asks customers to forward any phishing emails or screen captures of texts targeting its products to abuse@lastpass.com.

This article first appeared on Computerworld.
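The advice above (watch for the “Legacy Request Opened” subject line, and treat mail claiming to come from LastPass with suspicion) can be turned into a small mail-triage rule that a help desk or mail gateway can run over reported messages. The following Python is an added example, not code from LastPass, the article, or its sources. It assumes lastpass.com is the vendor’s only legitimate sending and link domain, and the two sample messages, including the phishing domain secure-lastpass-legacy.example, are constructed for the example rather than taken from the advisory.

```python
"""Triage reported e-mails against the LastPass 'Legacy Request Opened' lure.

Added example, not code from LastPass or the CSO article.  A message is
flagged when (a) its subject matches the campaign subject line the LastPass
spokesperson named, (b) its display name or subject claims to be LastPass
while the sender address is not under lastpass.com (an assumption: the
vendor's only legitimate sending domain), or (c) a link in the body points
to a host outside lastpass.com.  The sample messages below are constructed;
the phishing domain in them is invented.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

CAMPAIGN_SUBJECT = "legacy request opened"        # subject line named in the advisory
VENDOR_DOMAIN = "lastpass.com"                    # assumption: only legitimate domain
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _under_vendor(host: str) -> bool:
    """True if host is lastpass.com or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == VENDOR_DOMAIN or host.endswith("." + VENDOR_DOMAIN)


def _text_parts(msg):
    """Yield every text/* body part decoded to str (handles multipart mail)."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", errors="replace")


def triage(raw: str) -> list[str]:
    """Return the reasons a raw RFC 822 message looks like this campaign.

    An empty list means none of the three checks fired.
    """
    msg = message_from_string(raw)
    reasons: list[str] = []

    subject = (msg.get("Subject") or "").strip()
    display, addr = parseaddr(msg.get("From") or "")
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # (a) exact lure subject line reported by LastPass
    if subject.lower() == CAMPAIGN_SUBJECT:
        reasons.append("subject matches campaign lure")

    # (b) brand impersonation: says LastPass, but not sent from the vendor
    claims_vendor = "lastpass" in f"{display} {subject}".lower()
    if claims_vendor and not _under_vendor(sender_domain):
        reasons.append(f"claims LastPass but sent from {sender_domain or '<none>'}")

    # (c) any body link that leaves the vendor's domain
    for text in _text_parts(msg):
        for url in URL_RE.findall(text):
            host = urlparse(url.rstrip(".,;:)")).hostname or ""
            if not _under_vendor(host):
                reasons.append(f"link to non-LastPass host {host}")
    return reasons


# Constructed sample: a lure in the style described by the article.
PHISH = """\
From: LastPass Support <support@secure-lastpass-legacy.example>
To: alice@example.org
Subject: Legacy Request Opened
Content-Type: text/plain; charset=utf-8

A legacy request has been opened against your vault.
Cancel it within 24 hours: https://secure-lastpass-legacy.example/cancel?id=12345
"""

# Constructed sample: a benign vendor notification for comparison.
LEGIT = """\
From: LastPass <no-reply@lastpass.com>
To: alice@example.org
Subject: Your monthly security report
Content-Type: text/plain; charset=utf-8

View it at https://www.lastpass.com/ when you are ready.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, "->", triage(raw) or "clean")
```

Run stand-alone, the script flags the constructed lure on all three checks and passes the benign message. Extend VENDOR_DOMAIN with any additional sending domains your tenant has verified via DMARC alignment before deploying the rule, and feed the advisory’s published URLs and IPs into a separate blocklist; this script deliberately does not hard-code them.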
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4079001/scammers-try-to-trick-lastpass-users-into-giving-up-credentials-by-telling-them-theyre-dead-2.html