Evil scam targets LastPass users with fake death certificate claims

News
By published

A fake LastPass email is telling users they died

LastPass
(Image credit: Future)
  • Phishing emails claim victims are dead to steal LastPass master passwords
  • Fake site lastpassrecovery[.]com mimics LastPass to harvest credentials and passkeys
  • CryptoChameleon group behind attack; targets include crypto wallets and passwordless logins

Scammers are trying to get LastPass user master passwords with a devious phishing email scheme concerning their deaths.

The password manager has an inheritance feature - so if a person proves the account owner is deceased, and that they are the closest relative (or otherwise deemed to be granted access to the account), LastPass can comply and hand it over.

However in phishing emails, victims are told that someone has uploaded a death certificate confirming they have passed away, and that unless they act fast it will grant them access to their Vault (an encrypted password storage database, essentially).

CryptoChameleon

“Acting fast” means clicking on a link, and logging into the LastPass account. However, those that rush to do it will not notice that the website they are logging in to is not LastPass, but rather - lastpassrecovery[.]com - a fraudulent landing page propped up only to harvest gullible people’s login credentials.

The threat actor behind this morbid campaign is called CryptoChameleon - they are a known hacking collective specializing in crypto theft.

In the past, the group has been seen targeting Binance wallets, Kraken, Gemini, and other platforms, using fake Okta, Gmail, iCloud, and Outlook sign-in landing pages, as well as passkeys.

Passkeys are a passwordless method of authentication that uses public-key cryptography to verify the person’s identity without storing or typing a password. It is generally considered a lot safer than a password, and many of the world’s biggest tech companies have pushed to replace them entirely.

Obviously, the best way to defend against the attack is to think before you click, and be skeptical of any email messages demanding urgent action.

Via BleepingComputer

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.