CryptoChameleon Phishing Kit Targets LastPass, Others
In a blog post, LastPass writes:
LastPass would like to raise awareness to a recent phishing campaign affecting our customers related to the CryptoChameleon phishing kit which has been associated with crypto thefts.
Although we no longer use or recommend LastPass (see “LastPass Publishes More Details about Its Data Breaches,” 3 March 2023), many people still rely on the password management service. If that’s you, watch out for a phishing call purporting to be from LastPass and claiming that your LastPass account has been accessed from a new device. The automated call instructs you to press 1 to allow access or 2 to block it. If you press 2, you’re told you’ll receive another call shortly to “close the ticket.” When that call comes, from someone identifying themselves as a LastPass employee and speaking with an American accent, the caller will send you an email that pretends to reset access to your account. Of course, it’s actually a phishing message designed to steal your credentials.
Ignore all phone calls or text messages purporting to be from LastPass or a cryptocurrency firm. Also, never give a password to anyone over the phone or enter it on any site to which you have been directed by someone you don’t know personally.
To be clear, LastPass has done nothing wrong here, and other password management services may be similarly targeted. Currently, these CryptoChameleon phishing kit attacks don’t appear to be particularly widespread because of the amount of human interaction necessary. CryptoChameleon has been used against employees at the Federal Communications Commission and cryptocurrency firms Binance and Coinbase, along with cryptocurrency users.
The real concern comes once sophisticated phishing attacks like this become completely AI-driven. We’re already seeing scammers use AI voices (see “How To Avoid AI Voice Impersonation and Similar Scams,” 25 January 2024), and it’s easy to imagine a highly directed AI chatbot generating the text behind the voice. Our first defense will be Settings > Phone > Silence Unknown Callers, but at some point, we’ll need an AI receptionist to answer all our calls and decide which ones are legitimate.
Absolutely. AI-driven tools have created a very negative inflection point for security threats, including so-called “social engineering” threats. Unfortunately, responding to these threats can be extremely challenging. In my opinion, it’s going to get much worse before it gets better.
For people who are interested in keeping up to date with the general subject of social engineering threats, I can recommend KnowBe4’s “CyberheistNews” newsletter. It’s written by a vendor of security tools and services, so factor that into what you read, but overall, I find it to be a very useful source of information, written in plain English.
(Disclaimer: I have no connection with KnowBe4 aside from being a reader of its newsletter and a past purchaser of some of its corporate training programs.)