Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/

CryptoChameleon Phishing Kit Targets LastPass, Others

Adam Engst

In a blog post, [1]LastPass writes:

    LastPass would like to raise awareness to a recent phishing campaign affecting our customers related to the CryptoChameleon phishing kit which has been associated with crypto thefts.

Although we no longer use or recommend LastPass (see '[2]LastPass Publishes More Details about Its Data Breaches,' 3 March 2023), many people still rely on the password management service. If that's you, watch out for a phishing call purporting to be from LastPass and claiming that your LastPass account has been accessed from a new device. The automated call instructs you to press 1 to allow access or 2 to block it. If you press 2, you're told you'll receive another call shortly to 'close the ticket.' When that call comes, from someone identifying themselves as a LastPass employee and speaking with an American accent, the caller will send you an email that pretends to reset access to your account. Of course, it's actually a phishing message designed to steal your credentials.

Ignore all phone calls or text messages purporting to be from LastPass or a cryptocurrency firm. Also, never give a password to anyone over the phone or enter it on any site to which someone you don't know has personally directed you.

To be clear, LastPass has done nothing wrong here, and other password management services may be similarly targeted. At the moment, these [3]CryptoChameleon phishing kit attacks don't appear to be particularly widespread because of the amount of human interaction necessary. CryptoChameleon has been used against employees at the Federal Communications Commission and cryptocurrency firms Binance and Coinbase, along with cryptocurrency users.

The real concern comes once sophisticated phishing attacks become completely AI-driven. We're already seeing scammers use AI voices (see '[4]How To Avoid AI Voice Impersonation and Similar Scams,' 25 January 2024), and it's easy to imagine a highly directed AI chatbot generating the text behind the voice. Our first defense will be Settings > Phone > Silence Unknown Callers, but at some point, we'll need an AI receptionist to answer all our calls and decide which ones are legitimate.

[5]Read original article

References

1. https://blog.lastpass.com/posts/2024/04/advanced-phishing-kit-adds-lastpass-branding-for-use-in-phishing-campaigns
2. https://tidbits.com/2023/03/03/lastpass-publishes-more-details-about-its-data-breaches/
3. https://www.lookout.com/threat-intelligence/article/cryptochameleon-fcc-phishing-kit
4. https://tidbits.com/2024/01/25/how-to-avoid-ai-voice-impersonation-and-similar-scams/
5. https://blog.lastpass.com/posts/2024/04/advanced-phishing-kit-adds-lastpass-branding-for-use-in-phishing-campaigns