Scammers try to trick LastPass users into giving up credentials by telling them they’re dead

Are you sure you’re still alive? If so, you may fall for a phishing scam aimed at getting the master login passwords of LastPass password manager users.

OK, this sounds weird, but in some ways it isn’t. If a person dies, their immediate family may not know how to get into the deceased’s password manager, and may contact the vendor asking for access. Scammers suspected of being part of the CryptoChameleon cyber criminal group are trying to take advantage of that by sending oddly-worded phishing messages to LastPass customers.

The goal, presumably, is not only to get LastPass login credentials, but also to access the user’s cryptocurrency wallet and drain its contents.

On Friday, LastPass sent a warning to customers about the phishing campaign, which began in the middle of this month, because the messages are spoofing the LastPass domain to appear to come from the company.

The subject line reads ‘Legacy Request Opened (URGENT IF YOU ARE NOT DECEASED),’ and the message begins: “A death certificate was uploaded by a family member to regain access to the LastPass account of. If you have not passed away and you believe that this is a mistake, please reply to this email with ‘Stop.’”

The email says that a support case has been opened to execute the request, and includes fabricated information regarding a supposed agent assigned to the case, including an agent ID number, the date the case opened, and the case priority. 

It also includes a link to cancel the request, which in fact directs the intended victim to an attacker-controlled URL where the victim is asked to enter their LastPass master password, in an attempt to harvest their credentials.

The email concludes with the statement “Your security is our top priority. Never share your master password with anyone – including us!” 

In some cases, a threat actor has also phoned people, claiming to be from LastPass and urging them to go to the phishing site and enter their master password.

In its alert, LastPass reminded users that it never asks for their master password.

A tricky one to prevent

David Shipley, head of Canadian-based employee security awareness firm Beauceron Security, called the pitch “the most creative” phishing lure he’s seen this year.

“Have to wonder if they used AI to come up with the concept,” he added.  

However, Roger Grimes, data-driven defense CISO advisor at KnowBe4, said it’s “far from” the oddest phishing lure he’s seen; social engineering is involved in up to 90% of all successful hacks, he said in an email.

“In this case, the social engineering hack was in convincing the user to download malware,” he said. “That’s a tricky one to prevent. I always tell people to learn the following and practice it religiously: If you receive an unexpected message asking you to do something you’ve never done before, at least for that sender, research the request using known trusted methods before performing. That will save you in 99% of social engineering scams, including this one.”

Staff should be using MFA

CSOs and IT managers should ensure that any password managers their employees use have phishing-resistant multifactor authentication or require an additional login factor, so if staff fall for a scam like this, the scammer can’t log in just using stolen credentials, Grimes said.

If the corporate approved password manager doesn’t allow MFA for logging into the app, it should have some additional login factor – for example, making the employee provide other confidential information that is far harder to obtain. 

Combating phishing requests for password manager credentials requires a combination of user education and adding friction to the logins by requiring more than just the master password and MFA to access accounts or add new devices, said Shipley, who pointed out that some other password management providers require access to a secret key in addition to a master password to add access to a new device.

IT leaders should be sending an e-mail blast to employees to let them know about the scam, linking to the LastPass blog, and encourage them to report any e-mails that look as though they’re coming from LastPass, he said.

The LastPass warning includes suspicious IP addresses and URLs as references for infosec leaders. It has taken down the initial phishing site.

Scam going after ‘a broad user base’

LastPass wouldn’t disclose to CSO how many, if any, customers fell for this scam.

Asked if the campaign is targeting enterprise customers as well as consumers, a representative from the LastPass threat intelligence, mitigation and escalation team said it is targeting “a broad user base.”

CSOs and IT leaders should warn employees not to click on emails with the subject line “Legacy Request Opened,” the spokesperson said, and to report suspicious emails or phone calls claiming to be from LastPass.

According to the LastPass warning, the URL associated with this campaign has been linked by Google Threat Intelligence with the known cybercriminal group CryptoChameleon (also known as UNC5356). The group is associated with targeting of cryptocurrency exchanges and users with the intent to steal cryptocurrency. The group previously leveraged LastPass as part of a phishing kit in April 2024.

Other indicators of malicious behavior associated with this campaign, says LastPass, include the threat actors’ use of known bulletproof host NICENIC to host the phishing site, and the attempted direct social engineering, which are again consistent with previous CryptoChameleon behavior

In its advisory, the company also included the indicators of compromise, along with a list of URLs associated with the malicious IP addresses used by the attackers.  

LastPass asks customers to forward any phishing emails or screen captures of texts that are targeting its products to abuse@lastpass.com.