CryptoChameleon is a phishing-as-a-service kit that makes it easier than ever for cybercriminals to create convincing phishing campaigns. Criminals often use it to impersonate reputable companies to steal passwords, account information, and other sensitive data.
A recent scam using CryptoChameleon targets LastPass, a popular password manager. Scammers pretend to be from LastPass, starting with seemingly authentic support calls. They later send follow-up emails with links to fake login pages, designed to look like legitimate LastPass sites. Once victims enter their master passwords on these fraudulent pages, scammers can access their password vaults and potentially lock them out of their accounts.
Reputable companies will never ask for your master passwords through phone calls, emails, or text messages. To protect yourself from these scams, remember to:
- Hang up immediately if you receive a suspicious call claiming to be from LastPass or another reputable company.
- Do not press any options in automated messages or clicking on links in emails from unfamiliar sources.
- Report suspicious activity to the reputable company, including screenshots of suspect text messages and forwarded emails.
