LastPass Users Targeted in Sophisticated Phishing Scam Using CryptoChameleon Kit
The phishing campaign involves fake calls and emails, tricking users into revealing their master passwords.
- LastPass has issued a warning about a phishing scam where users are tricked by fake support calls and emails into providing their master passwords.
- The campaign uses CryptoChameleon, a phishing-as-a-service kit, to create convincing fake login pages for LastPass.
- Victims are contacted by phone with instructions to press '1' or '2' to manage access from new devices, leading to phishing links.
- The fraudulent domain 'help-lastpass.com' was used to steal credentials but has since been taken down.
- Users are advised to hang up on suspicious calls and verify through official LastPass channels before taking any action.