LastPass is warning about an ongoing campaign in which scammers are writing reviews for its Chrome extension to promote a fake customer support phone number. However, this phone number is part of a much larger campaign to trick callers into giving scammers remote access to their computers, as discovered by BleepingComputer.
LastPass is a popular password manager that uses a LastPass Chrome extension to generate, save, manage, and autofill website passwords.
Threat actors are attempting to target a large swath of the company’s user base by leaving 5-star reviews with a fake LastPass customer support number.
These reviews urge users facing any problems with the app to contact the LastPass online customer service at 805-206-2892, which is not associated with the vendor.
Instead, a scammer answering the phone will impersonate LastPass and direct individuals to a website at ‘dghelp[.]top’ where they must enter a code to download a remote support program.
“Individuals calling this fake support number will be greeted by an individual asking what product they are having issues with and then a series of questions regarding whether they are attempting to access LastPass via a computer or a mobile device and what operating system they are using,” explains LastPass.
“They will then be directed to the site dghelp[.]top while the threat actor remains on the line and attempts to get the potential victim to engage with the site, exposing their data.”
BleepingComputer has found that entering the code on this page will download a ConnectWise ScreenConnect agent [VirusTotal] that gives the scammer full access to a person’s computer.
From there, one threat actor can keep the caller engaged with questions. At the same time, another scammer uses ScreenConnect in the background to install other programs for unattended remote access, steal data, or steal information from the computer.
BleepingComputer found that the ScreenConnect client will make connections to attacker-controlled servers at molatorimax[.]icu and n9back366[.]stream. Both of these sites have previously been associated with an IP address in Ukraine before being hidden behind Cloudflare.
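For defenders who want to check whether any host on their network has contacted the domains named above, the following is an added example (not code from LastPass or BleepingComputer) that re-fangs the article's indicators and matches them against DNS query logs on whole-label boundaries. The log line format and the sample lines are assumptions constructed for illustration.

```python
# Added example: hunt DNS query logs for the domains named in this article.
# Assumed log format: "<timestamp> <client_ip> <query_name> <record_type>".

DEFANGED_IOCS = [
    "dghelp[.]top",        # site where callers are told to enter a code
    "molatorimax[.]icu",   # server the ScreenConnect client connects to
    "n9back366[.]stream",  # server the ScreenConnect client connects to
]

def normalize(name: str) -> str:
    """Lower-case a hostname, undo defanging, and drop a trailing root dot."""
    return name.replace("[.]", ".").strip().lower().rstrip(".")

IOCS = {normalize(i) for i in DEFANGED_IOCS}

def matched_ioc(hostname: str):
    """Return the IOC that hostname equals or is a subdomain of, else None.

    Comparing whole DNS labels avoids false hits such as 'notdghelp.top'
    or an IOC string that merely appears inside an unrelated domain.
    """
    labels = normalize(hostname).split(".")
    for start in range(len(labels) - 1):
        candidate = ".".join(labels[start:])
        if candidate in IOCS:
            return candidate
    return None

def hunt(log_lines):
    """Return (timestamp, client_ip, query_name, ioc) for every matching line."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines instead of failing the whole run
        ts, client, qname = fields[:3]
        ioc = matched_ioc(qname)
        if ioc:
            hits.append((ts, client, qname, ioc))
    return hits

# Constructed sample data, not taken from any real log.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 www.example.com A",
    "2024-01-01T10:00:04Z 10.0.0.7 dghelp.top A",
    "2024-01-01T10:01:12Z 10.0.0.7 Relay1.MolatoriMax.icu. A",
    "2024-01-01T10:02:30Z 10.0.0.9 notdghelp.top A",
    "2024-01-01T10:02:31Z 10.0.0.9 n9back366.stream.example.net A",
    "truncated-line",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

A hit on dghelp[.]top followed by one of the two server domains from the same client suggests the remote access agent was downloaded and run, so that host warrants a check for installed remote access tools.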
LastPass users are reminded never to share their master password with anyone, not even legitimate customer support, as this would give access to all of the passwords and data stored in LastPass vaults.
Linked to a larger scam campaign
BleepingComputer has found that the phone number associated with the fake LastPass support center is linked to a much larger campaign.
The phone number, 805-206-2892, was also found promoted as a support number for numerous other companies, including Amazon, Adobe, Facebook, Hulu, YouTube TV, Peacock TV, Verizon, Netflix, Roku, PayPal, Squarespace, Grammarly, iCloud, Ticketmaster, and Capital One.
These fake support numbers are posted not only to Chrome extension reviews but also to sites that allow anyone to create content, such as company forums and Reddit.
While many of these posts are taken down as they are created, others are still available, with new ones created throughout the day.