LastPass, a leading password management solution provider, has uncovered a sophisticated phishing campaign targeting its users through elaborately crafted fake support reviews. This latest cybersecurity threat demonstrates an advanced social engineering approach, combining fraudulent Chrome Web Store reviews with malicious remote access tactics.
Anatomy of the Social Engineering Attack
The threat actors have built a multi-stage attack chain that begins with fake five-star reviews on the LastPass Chrome extension. These reviews contain a fraudulent technical support phone number (805-206-2892) designed to lure unsuspecting users into contacting the operators. When users call this number, they are connected with threat actors posing as LastPass support representatives, who direct them to the malicious domain dghelp[.]top.
Technical Infrastructure and Malware Deployment
The attack’s technical framework shows careful planning and execution. Upon visiting the fraudulent website, victims are prompted to download ConnectWise ScreenConnect, a legitimate remote access tool that the attackers abuse to take control of the victim’s machine. Security researchers have identified command-and-control communications through two primary domains, molatorimax[.]icu and n9back366[.]stream, initially linked to Ukrainian IP infrastructure before being obscured behind Cloudflare services.
Broader Impact and Connected Campaigns
Investigation into this phishing operation has revealed its connection to a larger cybercriminal enterprise. The same phone number appears in fraudulent support advertisements targeting users of multiple high-profile services, including:
– Amazon
– Adobe
– Netflix
– PayPal
This pattern suggests a coordinated effort to exploit user trust across various digital platforms.
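The indicators quoted above (the three defanged domains, the ScreenConnect download and the reused support number) lend themselves to a simple defender-side check. The following Python is an added example, not code from the article or from LastPass: it refangs the indicators at runtime and scans constructed proxy log lines and review text for them. The four-field log layout and the sample lines are assumptions made for the example.

```python
import re

# Indicators as printed in the article; kept defanged in source, refanged only at runtime.
DEFANGED_DOMAINS = ["dghelp[.]top", "molatorimax[.]icu", "n9back366[.]stream"]
SCAM_PHONE = "805-206-2892"


def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into 'example.com' for matching."""
    return indicator.replace("[.]", ".")


KNOWN_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
PHONE_DIGITS = re.sub(r"\D", "", SCAM_PHONE)


def host_matches(host: str) -> bool:
    """Exact or subdomain match against the campaign domains, case-insensitive."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS)


def scan_proxy_log(lines):
    """Return (line_no, reason) for lines that contact a campaign domain or fetch a
    ScreenConnect installer. Assumed layout: 'timestamp user host path'."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the scan
        _, _, host, path = parts[:4]
        if host_matches(host):
            hits.append((n, f"known campaign domain {host}"))
        elif "screenconnect" in path.lower() and path.lower().endswith((".exe", ".msi")):
            hits.append((n, "ScreenConnect installer download"))
    return hits


def review_mentions_scam_number(text: str) -> bool:
    """Catch the number even when written as (805) 206-2892, 805.206.2892 or +1 805-206-2892."""
    for m in re.finditer(r"\+?\d[\d\s().-]{8,}\d", text):
        if re.sub(r"\D", "", m.group()).endswith(PHONE_DIGITS):
            return True
    return False


# Constructed sample lines; only the campaign domains come from the article.
SAMPLE_LOG = [
    "2024-10-01T10:01:00Z alice www.lastpass.com /",
    "2024-10-01T10:05:12Z alice dghelp.top /download",
    "2024-10-01T10:05:40Z alice cdn.example-constructed.net /ScreenConnect.ClientSetup.exe",
    "2024-10-01T10:07:03Z alice MOLATORIMAX.ICU /gateway",
    "2024-10-01T10:09:00Z bob help.n9back366.stream /",
]

if __name__ == "__main__":
    for line_no, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

The same `review_mentions_scam_number` check applies to reviews or advertisements for any of the other services listed above, since the campaign reuses one number across platforms.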
Security Recommendations and Best Practices
To protect against such sophisticated social engineering attacks, security experts recommend implementing several critical safeguards:
– Verify support contact information exclusively through official company websites
– Never install remote access software at the request of phone support
– Enable multi-factor authentication on all sensitive accounts
– Report suspicious reviews and support numbers to platform administrators
The emergence of this sophisticated phishing campaign underscores the evolving nature of cyber threats targeting password management solutions. Users must maintain vigilance and verify all support interactions through official channels, as legitimate companies never request remote system access through third-party websites or unauthorized support numbers. Organizations should regularly update their security awareness training to include recognition of these advanced social engineering tactics.