LastPass is warning about an ongoing campaign where scammers are writing reviews for its Chrome extension to promote a fake customer support phone number. However, this phone number is part of a much larger campaign to trick callers into giving scammers remote access to their computers.
LastPass is a popular password manager that utilizes a LastPass Chrome extension to generate, save, manage, and autofill website passwords.
Threat actors are attempting to target a large swath of the company's user base by leaving 5-star reviews with a fake LastPass customer support number.
These reviews urge users facing any problems with the app to contact the LastPass online customer service at 805-206-2892, which is not associated with the vendor.
Instead, a scammer answering the phone will impersonate LastPass and direct individuals to a site at 'dghelp[.]top' where they must enter a code to download a remote support program.
"Individuals calling this fake support number will be greeted by an individual asking what product they are having issues with and then a series of questions regarding whether they are attempting to access LastPass via a computer or a mobile device and what operating system they are using," explains LastPass.
"They will then be directed to the site dghelp[.]top while the threat actor remains on the line and attempts to get the potential victim to engage with the site, exposing their data."
BleepingComputer has discovered that entering the code on this page will download a ConnectWise ScreenConnect agent [VirusTotal] that will give the scammer full access to a person's computer.
From there, one threat actor can keep the caller engaged with questions. At the same time, another scammer uses ScreenConnect in the background to install other programs for unattended remote access, steal data, or steal data from the computer.
BleepingComputer found that the ScreenConnect client will make connections to attacker-controlled servers at molatorimax[.]icu and n9back366[.]stream. Both of these sites have previously been associated with an IP address in Ukraine before being hidden behind Cloudflare.
LastPass users are reminded never to share their master password with anyone, not even legitimate customer support, as this would private access to all of the passwords and data stored in LastPass vaults.
Linked to a larger scam campaign
It has been learned that the phone number associated with the fake LastPass support center is linked to a much larger campaign.
The phone number, 805-206-2892, was also found promoted as a support number for numerous other companies, including Amazon, Adobe, Facebook, Hulu, YouTube TV, Peakcock TV, Verizon, Netflix, Roku, PayPal, Squarespace, Grammarly, iCloud, Ticketmaster, and Capital One.
These fake support numbers are posted not only to Chrome extension reviews but also to sites that allow anyone to create content, such as company forums and Reddit.
While many of these posts are taken down as they are created, others are still available, with new ones created throughout the day.