Warning: LastPass Alerts Users to Phishing Scam Using Fake Support Reviews on Chrome Web Store
LastPass, a leading password management platform, has issued a critical warning to users about a social engineering campaign targeting its customer base through deceptive reviews on its Chrome Web Store app page. This new attack involves threat actors submitting fake reviews, aiming to mislead users into calling a fraudulent support number and potentially compromising their sensitive information.
In a public advisory, LastPass explained the mechanics of this scam: “A threat actor appears to be submitting reviews where they direct customers to a fake number controlled by the threat actor.” When unsuspecting users call this number, they are greeted by an individual who poses as LastPass support, asking which device and operating system they are using to access LastPass. Once the attacker gathers this information, they then instruct the caller to visit a phishing website, dghelp[.]top, while staying on the line to encourage further engagement with the malicious site.
LastPass emphasized, “Please remember that no one at LastPass will ever ask for your master password.” Users are advised to avoid calling any support number found outside of the official LastPass website, where legitimate customer support resources are always available.
The LastPass team is actively working to remove the fraudulent reviews and take down the phishing site associated with this scheme. “We are working to disrupt this campaign by having the reviews removed and getting the phishing website taken down,” LastPass assured customers. As of now, LastPass reports that these fake posts are only present on their Chrome Web Store app page, though they advise users to stay vigilant.
To avoid falling victim to this scheme, LastPass advises customers to be on high alert and to follow these critical tips:
- Verify All Support Contact Information: If you need assistance, go directly to lastpass.com rather than relying on reviews or search engine results, which could lead to fraudulent sites or contacts.
- Do Not Share Your Master Password: LastPass will never ask for this information. Sharing it with anyone, even someone claiming to be support, can lead to immediate account compromise.
- Be Cautious of Suspicious Web Pages or Phone Numbers: The usernames and review text on the Chrome Web Store app page may change, but LastPass notes that “the text has been consistent for every review to date.” Users should be wary of consistent, repeated phrasing in reviews and avoid calling any numbers listed therein.
- Report Suspicious Activity: If you encounter emails, numbers, or websites that seem fraudulent, LastPass encourages customers to forward them to abuse@lastpass.com for further investigation.