LastPass issued a warning about a social engineering campaign involving fake reviews on the company's Google Chrome Web Store page. These misleading reviews attempt to lure users into contacting a fraudulent support number, where attackers try to obtain sensitive information.
The fake reviews, spotted by LastPass staff and highlighted in a statement on the password manager's blog, appear to be part of a larger phishing scheme in which cybercriminals attempt to harvest personal information from unsuspecting LastPass users.
In the campaign, attackers post seemingly legitimate reviews on the LastPass extension's Chrome Web Store page. These reviews encourage users facing “issues” with LastPass to call a provided support number. Customers dialing this number encounter an impersonator who starts by asking about the user's device type, operating system, and whether they are accessing LastPass on a mobile device or computer.
[Image: Fake user reviews under the LastPass app page on the Google Chrome Web Store. Source: LastPass]
Following this initial exchange, the caller is directed to visit dghelp[.]top, a malicious site under the attacker's control. Throughout this interaction, the threat actor stays on the line, guiding victims through steps that lead to exposing their sensitive information.
LastPass, a prominent password management service with a large user base, is actively working to mitigate the impact of this campaign. The company reported that it is coordinating efforts to have these malicious reviews removed from the Chrome Web Store and is seeking to have the dghelp[.]top phishing site taken down.
It advised users to remain vigilant, as these fake reviews could continue to appear under different usernames while following the same script aimed at tricking users into calling the fraudulent support number.
LastPass emphasized that legitimate support staff will never ask for a user's master password or direct them to unofficial websites. Customers seeking support should rely solely on the official LastPass website, lastpass.com, and can verify any suspicious communication by reporting it to abuse@lastpass.com.
To avoid falling victim to similar scams, LastPass users are advised to exercise caution when interacting with online support prompts and to scrutinize any unsolicited requests for information. LastPass customers should:
- Avoid calling phone numbers listed in Web Store reviews or external forums.
- Always verify LastPass communications through official channels.
- Never disclose their LastPass master password over the phone or email.