LastPass users are being targeted by a new scam campaign leveraging fake reviews on the LastPass Chrome extension. Threat actors are leaving fraudulent 5-star reviews that promote a fake customer support phone number. This campaign aims to deceive users into granting remote access to their devices, enabling attackers to steal sensitive information.

The campaign is part of a broader scheme, also targeting users of other major services such as PayPal, Amazon, and Netflix.

Ongoing Scammer Campaign Exploiting LastPass Chrome Extension Reviews: Technical Overview

The scam involves multiple steps:

  1. Fake Reviews:
    • Threat actors post 5-star reviews on the LastPass Chrome extension, embedding a fraudulent customer support number.
  2. Phishing via Phone:
    • When victims call the fake support number (805-206-2892), scammers impersonate LastPass representatives and direct them to visit a malicious site: dghelp[.]top.
  3. Remote Access Installation:
    • The site prompts users to enter a code, triggering the download of a remote support program powered by ConnectWise ScreenConnect.
    • Once installed, this tool provides scammers with full control over the victim’s device.
  4. Data Exfiltration:
    • Attackers maintain engagement with victims while simultaneously using remote access to install additional software, steal credentials, and exfiltrate data.
  5. Associated Infrastructure:
    • The remote access client connects to attacker-controlled servers (molatorimax[.]icu, n9back366[.]stream), previously linked to malicious activity.
  6. Broader Campaign:
    • The same fraudulent phone number is used to impersonate customer support for numerous well-known brands across various platforms, including social media forums and company websites.

What We Suggest to Mitigate the Ongoing Scammer Campaign Exploiting LastPass Chrome Extension Reviews

For Users:

  • Do not engage with unsolicited support numbers. Only contact LastPass or any other service provider through official channels listed on their website.
  • Avoid installing software or entering codes from unverified sources.
  • Be cautious of Chrome extension reviews. Fake reviews can mislead users into engaging with fraudulent services.
  • Verify URLs. Always check for legitimacy before visiting support sites or entering sensitive information.
  • Monitor your LastPass vault. Regularly review saved credentials and enable two-factor authentication (2FA) where possible.

For Organizations:

  • Educate employees and users on recognizing scams. Provide awareness training on common phishing tactics.
  • Regularly monitor and audit third-party reviews and user comments. Implement alerts for potentially harmful content associated with your brand.
  • Report fraudulent activity. Notify relevant platforms, including Chrome Web Store and social media, to remove fake reviews and posts.
  • Implement threat detection. Utilize endpoint protection tools to identify unauthorized remote access tools like ScreenConnect.
  • Collaborate with authorities. Share intelligence with law enforcement and cybersecurity organizations to take down malicious infrastructure.
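The "implement threat detection" item above is concrete enough to show in code. The following is an added example, not tooling from this advisory, LastPass, or ConnectWise: it triages constructed DNS and process-creation log lines (the `timestamp kind key=value ...` format is invented for the example) against the domains the advisory names, flags the ScreenConnect client executables when they connect to a relay that is not on the organization's allowlist, and treats a client launched from a user-writable folder as a weaker signal. The allowlisted relay host `support.example-corp.internal`, the hostnames, and the log lines are all constructed placeholders.

```python
"""Added example (not the advisory's or LastPass's own tooling): triage
constructed DNS and process log lines against the indicators named in the
advisory, to show what flagging an unauthorized ScreenConnect client looks like."""
import re
from dataclasses import dataclass
from typing import Iterable

# Domains named in the advisory, refanged from the defanged [.] form for matching.
CAMPAIGN_DOMAINS = frozenset({"dghelp.top", "molatorimax.icu", "n9back366.stream"})

# Executable names used by the ConnectWise ScreenConnect client.
SCREENCONNECT_IMAGES = frozenset(
    {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
)

# Hypothetical placeholder: the relay host(s) your own help desk legitimately uses.
AUTHORIZED_RELAYS = frozenset({"support.example-corp.internal"})

# Folders a user can write to without admin rights; a support client started from
# here is consistent with a web-prompted download rather than a managed install.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.I)

# key=value pairs; a quoted value may contain spaces (e.g. a Program Files path).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Alert:
    host: str
    reason: str
    evidence: str


def parse_event(line: str) -> dict:
    """Parse one constructed 'timestamp kind key=value ...' line into a dict."""
    ts, kind, rest = line.strip().split(maxsplit=2)
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in _KV.finditer(rest)}
    return {"ts": ts, "kind": kind, **fields}


def matches_campaign_domain(name: str) -> bool:
    """True for a campaign domain or any subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in CAMPAIGN_DOMAINS)


def triage(lines: Iterable[str], authorized_relays=AUTHORIZED_RELAYS) -> list[Alert]:
    """Return one Alert per event that matches a detection rule, in log order."""
    alerts: list[Alert] = []
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "?")
        if ev["kind"] == "dns" and matches_campaign_domain(ev.get("query", "")):
            alerts.append(Alert(host, "dns-campaign-domain", ev["query"]))
        elif ev["kind"] == "process":
            image = ev.get("image", "")
            if image.rsplit("\\", 1)[-1].lower() not in SCREENCONNECT_IMAGES:
                continue
            dest = ev.get("dest", "").lower()
            if dest and matches_campaign_domain(dest):
                alerts.append(Alert(host, "screenconnect-campaign-relay", f"{image} -> {dest}"))
            elif dest and dest not in authorized_relays:
                alerts.append(Alert(host, "screenconnect-unauthorized-relay", f"{image} -> {dest}"))
            elif USER_WRITABLE.search(image):
                alerts.append(Alert(host, "screenconnect-user-writable-path", image))
    return alerts


# Constructed sample log lines; hostnames, users and the 203.0.113.10 address are placeholders.
SAMPLE_LOGS = [
    "2025-06-01T10:01:55Z dns host=WS-17 query=lastpass.com",
    "2025-06-01T10:02:11Z dns host=WS-17 query=dghelp.top",
    r"2025-06-01T10:05:40Z process host=WS-17 image=C:\Users\jdoe\Downloads\ScreenConnect.ClientService.exe dest=molatorimax.icu",
    r"2025-06-01T10:06:02Z process host=WS-17 image=C:\Users\jdoe\Downloads\ScreenConnect.WindowsClient.exe dest=n9back366.stream",
    r'2025-06-01T11:30:00Z process host=HELPDESK-02 image="C:\Program Files (x86)\ScreenConnect Client (1a2b)\ScreenConnect.ClientService.exe" dest=support.example-corp.internal',
    r"2025-06-01T11:45:12Z process host=WS-17 image=C:\Windows\System32\notepad.exe",
    r"2025-06-01T12:10:33Z process host=WS-23 image=C:\Users\asmith\AppData\Local\Temp\ScreenConnect.WindowsClient.exe dest=203.0.113.10",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print(f"{alert.host:12} {alert.reason:34} {alert.evidence}")
```

The sanctioned help-desk install on HELPDESK-02 produces no alert because its relay is allowlisted, while the two clients on WS-17 are flagged by the campaign domains and the one on WS-23 by an unknown relay. Keeping "campaign relay" and "unauthorized relay" as separate reasons lets a SOC page on the former and queue the latter for review.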
