LastPass, the popular password management service, has issued an urgent warning to its users about an ongoing social engineering campaign targeting customers through fake reviews on the Chrome Web Store.
The company has discovered that threat actors post fraudulent 5-star reviews for the LastPass Chrome extension, promoting a fake customer support phone number to steal user data.
The scam involves hackers leaving positive reviews that urge users experiencing issues with the LastPass app to contact “LastPass online customer service” at a specific phone number.
However, this number is not associated with LastPass; instead, it connects callers to scammers impersonating company representatives.
Lastpass fake review
When users call the fake support number, they are greeted by an individual who asks about their product issues and device information. The scammer then directs callers to a suspicious website, dghelp[.]top, while remaining on the line to encourage engagement with the site.
Build an in-house SOC or outsource SOC-as-a-Service -> Calculate Costs
Fake Web Store Reviews
These fake support numbers are being disseminated not only through Chrome extension reviews but also on various online platforms that allow user-generated content.
LastPass is actively working to disrupt this campaign by removing fake reviews and taking down phishing websites.
The company emphasizes that these reviews are fraudulent and warns users to be cautious, as the usernames associated with the reviews may change, but the text has remained consistent.
To protect themselves, LastPass users are reminded that the company will never ask for their master password.
For legitimate customer support, users should only use the official LastPass website. The company encourages users to exercise caution and report any suspicious emails or phone numbers to abuse@lastpass.com.
This latest security threat comes in the wake of previous cyberattacks on LastPass, including significant breaches in 2022 that resulted in the theft of customer data and source code.
As the company continues to rebuild trust with its user base, this new scam highlights the ongoing challenges in maintaining cybersecurity in the face of increasingly sophisticated social engineering tactics.
