
Possible CryptoChameleon Social Engineering Campaign Targeting LastPass Customers, Crypto Exchange Customers, Passkeys, and More

LastPass, published October 23, 2025

LastPass would like to alert our customers of a current phishing campaign that began in mid-October targeting our users, which has been associated with crypto theft.  These phishing emails are being spoofed to appear as if they are coming from the email address “alerts@lastpass[.]com” with the subject line “Legacy Request Opened (URGENT IF YOU ARE NOT DECEASED).”  

Tactics Associated with This Campaign

  • The email claims someone within the recipient’s family has opened a request to access the intended victim’s vault as a legacy user by uploading a death certificate.  
  • The email goes on to include a statement that a live case has been opened and includes fabricated information regarding a supposed agent assigned to the case, including an agent ID number, the date the case opened, and the case priority, all of which are false.  
  • The email then includes a link to cancel the request, which in fact directs the intended victim to the URL “https://lastpassrecovery[.]com”, which then asks for the victim to enter their master password in an attempt to phish credentials. 
  • The email notes the link is unique to the individual and that they should only access their account through that link in a clear attempt to direct the recipient to the phishing site.  
  • The email states that the intended victim should confirm the email was sent from the spoofed email address, “alerts@lastpass[.]com”. 
  • Finally, the email concludes with the statement “Your security is our top priority. Never share your master password with anyone - including us!” 

Of note, the threat actor has also called recipients of this email, claiming they are representatives of LastPass and urging them to visit the phishing site and enter their master password, bringing a more active social engineering element to this campaign.

Partial Screen Capture of Phishing Email

Overview

Google Threat Intelligence has associated the URL used in this campaign with the known cybercriminal group CryptoChameleon (also known as UNC5356). The group is associated with targeting cryptocurrency exchanges and users with the intent to steal cryptocurrency. The group also previously leveraged LastPass as part of a phishing kit in April 2024. Other indicators of malicious behavior associated with this campaign include the threat actors’ use of known bulletproof host NICENIC to host the phishing site, the attempted direct social engineering, and the inclusion of other URLs attempting to impersonate cryptocurrency sites and Gmail accounts as part of the campaign, which are again consistent with previous CryptoChameleon behavior. In particular, these sites appear to be impersonating primarily Coinbase, Binance, Gmail, Gemini, and Google. We will include the indicators of compromise below, including a list of URLs associated with the malicious IPs.

Passkey Targeting

Of note, several of the phishing sites are clearly intended to target passkeys, reflecting both the increased interest on the part of cybercriminals in passkeys and the increased adoption on the part of consumers. For example, there are numerous variations of “mypasskey[.]info” linked to the malicious IPs. Again, further information can be found below.  

What To Do

As we noted above, we have worked hard to disrupt this phishing campaign and have had the initial phishing site taken down. We are sharing this information so that our customers can be aware of these tactics and take the appropriate response should they receive a suspicious call, text, or email.  

  • If you receive a suspicious phone call claiming to be from LastPass, simply hang up and please send us an email with the details of the call to abuse@lastpass.com.  
  • If you receive a suspicious text claiming to be from LastPass, please send a screen capture of the text to abuse@lastpass.com.  
  • If you receive an email you believe may be related to phishing, please forward the email as an attachment to abuse@lastpass.com.

Please remember that no one at LastPass will ever ask for your master password. 

We will continue to work diligently to protect our customers and take whatever proactive measures we can to disrupt this activity. For more information about how to recognize phishing attempts and suspicious online activity, view Protect Yourself from Social Engineering Attacks. For tips and suggestions for protection against these types of attacks, view Recommendations for Protecting Yourself From Social Engineering Attacks.

Malicious URLs and associated IPs:  

“lastpassrecovery[.]com” 

 

Serving IPs:  

  • 82.27.2[.]198 
  • 31.59.58[.]163 

Email information: 

  • From: LastPass <alerts@lastpass.com>  
  • Subject: Legacy Request Opened (URGENT IF YOU ARE NOT DECEASED) 
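
A mail-triage check built from the email indicators above, as an added example that is not LastPass code: it flags the campaign subject, a message using the alerts@lastpass[.]com sender without a DMARC pass, and links to the campaign host or to other hosts that contain "lastpass" but sit outside lastpass.com. The sample messages, their `Authentication-Results` values, and the assumption that genuine links stay under lastpass.com are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
def refang(s):
    return s.replace("[.]", ".")

# Indicators from the advisory, stored defanged and refanged at load time.
CAMPAIGN_SUBJECT = "legacy request opened"
CAMPAIGN_HOSTS = {refang("lastpassrecovery[.]com")}
SPOOFED_FROM = refang("alerts@lastpass[.]com")
BRAND_DOMAIN = "lastpass.com"  # assumption: genuine links stay under this domain
URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def under(host, domain):
    """True if host is the domain or a subdomain of it, not a mere substring."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(raw):
    """Return findings for one RFC 5322 message supplied as text."""
    msg = message_from_string(raw)
    findings = []
    if CAMPAIGN_SUBJECT in msg.get("Subject", "").lower():
        findings.append("campaign-subject")
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # Assumption: this header was stamped by the receiving gateway, not the sender.
    auth = msg.get("Authentication-Results", "").lower()
    if sender == SPOOFED_FROM and "dmarc=pass" not in auth:
        findings.append("lastpass-sender-without-dmarc-pass")
    body = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_maintype() == "text")
    for host in sorted({h.lower() for h in URL_HOST.findall(refang(body))}):
        if any(under(host, d) for d in CAMPAIGN_HOSTS):
            findings.append("campaign-url:" + host)
        elif "lastpass" in host and not under(host, BRAND_DOMAIN):
            findings.append("lookalike-url:" + host)
    return findings

# Constructed sample messages (not captures from the campaign).
PHISH = refang(
    "From: LastPass <alerts@lastpass[.]com>\n"
    "Subject: Legacy Request Opened (URGENT IF YOU ARE NOT DECEASED)\n"
    "Authentication-Results: mx.example.net; dmarc=fail\n\n"
    "Cancel the request at https://lastpassrecovery[.]com/ immediately.\n")
BENIGN = (
    "From: LastPass <alerts@lastpass.com>\n"
    "Subject: Security notification\n"
    "Authentication-Results: mx.example.net; dmarc=pass\n\n"
    "Review your account at https://lastpass.com/ as usual.\n")
```

`triage(PHISH)` returns all three findings and `triage(BENIGN)` returns an empty list; the suffix match in `under` is what keeps a host such as `login.lastpass.com.example.net` from being treated as a LastPass link.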

Other URLs associated with the malicious IPs:  

