CyberInsider

Reliable cybersecurity news and resources

General

Guides

About

Cyber Insider covers the latest news in the cybersecurity and data privacy world. In addition to news, we also publish in-depth guides and resources.
See our Mission >

LastPass Warns of Phishing Scam via Fake Chrome Store Reviews

By Leave a Comment
LastPass Warns of Phishing Scam via Fake Chrome Store Reviews

LastPass issued a warning about a social engineering campaign involving fake reviews on the company's Google Chrome Web Store page. These misleading reviews attempt to lure users into contacting a fraudulent support number, where attackers try to obtain sensitive information.

The fake reviews, spotted by LastPass staff and highlighted in a statement on the password manager's blog space, seem to be a part of a larger phishing scheme where cybercriminals attempt to harvest personal information from unsuspecting LastPass users.

In the campaign, attackers post seemingly legitimate reviews on the LastPass extension's Chrome Web Store page. These reviews encourage users facing “issues” with LastPass to call a provided support number. Customers dialing this number encounter an impersonator who starts by asking about the user's device type, operating system, and whether they are accessing LastPass on a mobile device or computer.

Fake user reviews under the LastPass app page on Google Chrome Web Store
LastPass

Following this initial exchange, the caller is directed to visit dghelp[.]top, a malicious site under the attacker's control. Throughout this interaction, the threat actor stays on the line, guiding victims through steps that lead to exposing their sensitive information.

LastPass, a prominent password management service with a large user base, is actively working to mitigate the impact of this campaign. The company reported it is coordinating efforts to have these malicious reviews removed from the Chrome Web Store and seeking to have the dghelp[.]top phishing site taken down.

It advised users to be vigilant, as these fake reviews could continue to appear with altered usernames but with a consistent script aimed at tricking users into calling the fraudulent support number.

LastPass emphasized that legitimate support staff will never ask for a user's master password or direct them to unofficial websites. Customers seeking support should rely solely on the official LastPass website, lastpass.com, or verify any suspicious communication by reporting it to abuse@lastpass.com.

To avoid falling victim to similar scams, LastPass users are advised to exercise caution when interacting with online support prompts and scrutinize any unsolicited requests for information. LastPass customers should:

  • Avoid calling phone numbers listed in Web Store reviews or external forums.
  • Always verify LastPass communications through official channels.
  • Never disclose their LastPass master password over the phone or email.

About Alex Lekander

Alex is the founder and Editor-in-Chief of CyberInsider.com. His background and expertise includes digital privacy, security, and tech journalism. When he’s not working behind a screen, Alex is probably tinkering with a boat or enjoying the outdoors.

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *