TZUTC: -0500   
   MSGID: 1637.consprcy@1:2320/105 2d66097a   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   Evil scam targets LastPass users with fake death certificate claims   
      
   Date:   
   Mon, 27 Oct 2025 18:27:00 +0000   
      
   Description:   
   A fake LastPass email is telling users they died, and that a relative is   
   taking over their account.   
      
   FULL STORY   
      
   Scammers are trying to get LastPass user master passwords with a devious   
   phishing email scheme concerning their deaths.    
      
   The password manager has an inheritance feature - so if a person proves the   
   account owner is deceased, and that they are the closest relative (or   
   otherwise deemed to be granted access to the account), LastPass can comply    
   and hand it over.    
      
   However in phishing emails, victims are told that someone has uploaded a    
   death certificate confirming they have passed away, and that unless they act   
   fast it will grant them access to their Vault (an encrypted password storage   
   database, essentially).   
      
   CryptoChameleon    
      
   Acting fast means clicking on a link, and logging into the LastPass account.   
   However, those that rush to do it will not notice that the website they are   
   logging in to is not LastPass, but rather - lastpassrecovery[.]com - a   
   fraudulent landing page propped up only to harvest gullible peoples login   
   credentials.    
      
   The threat actor behind this morbid campaign is called CryptoChameleon - they   
   are a known hacking collective specializing in crypto theft.    
      
   In the past, the group has been seen targeting Binance wallets, Kraken,   
   Gemini, and other platforms, using fake Okta, Gmail, iCloud, and Outlook   
   sign-in landing pages, as well as passkeys.    
      
   Passkeys are a passwordless method of authentication that uses public-key   
   cryptography to verify the persons identity without storing or typing a   
   password. It is generally considered a lot safer than a password, and many of   
   the worlds biggest tech companies have pushed to replace them entirely.    
      
   Obviously, the best way to defend against the attack is to think before you   
   click, and be skeptical of any email messages demanding urgent action.    
      
    Via BleepingComputer    
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/evil-scam-targets-lastpass-users-with-f   
   ake-death-certificate-claims   
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 470   
   SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35   
   PATH: 2320/105 229/426