The well-known password manager LastPass posted a warning this week to its blog about a new offering in Apple’s app store.
The app in question, called “LassPass,” had a logo suspiciously similar to LastPass’s and, of course, a very similar name. As the website Bleeping Computer, which first reported on the blog post, suggested, LassPass “was likely created to act as a phishing app and steal credentials.”
The idea, presumably, was for someone to download LassPass and fill it with their passwords, ID numbers, PINs, crypto seed phrases, etc., so that the people behind the app could then take them and use them to log into people’s accounts and steal their identities and their money.
It’s unknown whether anyone fell for it, and by yesterday LassPass had been taken down from the App Store, before this reporter could download it and take it for a test drive.
It proved to be a far smaller security threat than LastPass’s deeply embarrassing 2022 breach — security researchers said some of the information taken by the attackers was used to pull off a series of crypto thefts from people who’d stored their credentials with LastPass.
Like those thefts, this new apparent scam targeted people who were trying to do the right thing and protect their information. And anyone who carelessly downloaded LassPass could offer as a defense that they’d placed their trust in the App Store’s vetting process, which Apple likes to trumpet to justify the steep commission it extracts from app developers.
The creators of LassPass were working from a familiar playbook. Cybercriminals will often lure people onto sites whose URLs are slight misspellings of well-known legitimate sites and hope they won’t notice before starting to type in their information — the practice is known as “typosquatting.”
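The defensive counterpart to the playbook above is to screen new app or domain names against a list of brands you want to protect and flag anything that sits within a small edit distance once look-alike characters have been folded together. The following is an added example written for this article, not code from LastPass, Apple or the article's author; the brand list, the confusable-character map and the distance threshold are constructed assumptions, and a real deployment would use Unicode's published confusables data and a much larger brand list.

```python
import unicodedata

# Constructed sample list of brand names to protect (not from the article).
PROTECTED_BRANDS = ["lastpass", "bitwarden", "1password"]

# Hypothetical map of visually confusable sequences folded to their ASCII look-alike.
CONFUSABLES = {"0": "o", "1": "l", "|": "l", "5": "s", "3": "e", "rn": "m", "vv": "w"}


def normalize(name):
    """Lower-case, strip accents, fold confusables and drop punctuation so that
    'La5tPass' and 'lastpass' compare as the same string."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c)).lower()
    for lookalike, plain in CONFUSABLES.items():
        s = s.replace(lookalike, plain)
    return "".join(c for c in s if c.isalnum())


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_matches(candidate, brands=PROTECTED_BRANDS, max_distance=2):
    """Return (brand, distance) pairs for every protected brand the candidate
    name impersonates. The exact brand name itself is never reported, but a
    name that only differs by confusable characters is (distance 0)."""
    raw = candidate.lower()
    norm = normalize(candidate)
    hits = []
    for brand in brands:
        if raw == brand:
            continue  # the genuine name, not an impersonation
        d = levenshtein(norm, normalize(brand))
        if d <= max_distance:
            hits.append((brand, d))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    for name in ["LassPass", "La5tPass", "LastPass", "Calculator"]:
        print(name, "->", lookalike_matches(name))
```

Run as a pre-publication check on app-store submissions or as a daily sweep over newly registered domains, the function flags "LassPass" at distance 1 from "lastpass" while leaving the genuine name and unrelated names alone; the threshold of 2 is a tuning knob, and short brand names need a tighter one to avoid false positives.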
In this case, the name of the scam app rolled off the tongue better than the original, even if it made more sense as the name of a slightly retrograde Scottish dating app.
Reference: Drake Bennett, “Fake LastPass App Targets People Trying to Do the Right Thing,” (Bloomberg.com), Accessed 2/9/2024.