LastPass, the popular password management app serving more than 33 million users, recently issued a Fake LastPass App Warning to iOS users. A fake version of its app managed to bypass the Apple App Store’s security review process. The fraudulent app mirrored the original logo and altered the name slightly, changing it to LassPass by dropping a letter.
Parvati Patel created the LassPass app on the Apple App Store. The app was likely designed to steal credentials from unsuspecting users searching for a digital password manager. The goal was to trick people into downloading the fake app and transferring sensitive information such as ID numbers, passwords, and crypto seed phrases. This would enable the threat actors behind the app to access victims’ accounts and steal their money or identities.
It’s unclear how many users, if any, fell victim to the fake LastPass app. However, the incident serves as a reminder to always verify app authenticity before downloading and to remain cautious of lookalike apps.
Typosquatting and How To Avoid It
The LassPass phishing attempt is a new take on an old trick known as “typosquatting.” It involves cybercriminals luring people to fake sites by misspelling the name of a popular site in the hope that potential victims will not notice the difference before handing over sensitive information.
The app version of this trick is slightly different because the threat actor is banking on the victims not being able to differentiate between the original app and the fake one.
You can avoid becoming a victim of typosquatting or cloning in mobile app stores by doing the following:
- Click the app link on the original author’s website. LastPass links to its official app from its own website. Following that link instead of searching for the app yourself in the app store helps you avoid the phishing attack.
- Pay more attention to social proof. LastPass is a company with millions of users. You should be able to differentiate the original app from the fake LassPass on the Apple App Store by looking at metrics like date added, number of downloads, version history, reviews, and more. Don’t download the app if anything looks off.
- Check the app details. Threat actors always make obvious errors when trying to get past the security checks of the various app stores. A typo, an incomplete app description, grammatical blunders, and failure to use a business name as the app developer are dead giveaways of a scam.
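The same name-similarity idea behind the “LassPass” trick can be automated on the defending side, for example by a team that monitors app-store listings for impersonation of its brand. The following is an added example written for this article, not code from LastPass or from any app store; the brand list, the expected publisher name, and the sample listings are all constructed placeholders. It folds common look-alike characters (such as “5” for “s”), computes the edit distance between each word of a listing name and a known brand, and flags names that are an exact brand match but come from an unexpected developer.

```python
import re

# Constructed allow-list: normalized brand token -> developer name expected on the store.
# Both values are placeholders for this example, not LastPass's real listing data.
KNOWN_BRANDS = {
    "lastpass": "LastPass Example Publisher (placeholder)",
}

# Characters commonly substituted for look-alike letters in typosquatted names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e", "5": "s", "$": "s", "@": "a"})

MAX_EDITS = 2      # a name token within this many edits of a brand token is suspicious
MIN_TOKEN_LEN = 4  # ignore very short words, which would otherwise produce noise


def strip_punct(token: str) -> str:
    """Casefold and drop everything that is not an ASCII letter or digit."""
    return re.sub(r"[^a-z0-9]", "", token.casefold())


def normalize(token: str) -> str:
    """Like strip_punct, but also fold homoglyphs so 'La5tPa55' becomes 'lastpass'."""
    return strip_punct(token.casefold().translate(HOMOGLYPHS))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_listing(name: str, developer: str) -> list[str]:
    """Return the reasons a listing looks like brand impersonation; an empty list means no finding."""
    findings = []
    for raw in name.split():
        token = normalize(raw)
        if len(token) < MIN_TOKEN_LEN:
            continue
        for brand, publisher in KNOWN_BRANDS.items():
            if token == brand:
                # Exact brand match after folding: check for substituted characters
                # and for a developer that is not the brand's known publisher.
                if strip_punct(raw) != brand:
                    findings.append(f"'{raw}' spells {brand!r} with substituted characters")
                if developer != publisher:
                    findings.append(
                        f"name claims {brand!r} but developer is {developer!r}, expected {publisher!r}"
                    )
            elif levenshtein(token, brand) <= MAX_EDITS:
                findings.append(f"'{raw}' is within {MAX_EDITS} edits of {brand!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample listings, not real store data.
    samples = [
        ("LastPass Password Manager", "LastPass Example Publisher (placeholder)"),
        ("LassPass", "Individual Developer (constructed)"),
        ("La5tPa55 Manager", "Another Developer (constructed)"),
    ]
    for listing_name, dev in samples:
        print(listing_name, "->", check_listing(listing_name, dev) or "no finding")
```

The genuine listing produces no finding, the one-letter-off “LassPass” is caught by the edit-distance check, and a homoglyph variant is caught twice, once for the substituted characters and once for the unexpected developer. In practice the brand list would hold every product name a company publishes, and the publisher field would be compared against the store’s verified developer account rather than a free-text string.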
Should Users Expect Another LassPass on the Apple App Store?
Apple boasts a robust security review system for weeding out fake and malware-ridden apps on their app store. Thus, the latest breach raised many eyebrows. It’s still unclear how LassPass got on the Apple App Store, but we’ll likely see another attempt like this.
Future threat actors might not clone LastPass again. Still, they may attempt to piggyback off the popularity of the thousands of other apps trusted by millions of users around the globe. Make sure to proceed with caution if anything seems out of the ordinary.
Used with permission from Article Aggregator