Fake Chrome Web Store reviews have been directing people to a call center where they will be scammed.
This was reported by LastPass on October 30th. Hackers were submitting fake reviews to the LastPass Chrome Web Store app page in order to trick people into calling a malicious call center.
Chrome Web Store
It works like this: A person has a problem with an app. They use Google to look up the customer support number to call and wind up on the Chrome Web Store where they see reviews by other people who are getting help by calling this special number.
Anyone calling that number will be directed to a special site where they will be asked to enter their username and password.
And you can guess what happens next. Yep, they have just had their credentials stolen.
Fake Call Centers
Hackers using fake call centers isn’t new – see this article – but it seems to be getting more and more popular. Forbes even reported how a hacker was using AI-generated deepfakes to work a call scam against Gmail users.
But this new scam is different from the usual. Instead of hackers making thousands of calls daily trying to convince people that they have an issue with something, this scam gets the victim to call the fake call center when they’re having real problems.
Not Just LastPass
And what makes it worse, this scam has moved far beyond LastPass. Bleeping Computer has confirmed that hackers are posting fake reviews for:
- Amazon
- Adobe
- Hulu
- YouTube TV
- Peacock TV
- Verizon
- Netflix
- Roku
- PayPal
- Squarespace
- Grammarly
- iCloud
- Ticketmaster
- Capital One
2FA Doesn’t Always Help
But you have 2FA turned on – you do, don’t you? – so what can the hackers do with your username and password? You’re still safe.
Or so you think you are. Read here how hackers are able to bypass 2FA.
Companies Are Trying To Help
Google and the targeted companies are removing these fake Chrome Web Store reviews as fast as they can, but some people are finding them and getting scammed before they can be taken down.
If you do need help with a product and want to call the company, avoid the Chrome Web Store. Instead, get the number from the product’s real website, not from any third party, no matter how trustworthy you think that party is.
And under no circumstances should you ever give your password to anyone, not even the real company. They will not need it in order to help you.
And no legitimate company will ever ask you for it. Not over the phone or online.
Mike Kosak, senior principal intelligence analyst at LastPass, said: “Please remember that no one at LastPass will ever ask for your master password. If you need customer support, please go directly to our website.”