(Credit: Mateusz Slodkowski/SOPA Images/LightRocket via Getty Images)
A new phishing campaign targeting LastPass involves bad actors faking support email threads to get you to share your vault password. It’s an important reminder to never share your password manager's credentials with anyone, not even support staff.
LastPass reports that a malicious actor launched a new social engineering campaign in early March to trick people into sharing key account details. This follows a significant, but different, phishing campaign targeting LastPass in January.
This new tactic sees attackers forwarding fake email chains to make it look as if someone else is trying to take over the recipient's account. Through display-name spoofing, attackers impersonate LastPass support staff and send messages suggesting urgent action is needed to protect the account. "The attacker relies on the fact that many email clients (especially mobile) show only the display name, hiding the real sender address unless you expand it," LastPass says.
The emails ask the user to take some kind of action, such as disconnecting or locking their vault. The email itself normally doesn't prompt for a password; instead, it links to a fake website that asks the user to log in to complete the action. That site is set up to harvest the vault credentials, which can then be used to access the real password manager.
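The two tells described above (a support-sounding display name on a From: address outside LastPass's domain, and a login link whose host is not lastpass.com) are mechanical enough to check before a human ever reads the message. The following is an added example, not code from the article or from LastPass: it parses a raw message, separates the display name from the real sender address, and lists any body links whose host is not under lastpass.com. The sample messages, the `LEGIT_DOMAINS` set and all sender/link domains in them are constructed for illustration.

```python
"""Flag display-name spoofing and off-domain login links in a raw email.

Added example; not part of the original article or LastPass's tooling.
The sample messages and every domain in them are made up.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the only domain whose mail and links we treat as legitimate.
LEGIT_DOMAINS = {"lastpass.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def sender_domain(addr: str) -> str:
    """Return the domain part of an address, lower-cased ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def domain_is_legit(host: str) -> bool:
    """True only if host is a legitimate domain or a subdomain of one.

    A suffix check on '.lastpass.com' rejects lookalikes such as
    'lastpass.com.example' or 'lastpass-helpdesk.example'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def analyze(raw: str) -> dict:
    """Parse a raw RFC 5322 message and report spoofing indicators."""
    msg = message_from_string(raw)
    # parseaddr splits 'LastPass Support <x@y>' into the name a mobile
    # client shows and the address it usually hides.
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = sender_domain(addr)
    claims_lastpass = "lastpass" in display.lower()
    spoofed = claims_lastpass and not domain_is_legit(from_dom)

    body = "" if msg.is_multipart() else msg.get_payload()
    links = URL_RE.findall(body)
    suspicious = [u for u in links
                  if not domain_is_legit(urlparse(u).hostname or "")]

    return {
        "display_name": display,
        "sender_domain": from_dom,
        "spoofed_display_name": spoofed,
        "suspicious_links": suspicious,
        "verdict": "PHISHING" if (spoofed or suspicious) else "no indicators",
    }


# Constructed sample: the lure described in the article, forwarded as if
# it were an existing support thread.
SAMPLE_PHISH = """From: LastPass Support <support@lastpass-helpdesk.example>
To: victim@example.com
Subject: Fwd: Urgent: someone is trying to access your vault

We detected a request to take over your account. To lock your vault now,
confirm your identity here: https://lastpass.com.account-lock.example/login
"""

# Constructed sample of a message that passes both checks.
SAMPLE_LEGIT = """From: LastPass <no-reply@lastpass.com>
To: victim@example.com
Subject: Your monthly security report

See your report at https://lastpass.com/ (no login required).
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(raw))
```

The check is deliberately conservative: it never trusts the display name, and it treats anything that merely contains "lastpass.com" somewhere in the hostname as foreign unless lastpass.com is the registrable suffix. In practice you would extend `LEGIT_DOMAINS` with the vendor's other sending domains and feed the function the headers of the forwarded message, not just the outer one.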
The emails come from various addresses and domain names. LastPass has published the ones it has found so far, so if you come across emails that you think may be part of this phishing campaign, you can cross-reference the sender address against that list.
LastPass says it’s working with third-party partners to take down the fake sites, but it may still see new ones pop up. It also recommends using its abuse@lastpass.com email to submit anything you think may be a scam.