
LastPass on Monday revealed it has disrupted a “widespread” phishing campaign targeting its users.

LastPass users started receiving phishing emails on Sept. 13, urging them to verify their personal details or risk losing access to some features of the password manager. LastPass said 87 of its employees were also targeted in the “pervasive and convincing phishing campaign.”

“Some of your contact information is out of date. It must be verified in order to maintain full access to your LastPass account,” the email said.

In a blog post warning users about the phishing campaign, Malwarebytes describes the email as “an almost pixel-perfect copy of the real thing.”

‘Convincing Phishing Email’

When users click the link in the phishing email, they’re redirected to a website to provide their password and two-factor authentication code to verify their identity.

While the phishing email looks very similar to emails from LastPass, Malwarebytes said there were some signs indicating it’s a spoof — like the Thailand address in the “From” field and the Slovakian domain name the email links to.

According to Malwarebytes, the threat actors behind this campaign may have access to data from the LastPass breach in 2022 and could be struggling to crack some accounts. Thus, they’re trying to trick users into providing them with the personal details required to access their stolen password vaults.

LastPass said it had been working with Fortra’s PhishLabs to take down two domains linked to the phishing campaign before users started reporting the suspicious emails. One of the domains used in this phishing campaign, “LastPass[.]su”, had been spotted and marked for monitoring just a day after it was registered. LastPass has also been working to identify domains that could be used for phishing attacks.

Despite these efforts, the threat actors behind the campaign are unrelenting in their efforts to trick unsuspecting victims, registering new subdomains when the ones they’re using are spotted and taken down.

“While the speed of takedown is often outside the control of the targeted company and can vary based on the malicious domain’s host, LastPass is proud that we were able to work with PhishLabs to get quick and seamless confirmation of site disruptions less than 48 hours or less, thereby minimizing and containing the potential threat posed to our customers,” LastPass said in its blog post.

How to Avoid Falling for Phishing Emails

We recommend inspecting the sender’s address in emails meticulously and verifying the authenticity of an email before you respond or share any personal details. Read our guide to social engineering to learn more about how to spot phishing attacks and protect yourself from them.
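The two spoof indicators Malwarebytes pointed to, a “From” address outside the expected domain and links that lead to an unrelated domain, can be checked mechanically when triaging reported emails. The script below is an added example and is not code from LastPass, Malwarebytes or PhishLabs; the sample message and its `.example.th` / `.example.sk` hosts are constructed stand-ins, and the allowlist `LEGIT_DOMAINS` and the two-label `registrable()` shortcut are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains a genuine LastPass notification would send from and link to.
LEGIT_DOMAINS = {"lastpass.com"}

# Constructed sample modelled on the campaign described above (not a real message).
SAMPLE = """From: LastPass <support@lastpass-notice.example.th>
To: user@example.com
Subject: Verify your contact information
Content-Type: text/html; charset=utf-8

<html><body><p>Some of your contact information is out of date.</p>
<a href="https://login.lastpass-verify.example.sk/confirm">Verify now</a></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect every href from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def registrable(host):
    # Assumption: last two labels approximate the registrable domain
    # (a real deployment should use the Public Suffix List instead).
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw_message):
    """Return warning strings for one raw RFC 5322 message; [] means nothing suspicious found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []
    _, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2]
    if registrable(from_domain) not in LEGIT_DOMAINS:
        warnings.append(f"sender domain {from_domain!r} is not an expected LastPass domain")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    collector = _LinkCollector()
    collector.feed(text)
    for href in collector.hrefs or re.findall(r"https?://\S+", text):
        host = urlparse(href).hostname or ""
        if registrable(host) not in LEGIT_DOMAINS:
            warnings.append(f"link points to {host!r}, not a LastPass domain")
    return warnings
```

Running `triage(SAMPLE)` flags both the sender domain and the link host; a message that sends from and links only to `lastpass.com` returns an empty list.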

LastPass has urged users to remain vigilant and has provided resources, including a detailed blog post by its Chief Secure Technology Officer Christofer Hoff, that sheds light on steps users can take to shield themselves from such threats.

LastPass has also directed users to report suspicious emails to [email protected] for swift action.

During our LastPass tests, we were impressed by this password manager. However, its recent security issues left us concerned. Check out our in-depth analysis of the best password managers to see a side-by-side comparison of different software and discover our top picks.
