LastPass Employees and Customers Targeted in Phishing Campaign

A widespread phishing campaign has been detected that is targeting LastPass employees and customers. The campaign was first detected in mid-September, and a second wave of phishing emails was sent at the end of the month. The aim of the campaign is to obtain LastPass credentials. If the credentials are obtained, the attackers will have access to users’ password vaults. LastPass offers users multi-factor authentication; however, this phishing campaign is also able to steal multi-factor authentication codes submitted through the portal.

The phishing emails have a display name of LastPass; however, the email address in one of the detected emails was [email protected][.]th, which is clearly unrelated to LastPass. The emails warn that the contact information in the user’s account is out of date. LastPass users are told that they must verify their contact information; otherwise, they will lose full access to their LastPass account. The emails advise the recipient that “LastPass is based on two fundamental principles: the security and confidentiality of personal data,” and that data security is paramount for LastPass, hence the need to ensure that contact information is kept up to date.

Users are warned that to avoid the deactivation of certain features of their LastPass account, they must log in to confirm their account information. A button is provided to allow users to do this. If that option is clicked, the user will be directed to the domain customer-lastpass.su, where they will be presented with a very realistic-looking login prompt. If credentials are entered, they will be captured. LastPass has issued a warning about the campaign and said 87 of its employees were targeted, and multiple cybersecurity firms have issued warnings to LastPass users. LastPass has identified several domains being used for this phishing scam.

There are red flags that identify the emails as a scam: the email addresses are not related to LastPass; the domain to which users are directed is not an official LastPass domain (exercise maximum caution with hyphenated domains); the message creates urgency and threatens consequences if no action is taken; and the emails request sensitive information (credentials).
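The first two red flags can be checked mechanically at a mail gateway or in a triage script. The following is an added example, not part of the original article and not LastPass tooling. It assumes lastpass.com is the only official domain, and the sample message (including its placeholder sender address) is constructed; only the link domain comes from the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: lastpass.com is treated as the only official domain for this check.
OFFICIAL_DOMAINS = {"lastpass.com"}
BRAND = "lastpass"

# Constructed sample message. The sender address is a placeholder (the real one
# is not given in full in the article); the link domain is the one the article names.
SAMPLE = """\
From: LastPass <notice@mailer.example.th>
To: user@example.org
Subject: Action required: verify your contact information
Content-Type: text/html

<p>Your contact information is out of date.</p>
<a href="https://customer-lastpass.su/login">Confirm my account</a>
"""

def is_official(host):
    """True if host is an official domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def red_flags(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    findings = []
    # Flag 1: display name claims the brand, but the address is on another domain.
    if BRAND in display.lower() and not is_official(sender_host):
        findings.append(f"display name '{display}' but sender domain is {sender_host}")
    # Flag 2: link hosts that contain the brand string without being official.
    body = msg.get_payload()
    for host in sorted(set(re.findall(r"https?://([^/\s\"'<>:]+)", body, re.I))):
        if BRAND in host.lower() and not is_official(host):
            findings.append(f"lookalike link domain {host}")
    return findings

if __name__ == "__main__":
    for finding in red_flags(SAMPLE):
        print("FLAG:", finding)
```

The suffix comparison in `is_official` is deliberate: a plain substring test would accept hosts such as `customer-lastpass.su` or `lastpass.com.example.net` simply because they contain the brand name.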

It is important to report phishing emails to the company being impersonated and the appropriate authorities. Reporting is important as it allows campaigns to be identified and shut down. If you receive one of these LastPass phishing emails, you should report it to [email protected]. In the US, phishing attempts should be reported to the Federal Trade Commission at ReportFraud.ftc.gov and the email should be forwarded to the Anti-Phishing Working Group at [email protected]. In the United Kingdom, forward the email to [email protected].

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news