- LastPass warns of phishing campaign targeting credentials
- Attackers trick victims with fake support conversations
- Malicious links imitate LastPass login pages
Popular password manager LastPass is warning customers about an ongoing phishing campaign aimed at obtaining their login credentials.
What sets this campaign apart is that victims are cast as silent observers of an attack in progress, led to believe that they alone can stop it, but only if they act quickly.
In a blog post describing the campaign, LastPass noted that the scam was designed to “gain attention and create urgency in the recipient’s mind, a common tactic for social engineering and phishing emails.”
LastPass infrastructure intact
In a “classic” phishing attack, threat actors impersonate LastPass, contact the target, and claim that the account needs to be “secured.” The same email offers a link for doing so, but the link leads to a malicious page that captures the login credentials and passes them to the attackers.
In this new campaign, things are a little different. The victim is sent an email chain showing a conversation between LastPass customer service and the alleged attackers. In the fake conversation, the attacker impersonates the victim and requests a 2FA removal or a password reset, and customer service complies by sharing a link.
For the scam to work, the victim must believe they have the upper hand and can head off the attack by resetting their password through the link provided. That link leads instead to a malicious landing page designed to look like the LastPass login site.
In the warning, LastPass says its infrastructure is intact and that the emails do not come from the company’s email domain. The attackers are betting that victims will not check the address the messages actually come from, or where the link really points.
LastPass also reiterated that it will never ask customers for their master password, and that customers should never reveal it to anyone. The company is working to take down the malicious landing pages as quickly as possible, and urges anyone who receives the phishing email to contact LastPass.
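The two tells the article describes, a sender address outside the vendor's domain and a "reset" link whose real destination is a lookalike host, can be checked mechanically before anyone clicks. The following script is an added example, not LastPass's code or anything from the campaign itself: it parses a constructed sample of the forwarded "support conversation" lure and flags the sender domain, a display name that borrows the brand, links to untrusted or lookalike hosts, and anchors whose visible text names a different host than the `href`. `TRUSTED_DOMAINS`, both sample messages and the `.example` lookalike hostnames are assumptions made up for illustration.

```python
"""Triage an email for the signs described above: a sender domain that is not
the vendor's, a display name that borrows the vendor's brand, and links whose
real destination is a lookalike host or differs from the visible link text.

Added example, not LastPass's code. TRUSTED_DOMAINS and both sample messages
are constructed assumptions for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains a genuine mail from this vendor, and its links, may use.
TRUSTED_DOMAINS = {"lastpass.com"}

# Constructed sample of the forwarded "support conversation" lure. The hosts
# ending in .example are hypothetical lookalikes, not real attacker infrastructure.
SAMPLE_PHISH = """\
From: "LastPass Support" <support@lastpass-help.example>
To: victim@example.org
Subject: Fwd: Re: 2FA removal request for your account
Content-Type: text/html; charset=utf-8

<p>Forwarded from the support desk: a request we received in your name.</p>
<p>&gt; I lost my phone. Please remove 2FA and reset my master password.</p>
<p>&gt;&gt; Done. Reset here:
<a href="https://login.lastpass-secure.example/reset?id=123">https://lastpass.com/reset</a></p>
<p>If this was not you, act now.
<a href="https://lastpass.com/support">Contact support</a></p>
"""

# Constructed control message that should produce no findings.
SAMPLE_CLEAN = """\
From: "LastPass" <no-reply@lastpass.com>
To: user@example.org
Subject: Your monthly security report
Content-Type: text/html; charset=utf-8

<p>View your report: <a href="https://lastpass.com/report">lastpass.com/report</a></p>
"""

ANCHOR_RE = re.compile(r'<a\b[^>]*\bhref\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
BARE_HOST_RE = re.compile(r"^([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True if host is one of the trusted domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def brand_labels(trusted=TRUSTED_DOMAINS):
    """Brand words to look for in untrusted hosts and display names, e.g. 'lastpass'."""
    return {d.split(".")[0].lower() for d in trusted}


def host_named_in_text(text):
    """Hostname the visible link text claims, if it looks like a URL or bare host."""
    text = TAG_RE.sub("", text).strip()
    parsed = urlparse(text)
    if parsed.scheme and parsed.hostname:
        return parsed.hostname.lower()
    m = BARE_HOST_RE.match(text)
    return m.group(1).lower() if m else None


def analyze(raw_eml, trusted=TRUSTED_DOMAINS):
    """Return a list of (code, detail) findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    brands = brand_labels(trusted)
    findings = []

    # Sender check: the address domain, not the display name, is what counts.
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if not is_trusted_host(sender_host, trusted):
        findings.append(("untrusted-sender", addr or "<no address>"))
        if any(b in display.lower() for b in brands):
            findings.append(("brand-in-display-name", display))

    # Link check: real href destination, plus visible text that names another host.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for href, text in ANCHOR_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        if not is_trusted_host(host, trusted):
            code = "lookalike-link" if any(b in host for b in brands) else "external-link"
            findings.append((code, href))
        claimed = host_named_in_text(text)
        if claimed and claimed != host:
            findings.append(("link-text-mismatch", f"text says {claimed}, href goes to {host}"))
    return findings


if __name__ == "__main__":
    for code, detail in analyze(SAMPLE_PHISH):
        print(f"{code}: {detail}")
```

Run as-is it reports four findings for the constructed lure (untrusted sender, brand in the display name, a lookalike reset link, and link text that names lastpass.com while the `href` goes elsewhere) and none for the control message. The subdomain test in `is_trusted_host` deliberately requires a leading dot, so `lastpass.com.example` is not accepted; the brand-label heuristic is a coarse lookalike detector, and a mail gateway would add DKIM/DMARC results rather than rely on the From header alone.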