Password managers make great targets for attackers because they can hold many of the keys to your kingdom. Now, LastPass has warned customers about phishing emails claiming that action is required ahead of scheduled maintenance and told them not to fall for the scam.
According to LastPass, the latest phishing campaign began around January 19 with emails being sent from several addresses with multiple subject lines. All of these are about LastPass maintenance, and they all urge customers to back up their vaults within 24 hours.
“Please be advised that LastPass is NOT asking customers to backup their vaults in the next 24 hours,” the company said in a Monday security advisory.
“This is an attempt on the part of a malicious actor to generate urgency in the mind of the recipient, a common tactic for social engineering and phishing emails,” the alert continued. “Please remember that no one at LastPass will ever ask for your master password.”
LastPass vaults contain customers’ most sensitive information – usernames, passwords, credit card details, and secure notes – protected by a single master password. This makes LastPass a constant target for criminals who can use these details for all sorts of financial and identity fraud.
Just two months ago, the password manager sounded the alarm on another phishing campaign asking users to confirm that they aren’t dead.
The emails were sent over the Martin Luther King Jr. holiday weekend in the US, and this timing reflects another trick that fraudsters use. Because many people have the day off work, there are likely fewer employees to report the scam, which usually helps postpone detection of the phishing campaign.
A screenshot of a January 20 phishing email shows a link purporting to let customers “create backup now.” Instead of backing up their LastPass vault, clicking it redirects victims first to group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf and then to mail-lastpass[.]com, a phishing site designed to trick them into handing over their master password, potentially exposing every credential stored in their LastPass vault.
“Rest assured, we are working with our third-party partners to have this domain taken down as soon as possible,” LastPass said in its online advisory.
LastPass did not immediately respond to The Register’s inquiries, including how many customers received phishing emails and fell victim to the scam. We will update this story when we receive a response.
The advisory also includes a list of malicious URLs and associated IP addresses, along with the sender addresses and subject lines used in the phishing emails – so check those out to help with threat hunting efforts.
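As an added illustration of that threat-hunting step (example code written for this article, not LastPass's or The Register's), the script below refangs the two defanged indicators quoted above, checks URLs extracted from an email body against them, and separately flags brand-lookalike hosts that contain "lastpass" but are not under lastpass.com. The legitimate-domain set, the crude registrable-domain logic, and the sample email body are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the article, in the defanged form the advisory uses.
DEFANGED_IOCS = [
    "group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf",
    "mail-lastpass[.]com",
]

# Assumption: the vendor's real registrable domain.
LEGIT_DOMAINS = {"lastpass.com"}
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn 'example[.]com' / 'hxxp://' style indicators back into a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def registrable(host: str) -> str:
    """Crude eTLD+1: last two labels. Good enough for .com; wrong for suffixes like co.uk."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def matches_ioc(url: str, ioc: str) -> bool:
    """Host must match exactly; if the IOC carries a path, the URL path must start with it."""
    ioc_host, _, ioc_path = refang(ioc).partition("/")
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return host == ioc_host.lower() and path.startswith("/" + ioc_path)


def classify_url(url: str, iocs=DEFANGED_IOCS) -> str:
    """Return 'ioc' for a known indicator, 'lookalike' for a brand-abusing host, else 'ok'."""
    if any(matches_ioc(url, ioc) for ioc in iocs):
        return "ioc"
    host = (urlsplit(url).hostname or "").lower()
    if "lastpass" in host and registrable(host) not in LEGIT_DOMAINS:
        return "lookalike"
    return "ok"


def scan_message(body: str):
    """Extract every URL from an email body and classify each one."""
    return [(url, classify_url(url)) for url in URL_RE.findall(body)]


# Constructed sample body mimicking the 24-hour "create backup now" lure; not a real email.
SAMPLE = """Your vault must be backed up within 24 hours. Create backup now:
https://group-content-gen2.s3.eu-west-3.amazonaws.com/5yaVgx51ZzGf
Or sign in at https://mail-lastpass.com/login - help: https://www.lastpass.com/
"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE):
        print(f"{verdict:9} {url}")
```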