LastPass warns of scam using fake email chains spoofing account hacking 'to draw attention and generate urgency' in users
Eavesdropping on a fake social engineering attack?
- LastPass warns of phishing campaign targeting credentials
- Attackers trick victims with fake support conversations
- Malicious links mimic LastPass login pages
Popular password manager LastPass is warning customers about an ongoing phishing campaign, aimed at obtaining their login credentials.
What makes this campaign unusual is that the victim is positioned as a silent observer of an attack that is supposedly already under way, and is led to believe they are in a unique position to stop it, but only if they act fast.
In a blog post outlining the campaign, LastPass noted the scam was designed "to draw attention and generate urgency in the mind of the recipient, a common tactic for social engineering and phishing emails."
LastPass infrastructure intact
In a “classic” phishing attack, the threat actors impersonate LastPass, reach out to the targets, and claim their account needs “securing”. The same email offers a link where the target can supposedly do that, but the link is malicious and relays the entered login credentials to the attackers.
In this new campaign, things are a little different. The victim is forwarded an email chain showing a conversation between LastPass customer support and the alleged attackers. In the fake conversation, the attacker impersonates the victim and asks either for 2FA to be removed or for the password to be reset, and "customer support" complies by sharing a link.
For the trick to work, the victim needs to believe they have the advantage, and that they can forestall the attack by resetting the password themselves via the provided link. But the link leads to a malicious landing page designed to look like the LastPass login site.
In the warning, LastPass says that its infrastructure is intact and that the emails are not coming from the company’s email domain. Instead, the attackers are betting on victims not paying attention to the address the messages are actually sent from.
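The two checks LastPass points to, the sender's domain and the destination of the "reset" link, are easy to automate, and the lookalike hostnames these campaigns use are exactly what a naive "does it contain lastpass" check gets wrong. The script below is an added example, not LastPass's code or any tool named in the article: it parses a constructed lure (the headers, addresses and hostnames are made up for illustration) and flags every sender header and every body link whose domain is not the legitimate one or a subdomain of it. The legitimate domain is assumed to be lastpass.com; adapt it for any vendor.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed legitimate sender domain (the article only says the lure does not
# come from the company's own domain).
LEGIT_DOMAIN = "lastpass.com"

# Constructed sample of a forwarded "support thread" lure; every address and
# hostname here is hypothetical.
SAMPLE_LURE = """\
From: LastPass Support <support@lastpass-helpdesk.example>
Reply-To: support@lastpass-helpdesk.example
Return-Path: <bounce@mail-relay.example>
To: victim@example.org
Subject: FW: Re: Request to remove 2FA on your account
Content-Type: text/plain; charset=utf-8

Hi, we have processed the request below. If this was not you, you can
secure the account yourself here before the change takes effect:
https://login.lastpass.com.account-recovery.example/reset?id=123

---------- Forwarded message ----------
> Please remove two-factor authentication from my account.
Help center: https://support.lastpass.com/
"""

# Constructed benign message for comparison (also hypothetical).
SAMPLE_LEGIT = """\
From: LastPass <noreply@lastpass.com>
Return-Path: <bounce@mail.lastpass.com>
To: user@example.org
Subject: Your monthly security report
Content-Type: text/plain; charset=utf-8

Read the report at https://www.lastpass.com/ when convenient.
"""

URL_RE = re.compile(r"https?://[^\s<>'\"]+")


def domain_of(header_value):
    """Return the lowercase domain of an address header, or None if absent."""
    _, addr = parseaddr(str(header_value or ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def is_under(host, domain):
    """True only for the domain itself or a real subdomain of it.

    The leading dot matters: 'notlastpass.com' and
    'lastpass.com.evil.example' must both be rejected.
    """
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def analyse(raw_message, legit_domain=LEGIT_DOMAIN):
    """Return a list of findings; an empty list means nothing looked off."""
    msg = message_from_string(raw_message, policy=default)
    findings = []
    # Sender-side headers: any of these pointing elsewhere is a red flag,
    # and Reply-To/Return-Path are where spoofers often slip.
    for header in ("From", "Reply-To", "Return-Path"):
        dom = domain_of(msg.get(header))
        if dom and not is_under(dom, legit_domain):
            findings.append(f"{header} domain {dom} is not under {legit_domain}")
    # Body links: the "reset" URL is the actual credential-harvesting page.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if not is_under(host, legit_domain):
            findings.append(f"link host {host} is not under {legit_domain}")
    return findings


if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(f"{name}: {analyse(sample) or ['no findings']}")
```

Note that the lure's link host starts with `login.lastpass.com.` and would sail past a substring match; the suffix comparison in `is_under` is what catches it. Run the same logic over mail-gateway logs or a quarantined `.eml` rather than asking users to eyeball the sender.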
LastPass also said that it will never ask customers for their master password, and that it should never be disclosed to anyone. The company is working to have the malicious landing pages taken down as soon as possible, and urges anyone who receives the phishing email to report it to LastPass.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.