Password management service LastPass has issued a warning about a new phishing campaign targeting its users with fake alerts claiming unauthorized access to their accounts.

According to the company, attackers are sending emails that appear to come from a LastPass representative. The messages spoof the display name to look like they were sent by “LastPass Support.” The subject lines are designed to resemble forwarded internal conversations between attackers and the company’s customer support team. These fake conversations usually discuss a supposed request to change the primary email address on the user’s account.

The phishing emails attempt to create urgency and pressure the recipient into acting quickly. They include links labeled “report suspicious activity,” “disconnect and lock vault,” and “revoke device.” When users click these links, they are taken to a fake LastPass login page hosted on the domain verify-lastpass.com.

The fraudulent website looks like a legitimate LastPass login page but is designed to capture user credentials. Once victims enter their login details, attackers can steal their account information.

LastPass said the phishing operation also uses several slightly modified domain names that redirect victims to the same fake login page. In addition, attackers are using multiple sender addresses and varying subject lines to make the emails appear more credible and harder to track.

Most of the email addresses used in the campaign have no real connection to the LastPass brand. Many are created using compromised websites or abandoned domains. However, the attackers disguise them by setting the display name to “LastPass Support.”
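Mail-filter logic for the two tells described above, a "LastPass Support" display name on an unrelated sender domain and a link to a lookalike host such as verify-lastpass.com, as an added example that is not code from LastPass or from the article; the sample messages and the sender domain in them are constructed, and the legitimate-domain allowlist is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages modelled on the campaign described above:
# display name "LastPass Support", an unrelated sender domain, and a
# link to the lookalike domain verify-lastpass.com named in the report.
SAMPLE_PHISH = """From: LastPass Support <alerts@example-compromised-site.test>
Subject: Fwd: Re: Request to change primary email address
Content-Type: text/plain

Suspicious activity detected. Report it here:
https://verify-lastpass.com/login
"""

SAMPLE_LEGIT = """From: LastPass <no-reply@lastpass.com>
Subject: Your LastPass account
Content-Type: text/plain

Sign in at https://lastpass.com/ to review your account.
"""

LEGIT_DOMAINS = {"lastpass.com"}  # assumed allowlist of brand-owned domains
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _is_legit_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def flag_lastpass_lure(raw: str) -> list[str]:
    """Return reasons a message looks like a LastPass brand-impersonation lure."""
    msg = message_from_string(raw)
    reasons = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    # Display name claims the brand while the sending domain is unrelated.
    if "lastpass" in display.lower() and not _is_legit_host(sender_domain):
        reasons.append(f"display-name spoof: '{display}' from {sender_domain}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        # Lookalike: the brand name appears in a hostname the brand does not own.
        if "lastpass" in host.lower() and not _is_legit_host(host):
            reasons.append(f"lookalike link host: {host}")
    return reasons
```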

The company emphasized that its systems and infrastructure have not been compromised. LastPass also reminded users that its support staff will never ask for a master password and that customers should never share it with anyone.


LastPass says it is working with third-party partners to remove the fake phishing websites. Users who receive suspicious emails related to LastPass are encouraged to report them to abuse@lastpass.com.