
LastPass Warns of New Phishing Campaign

The attackers are sending out fake alerts claiming unauthorized access or master password changes. The post LastPass Warns of New Phishing Campaign appeared first on SecurityWeek.

LastPass is warning users of a new phishing campaign that aims to trick them into handing over their master password.

The fake emails purport to come from LastPass, leveraging a spoofed display name.

“The attacker relies on the fact that many email clients (especially mobile) show only the display name, hiding the real sender address unless you expand it,” LastPass noted.
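A receiving-side check for the display-name spoofing described above compares the brand named in the display name with the domain of the real sender address. This Python code is an added example, not code from LastPass or SecurityWeek; the `lastpass.com` allow-list entry, the treatment of subdomains as legitimate, and the sample headers are assumptions constructed for illustration.

```python
import unicodedata
from email import message_from_string, policy

# Assumption: brand keyword -> domains that brand legitimately sends from.
BRAND_DOMAINS = {"lastpass": ("lastpass.com",)}

# Constructed sample headers (not taken from the published IoCs).
SAMPLES = {
    "genuine": "From: LastPass <no-reply@lastpass.com>\n\n",
    "spoofed": 'From: "LastPass Security" <alerts@account-notice.example>\n\n',
    "encoded": "From: =?utf-8?b?TGFzdFBhc3M=?= <support@mail.example>\n\n",
    "lookalike": "From: LastPass <no-reply@lastpass.com.verify.example>\n\n",
}

def _fold(text):
    """Fold case and compatibility forms (e.g. full-width letters), drop spaces."""
    return unicodedata.normalize("NFKC", text).casefold().replace(" ", "")

def _domain_allowed(domain, allowed):
    """True if domain is an allowed domain or a subdomain of one."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def display_name_spoofs(raw_message):
    """Return (display_name, address, brand) for each From mailbox whose
    display name names a brand while the real address is outside its domains."""
    # policy.default decodes RFC 2047 encoded-words in the display name.
    header = message_from_string(raw_message, policy=policy.default)["From"]
    findings = []
    for mbox in (header.addresses if header is not None else ()):
        name = _fold(mbox.display_name or "")
        for brand, allowed in BRAND_DOMAINS.items():
            if brand in name and not _domain_allowed(mbox.domain, allowed):
                findings.append((mbox.display_name, mbox.addr_spec, brand))
    return findings

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, display_name_spoofs(raw) or "ok")
```

A hit from this check is a triage signal for a mail gateway or abuse mailbox, to be combined with SPF, DKIM and DMARC results rather than used alone.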

The phishing emails inform recipients of unauthorized access to their account or master password changes and urge victims to take immediate action, such as revoking devices, disconnecting and locking their vault, or reporting suspicious activity. 

The messages contain links pointing to a fake LastPass login page designed to harvest users’ master passwords, which can be highly valuable to threat actors, particularly profit-driven cybercriminals. 

The password manager has released indicators of compromise (IoCs), including URLs, IPs, sender email addresses, and email subject lines.

LastPass warned users in January about a backup-themed phishing campaign. 

LastPass told SecurityWeek recently that it has been aided by Fortra Brand Protection in conducting takedown operations, and has also worked directly with hosting providers to remove the malicious sites.
