The big picture: Law enforcement agencies confirm that phishing is currently the most prevalent form of cybercrime, and attacks are becoming increasingly sophisticated. Hackers are targeting privileged access to passwords and other sensitive data, and LastPass has emerged as a major target following its previous high-profile security breach.
LastPass recently disclosed an active phishing campaign targeting users of its online services. The campaign began on January 19, with fake messages sent from multiple email addresses and using varying subject lines. The body of the emails remains mostly consistent, instructing users to visit a website and perform a supposedly scheduled maintenance procedure.
LastPass emphasized that these emails are fraudulent and that the company is not requesting users to back up their online password vaults. The attackers are clearly attempting to create a sense of urgency around a theoretical security risk – a common tactic in phishing campaigns.
The "Create Backup Now" button in the emails directs users to a site hosted on Amazon AWS, which then redirects to a "mail-lastpass_dot_com" URL. The hackers appear to have timed their campaign to coincide with a holiday week in the US, allowing the operation to continue longer while fewer employees are available to detect and respond to the threat.
LastPass published a list of all malicious URLs, IP addresses, and email header data discovered by its Threat Intelligence, Mitigation, and Escalation (TIME) team while analyzing the campaign. In a recent update, the TIME team warned that the criminals behind the original campaign are now sending a new wave of phishing emails, using similar social engineering tactics.
The company appears to have successfully disrupted the first campaign's infrastructure. However, the second wave of emails involves additional domains and IP addresses, suggesting that the attackers are leveraging a larger pool of internet resources. They are likely running multiple campaigns simultaneously, targeting LastPass and potentially other companies.
"While this is always a best practice, we recommend you confirm any email claiming to be from LastPass are coming from legitimate LastPass email domains as this campaign is ongoing," the security firm noted.
The largest security challenges faced by LastPass stem from the 2022 data breach of its password manager service. Cybercriminals continue to exploit the stolen data, targeting sensitive accounts and stealing crypto tokens on a regular basis.
Given these ongoing threats, users may question whether LastPass still provides adequate security. There are alternative password managers with stronger operational security and a more reliable track record available.
Hackers are using fake maintenance emails to trick LastPass users
