Beware: Fake LastPass Emails Mimic Backup Alerts

Summary
– LastPass is warning users about a new phishing campaign that sends fake maintenance notifications, falsely urging them to back up their vaults within 24 hours.
– The malicious emails contain links to phishing sites designed to hijack accounts or steal master passwords by creating a false sense of urgency.
– The campaign, which started around January 19, uses deceptive sender addresses and subject lines that mimic legitimate LastPass security communications.
– LastPass emphasizes it will never ask users for their master password and advises reporting such emails to its abuse address.
– This is part of a pattern where LastPass users are frequently targeted by phishing scams using various deceptive themes, such as fake breach alerts or inheritance claims.

A new and deceptive phishing campaign is impersonating the popular password manager LastPass, attempting to trick users with urgent emails about mandatory vault backups. These fraudulent messages create a false sense of urgency, claiming an infrastructure update requires immediate action to secure personal data. Security experts warn that clicking the provided link leads to a malicious site designed to harvest master passwords and compromise entire password vaults.
The malicious emails cleverly mimic legitimate LastPass communications, using subject lines that sound official and pressing. Observed subjects include “LastPass Infrastructure Update: Secure Your Vault Now” and “Protect Your Passwords: Backup Your Vault (24-Hour Window).” The messages are crafted to appear genuine, stating that while data is protected, creating a local backup ensures uninterrupted access during a supposed maintenance window. The text even includes reassuring language about safeguarding information from “unforeseen technical difficulties.”
LastPass has confirmed it is NOT asking customers to back up their vaults within a 24-hour period. The company’s Threat Intelligence team identified the campaign starting on January 19th, with emails originating from deceptive addresses like ‘support@lastpass[.]server8’. The link within the email, often a button labeled ‘Create Backup Now’, redirects users to a phishing domain such as ‘mail-lastpass[.]com’. This site is built to steal login credentials.
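The indicators above (a sender domain that merely contains "lastpass", a lookalike link domain behind the button, and a 24-hour urgency subject) are exactly what a mail-filtering rule can key on. The following is an added illustration, not code from LastPass or from the article: it parses two constructed sample messages modelled on the campaign and flags each tell-tale separately, treating only `lastpass.com` and its subdomains as legitimate.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_DOMAIN = "lastpass.com"  # assumption: the only domain LastPass mail and links should use

# Constructed sample modelled on the campaign described in the article; not a captured message.
PHISH_SAMPLE = """From: LastPass Support <support@lastpass.server8>
Subject: Protect Your Passwords: Backup Your Vault (24-Hour Window)
Content-Type: text/html

<p>Create a local backup within 24 hours to avoid unforeseen technical difficulties.</p>
<a href="https://mail-lastpass.com/backup">Create Backup Now</a>
"""

# Constructed benign sample for comparison.
LEGIT_SAMPLE = """From: LastPass <noreply@lastpass.com>
Subject: Your monthly security report
Content-Type: text/html

<a href="https://lastpass.com/security">View report</a>
"""


def is_legit_host(host: str) -> bool:
    """True only for lastpass.com itself or a subdomain of it (mail-lastpass.com is neither)."""
    host = host.lower().rstrip(".")
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def analyse(raw: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw)
    findings = []
    # 1. Sender domain that name-drops LastPass without being the real domain.
    _, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    if "lastpass" in sender_host and not is_legit_host(sender_host):
        findings.append(f"sender domain spoofs LastPass: {sender_host}")
    # 2. Links whose host is a lookalike (e.g. mail-lastpass.com) rather than lastpass.com.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for href in re.findall(r'href=["\']([^"\']+)["\']', body, re.I):
        host = (urlparse(href).hostname or "").lower()
        if "lastpass" in host and not is_legit_host(host):
            findings.append(f"lookalike link: {host}")
    # 3. Urgency lure in the subject line, as used by this campaign.
    subject = msg.get("Subject", "")
    if re.search(r"24[- ]hour|back\s?up your vault|secure your vault", subject, re.I):
        findings.append(f"urgency lure in subject: {subject}")
    return findings
```

Rule 2 is the one that catches the campaign's distinctive trick, since `mail-lastpass.com` passes a naive "contains lastpass" check but fails the suffix test.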
Attackers strategically launched this operation during a holiday weekend in the United States, likely hoping that security teams would be understaffed and response times would be slower. This timing is a common tactic to increase the success rate of such social engineering attacks.
The password management firm emphasizes it will never ask users for their master password. They urge anyone who receives a suspicious email to report it directly to ‘abuse@lastpass.com’. Users should always navigate directly to the LastPass website by typing the address into their browser, rather than clicking links from unsolicited messages.
This incident is part of an ongoing trend where LastPass users are frequently targeted. Phishing campaigns constantly evolve their lures; in recent months, attackers have used fake death claims to trigger a legacy process and fabricated data breach alerts to push a fraudulent desktop app download. Vigilance is the best defense against these sophisticated attempts to steal sensitive login information.
(Source: Bleeping Computer)