LastPass Phishing E-mails

Summary:

We’ve noticed an uptick in phishing e-mails targeting LastPass users with dozens reported in the last 24 hours.

We think there’s a pretty good chance that these e-mails are being targeted at lists of e-mail addresses obtained from last year’s LastPass breach.

These recent e-mails look realistic but contain several red flags indicating a potential threat.  Unfortunately, it’s possible that messages like these will make it past spam filters through the use of legitimate domains and e-mail infrastructure belonging to legitimate victim organizations that have been recently compromised. 

Please stay vigilant and ‘keep your antennas up’ for potential phishing e-mails that appear to be sent from LastPass. 

See screenshot of one of these messages below:

Red flags we noticed:

1. Invalid sender e-mail address: Even though the display name of the sender says ‘LastPass’, the actual sender e-mail address doesn’t belong to LastPass.

2. Irrelevant references to payments: The message claims to request verification of personal data for maintaining access to your account and reiterates this request with the call-to-action button titled ‘Confirm my information’ at the bottom. However, it makes several irrelevant references to ‘payment security’. Statements like this, especially in cases where the point of the communication doesn’t have anything to do with payments, are often intended to scare the reader and imply a higher level of risk for non-compliance.

3. Urgency: A sense of urgency is created by demanding action before a deadline date.

4. Malicious link: As a rule, you should avoid taking action on a link in an e-mail that’s requesting information. If you believe that you have to click on the link in the e-mail and don’t have any way to contact the sender for validation, always hover your mouse cursor over the button or link to expose the full URL for the link. When hovering the mouse over the ‘Confirm my information’ button in this case, the malicious link is exposed:

5. Malicious landing page, foreign domain: If we attempt to follow the malicious link (WHICH YOU SHOULD NOT!), we get redirected to a page at a Slovakian domain name which is designed to look exactly like LastPass’ real login page and capture the victim’s username and password. If you enter credentials, then you’re presented with another well-crafted page designed to capture your two-factor authentication (2FA) code:
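The same red flags can be checked mechanically by a SOC triage script. The Python below is an added example, not code from the original post or from LastPass; the sample message, its sender domain, link host and deadline are all constructed, and the `TRUSTED_DOMAINS` set is an assumption about which domain the vendor really uses.

```python
"""Triage a suspicious 'LastPass' e-mail for the red flags listed above.
Added example, not from the original post; the message, sender domain,
link host and deadline below are constructed to illustrate the pattern."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"lastpass.com"}  # assumption: the vendor's real domain(s)
URGENCY_RE = re.compile(r"\b(before \w+ \d{1,2}|within \d+ (hours?|days?)|deadline|immediately)\b", re.I)
HREF_RE = re.compile(r'href="([^"]+)"', re.I)

# Constructed sample: display name says LastPass, address does not; a button
# links to a look-alike host outside lastpass.com; a deadline adds urgency.
CONSTRUCTED_EML = """\
From: LastPass <no-reply@example-compromised-vendor.test>
To: user@example.com
Subject: Action required: confirm your information
Content-Type: text/html; charset=utf-8

<p>To maintain payment security, confirm your personal data before March 31.</p>
<p><a href="https://login-lastpass.example.sk/verify">Confirm my information</a></p>
"""

def host_is_trusted(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only for a trusted domain itself or one of its subdomains,
    so 'lastpass.com.evil.test' and 'login-lastpass.example.sk' fail."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

def triage(raw: str) -> dict:
    """Return the red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2]
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    link_hosts = [urlparse(u).hostname or "" for u in HREF_RE.findall(body)]
    return {
        # Flag 1: display name claims the vendor but the address domain does not match.
        "sender_mismatch": "lastpass" in display.lower() and not host_is_trusted(sender_domain),
        # Flag 2: payment language in a message that is not about payments.
        "payment_reference": "payment" in body.lower(),
        # Flag 3: deadline wording that manufactures urgency.
        "urgency": URGENCY_RE.search(body) is not None,
        # Flags 4 and 5: buttons or links that lead outside the vendor's domain.
        "untrusted_links": [h for h in link_hosts if not host_is_trusted(h)],
    }
```

Note that `host_is_trusted` matches on the registrable domain and its subdomains, so a look-alike host that merely contains the string “lastpass” is still reported as untrusted.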

Here are some reminders and tips to help you recognize and avoid phishing attacks:

Common things you may see in phishing e-mails:

  • Urgency

  • Spelling and grammar mistakes

  • Generic greetings like ‘Dear sir or madam’

  • Sender e-mail address doesn’t match the display name

  • Suspicious links, buttons, or attachments

Tips to avoid impact from phishing e-mails:

  • Never click on links or open attachments in suspicious e-mails.

  • If a suspicious message comes from a vendor like LastPass, contact them via their official website or through a known point-of-contact to validate legitimacy.

  • If a suspicious message comes from someone you know, contact them via phone, SMS, or other means to confirm legitimacy.

  • Report the message to your SOC, IT department, or e-mail vendor using built-in reporting buttons (e.g. the report buttons built into Outlook or Gmail).

  • Never forward it.

  • Delete it.

Tips for IT professionals:

  • Implement DNS filtering to block known-malicious websites that may be used to conduct phishing attacks or deliver or control malware

  • Use password managers (and encourage your users to do the same).  They can help in these types of situations because they generally will only auto-fill credentials into known URLs and won’t provide credentials to a website with an unknown URL.

  • Use strong credentials for MFA like those based on FIDO2.

As always, feel free to contact us if you have any specific questions or concerns.

Stay safe!
