LastPass Warns of New Phishing Campaign
securityweek
LastPass is warning users of a new phishing campaign that aims to trick them into handing over their master password.
The fake emails purport to come from LastPass, leveraging a spoofed display name.
“The attacker relies on the fact that many email clients (especially mobile) show only the display name, hiding the real sender address unless you expand it,” LastPass noted.
The phishing emails inform recipients of unauthorized access to their account or master password changes and urge victims to take immediate action, such as revoking devices, disconnecting and locking their vault, or reporting suspicious activity.
The messages contain links pointing to a fake LastPass login page designed to harvest users’ master passwords, which can be highly valuable to threat actors, particularly profit-driven cybercriminals.
The password manager has released indicators of compromise (IoCs), including URLs, IPs, sender email addresses, and email subject lines.
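The display-name trick LastPass describes can be flagged at a mail gateway or during triage by comparing the decoded display name with the real sender domain. The following Python check is an added example, not code from LastPass or SecurityWeek; the trusted-domain table, function names and sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.policy import default

# Assumption: brand keyword -> domains that brand really sends from.
# Populate this from your own mail flow; it is not taken from the advisory.
TRUSTED_SENDERS = {"lastpass": {"lastpass.com"}}

def domain_trusted(domain, trusted):
    """True if domain equals a trusted domain or is a subdomain of one."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in trusted)

def spoofed_senders(raw_message):
    """Return (display_name, addr_spec) pairs whose display name claims a
    brand while the real address is outside that brand's domains."""
    msg = message_from_string(raw_message, policy=default)
    header = msg["From"]
    hits = []
    if header is None:
        return hits
    for addr in header.addresses:  # policy=default decodes RFC 2047 names
        name = addr.display_name.lower()
        for brand, domains in TRUSTED_SENDERS.items():
            if brand in name and not domain_trusted(addr.domain, domains):
                hits.append((addr.display_name, addr.addr_spec))
    return hits

# Constructed sample messages (reserved example.net domains, made-up subjects).
SPOOFED = ('From: "LastPass Security" <alerts@example.net>\n'
           "Subject: constructed sample\n\nbody\n")
ENCODED = ("From: =?utf-8?B?TGFzdFBhc3M=?= <notice@lastpass.com.example.net>\n"
           "Subject: constructed sample\n\nbody\n")
LEGIT = ('From: "LastPass" <no-reply@lastpass.com>\n'
         "Subject: constructed sample\n\nbody\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("encoded", ENCODED), ("legit", LEGIT)):
        print(label, spoofed_senders(raw))
```

A hit is a triage signal only: the check compares the name to the address and does not replace SPF, DKIM and DMARC evaluation of the sending domain.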
LastPass warned users in January about a ...

