A phishing campaign is targeting LastPass users with phony notifications informing users that someone has notified the company of the user’s death and is trying to gain access to their account. The emails have the subject line, “Legacy Request Opened (URGENT IF YOU ARE NOT DECEASED).”
LastPass describes the following attack flow:
- “The email claims someone within the recipient’s family has opened a request to access the intended victim’s vault as a legacy user by uploading a death certificate.
- The email goes on to include a statement that a live case has been opened and includes fabricated information regarding a supposed agent assigned to the case, including an agent ID number, the date the case opened, and the case priority, all of which are false.
- The email then includes a link to cancel the request, which in fact directs the intended victim to the URL ‘https://lastpassrecovery[.]com,’ which then asks for the victim to enter their master password in an attempt to phish credentials.”
Notably, the attackers are also calling recipients of the emails and posing as LastPass representatives, adding another layer of legitimacy to the campaign. Additionally, the attackers are targeting users’ passkeys as well as their passwords.
“[S]everal of the phishing sites are clearly intended to target passkeys, reflecting both the increased interest on the part of cybercriminals in passkeys and the increased adoption on the part of consumers,” LastPass says. “For example, there are numerous variations of ‘mypasskey[.]info’ linked to the malicious IPs.”
LastPass stresses that it will never ask for your master password, and users should maintain a healthy sense of suspicion when they receive unsolicited emails.
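The indicators LastPass gives above (the subject line, the ‘lastpassrecovery[.]com’ lure domain, and the ‘mypasskey[.]info’ variations) are the kind of thing a mail-filter or SOC triage script can key on. The following is an added example, not code from LastPass or KnowBe4: it refangs defanged domains, pulls URLs out of a message body, and flags known phishing domains plus brand-lookalike domains that contain “lastpass” or “passkey” but are not the legitimate lastpass.com origin. The sample email, the keyword list, the two-label “registrable domain” shortcut and the assumption that lastpass.com is the only legitimate domain are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Indicators quoted from the LastPass description on this page.
# "[.]" is defanging used in the write-up; refang before matching.
KNOWN_PHISHING_DOMAINS = {"lastpassrecovery.com", "mypasskey.info"}
SUSPICIOUS_SUBJECT = "legacy request opened"

# Assumption: only this domain is treated as the legitimate LastPass origin.
LEGITIMATE_DOMAINS = {"lastpass.com"}

# Assumption: brand keywords that should never appear in a third-party domain.
BRAND_KEYWORDS = ("lastpass", "passkey")

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


def refang(text):
    """Turn defanged indicators ("[.]", "hxxp") back into parseable URLs."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host):
    """Crude registrable-domain extraction: the last two labels.
    Assumption: no public-suffix list, so co.uk-style suffixes are not handled."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def extract_domains(body):
    """Return the registrable domain of every http(s) URL found in the body."""
    domains = []
    for match in URL_RE.finditer(refang(body)):
        host = urlparse(match.group(0)).hostname
        if host:
            domains.append(registrable_domain(host))
    return domains


def is_lookalike(domain):
    """A domain that carries a brand keyword but is not the legitimate origin."""
    if domain in LEGITIMATE_DOMAINS:
        return False
    return any(keyword in domain for keyword in BRAND_KEYWORDS)


def triage_email(subject, body):
    """Return a list of human-readable findings for one message; empty means clean."""
    findings = []
    if SUSPICIOUS_SUBJECT in subject.lower():
        findings.append("subject matches legacy-request lure")
    for domain in extract_domains(body):
        if domain in KNOWN_PHISHING_DOMAINS:
            findings.append(f"known phishing domain: {domain}")
        elif is_lookalike(domain):
            findings.append(f"brand lookalike domain: {domain}")
    return findings


# Constructed sample message modelled on the lure described above.
SAMPLE_SUBJECT = "Legacy Request Opened (URGENT IF YOU ARE NOT DECEASED)"
SAMPLE_BODY = (
    "A family member has uploaded a death certificate and opened a legacy "
    "access request for your vault. To cancel the request visit "
    "https://lastpassrecovery[.]com/cancel within 24 hours. "
    "Security tips: https://www.lastpass.com/security"
)

if __name__ == "__main__":
    for finding in triage_email(SAMPLE_SUBJECT, SAMPLE_BODY):
        print(finding)
```

The lookalike check is what catches the “numerous variations” LastPass mentions: a host such as login-mypasskey[.]info is not in the known list but still trips the brand-keyword rule, while links to accounts.lastpass.com resolve to the legitimate domain and are left alone.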
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.
LastPass has the story.
