LastPass has issued a warning about a new phishing campaign targeting its users' master passwords.
The fraudulent emails claim to originate from LastPass, using a spoofed display name to deceive recipients.
According to LastPass, attackers exploit the fact that many email clients, especially on mobile devices, display only the sender's name, concealing the actual email address unless expanded.
The phishing emails alert users to supposed unauthorized access or changes to their account's master password. They prompt recipients to take urgent actions such as revoking devices, disconnecting, locking their vault, or reporting suspicious activities.
These messages include links to a counterfeit LastPass login page designed to capture users' master passwords, which are highly valuable to cybercriminals, especially those motivated by profit.
LastPass has provided indicators of compromise, which include URLs, IP addresses, sender email addresses, and email subject lines to help users identify the threats.
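The display-name trick described above, and the sender/subject/URL indicators LastPass refers to, can both be checked mechanically on the mail-gateway or SIEM side. The script below is an added example written for this page; it is not code from LastPass, SecurityWeek or the campaign. The indicator values in it are constructed placeholders (not the real IoCs LastPass published), and it assumes `lastpass.com` as the only legitimate sender domain for the brand. It parses the `From:` header, flags a display name that claims the brand while the address domain does not belong to it, and matches sender, subject and link hosts against an indicator list.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed placeholder indicators for this example. They are NOT the
# real IoCs LastPass published; replace them with the published list.
IOC_SENDERS = {"alerts@lastpass-security-example.test"}
IOC_SUBJECTS = {"Unauthorized access to your LastPass vault"}
IOC_URL_HOSTS = {"lastpass-login-example.test"}

# Assumption for the example: the brand string to look for in display
# names and link hosts, and the domain(s) the brand legitimately sends from.
BRAND = "lastpass"
LEGIT_DOMAINS = {"lastpass.com"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def is_legit_domain(domain):
    """True if domain is a legitimate brand domain or a subdomain of one."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)


def display_name_mismatch(from_header):
    """Parse a From: header into (display_name, address, mismatch).

    mismatch is True when the display name claims the brand but the
    address domain is not a legitimate one. This is exactly the case a
    mobile client hides when it shows only the display name.
    """
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    claims_brand = BRAND in name.lower()
    return name, addr, claims_brand and not is_legit_domain(domain)


def extract_url_hosts(body):
    """Return the set of hostnames of all http(s) URLs found in the body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def score_message(msg):
    """msg is a dict with 'from', 'subject' and 'body'. Returns a list of
    human-readable reasons the message looks like brand phishing; an
    empty list means nothing was flagged."""
    reasons = []
    name, addr, mismatch = display_name_mismatch(msg["from"])
    if mismatch:
        reasons.append(f"display name {name!r} claims {BRAND} but address is {addr}")
    if addr.lower() in IOC_SENDERS:
        reasons.append("sender address matches indicator list")
    if msg["subject"].strip() in IOC_SUBJECTS:
        reasons.append("subject line matches indicator list")
    hosts = extract_url_hosts(msg["body"])
    ioc_hits = hosts & IOC_URL_HOSTS
    if ioc_hits:
        reasons.append(f"link host(s) match indicator list: {sorted(ioc_hits)}")
    # Look-alike hosts: the brand name embedded in a domain the brand does not own.
    lookalikes = {h for h in hosts if BRAND in h and not is_legit_domain(h)}
    if lookalikes:
        reasons.append(f"brand look-alike link host(s): {sorted(lookalikes)}")
    return reasons


# Constructed sample messages, modelled on the lure described in the article.
SAMPLE_PHISH = {
    "from": "LastPass <alerts@lastpass-security-example.test>",
    "subject": "Unauthorized access to your LastPass vault",
    "body": "A new device accessed your vault. Lock it now: "
            "https://lastpass-login-example.test/login",
}
SAMPLE_LEGIT = {
    "from": "LastPass <noreply@lastpass.com>",
    "subject": "Your monthly summary",
    "body": "Sign in at https://lastpass.com/ to review your account.",
}

if __name__ == "__main__":
    for label, m in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, score_message(m) or ["no findings"])
```

Only the display-name and look-alike checks generalise beyond a specific campaign; the indicator sets are exact-match and must be refreshed whenever LastPass publishes new URLs, addresses or subject lines.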
In January, LastPass had already cautioned users about a similar phishing campaign that used a backup theme to lure victims.
Recently, LastPass informed SecurityWeek that it has been collaborating with Forta Brand Protection to conduct takedown operations. They have also partnered with hosting providers to eliminate these malicious sites.