Fake Support Emails Trick Users into Sharing Passwords
6 Mar
Summary
- Attackers impersonate LastPass support staff using display-name spoofing.
- Fake emails link to malicious websites harvesting vault details.
- New social engineering campaign emerged in early March.

A sophisticated phishing campaign is currently targeting LastPass users, employing deceptive tactics to steal sensitive vault credentials. Launched in early March, this new social engineering effort aims to trick individuals into divulging their password manager's master password.
Attackers are impersonating LastPass support staff by forwarding fake email chains. They rely on display-name spoofing: the message carries a trusted-looking display name, and because many email clients show only that name, the true sender's address stays hidden and the scam appears legitimate. Users are prompted to take urgent action, such as disconnecting their vault, through links in these emails.
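A mail filter can catch the display-name spoofing described above by comparing what the name claims with the domain of the actual address. The following is an added example, not code from LastPass or from the original article; the trusted-domain allow-list, the function names and all sample headers are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy

BRAND = "lastpass"                  # brand keyword the display name may claim
TRUSTED_DOMAINS = {"lastpass.com"}  # assumption: allow-list chosen by the defender

def _normalize(name):
    # Lowercase and drop spaces/punctuation so "Last-Pass" still matches.
    return re.sub(r"[^a-z0-9]", "", name.lower())

def _is_trusted(domain):
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)

def spoofed_senders(raw_message):
    """Return (display_name, address) pairs where the name claims the brand
    but the real address is outside the trusted domains."""
    msg = message_from_string(raw_message, policy=policy.default)
    header = msg["From"]
    if header is None:
        return []
    hits = []
    for addr in header.addresses:  # policy.default decodes RFC 2047 names
        claims_brand = BRAND in _normalize(addr.display_name)
        if claims_brand and not _is_trusted(addr.domain):
            hits.append((addr.display_name, addr.addr_spec))
    return hits

# Constructed sample headers, not taken from the real campaign.
SAMPLES = {
    "spoofed": 'From: "LastPass Support" <helpdesk@mail-notify.example>\n\nbody',
    "addr_in_name": 'From: "support@lastpass.com" <alerts@acct-check.example>\n\nbody',
    "encoded": "From: =?utf-8?q?Last-Pass_Support?= <x@vault-help.example>\n\nbody",
    "genuine": "From: LastPass Support <support@lastpass.com>\n\nbody",
    "unrelated": "From: Alice <alice@example.org>\n\nbody",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, spoofed_senders(raw))
```

An empty result only means the display name and the address agree; whether the address itself is authentic still depends on SPF, DKIM and DMARC evaluation by the receiving server.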
These links lead to counterfeit websites meticulously designed to harvest user credentials. Once compromised, attackers can access the victim's entire password vault. LastPass is actively working with partners to dismantle these fake sites, though new ones may continue to appear. Users are advised to report suspicious emails to [email protected]




