Gandalf_The_Grey
LastPass would like to alert our customers of a current phishing campaign that began in mid-October targeting our users, which has been associated with crypto theft. These phishing emails are being spoofed to appear as if they are coming from the email address “alerts@lastpass[.]com” with the subject line “Legacy Request Opened (URGENT IF YOU ARE NOT DECEASED).”
Tactics Associated with This Campaign
- The email claims someone within the recipient’s family has opened a request to access the intended victim’s vault as a legacy user by uploading a death certificate.
Of note, the threat actor has also called recipients of this email, claiming they are representatives of LastPass and urging them to visit the phishing site and enter their master password, bringing a more active social engineering element to this campaign.
- The email goes on to include a statement that a live case has been opened and includes fabricated information regarding a supposed agent assigned to the case, including an agent ID number, the date the case opened, and the case priority, all of which are false.
- The email then includes a link to cancel the request, which in fact directs the intended victim to the URL “https://lastpassrecovery[.]com”, which then asks for the victim to enter their master password in an attempt to phish credentials.
- The email notes the link is unique to the individual and that they should only access their account through that link in a clear attempt to direct the recipient to the phishing site.
- The email states that the intended victim should confirm the email was sent from the spoofed email address, “alerts@lastpass[.]com”.
- Finally, the email concludes with the statement “Your security is our top priority. Never share your master password with anyone - including us!”
Possible CryptoChameleon Social Engineering Campaign Targeting LastPass Customers, Crypto Exchange Customers, Passkeys, and More - The LastPass Blog
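A mail-triage check built from the indicators in the advisory above, as an added example that is not code from LastPass or from the original post. Because the lure itself tells recipients to confirm the sender address, the check relies on the DMARC result and the link hosts rather than on the From line alone. The `triage` function, finding labels, allow-list and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

def refang(s):
    return s.replace("[.]", ".")

# Indicators from the advisory, kept defanged in source and refanged at run time.
SPOOFED_SENDER = refang("alerts@lastpass[.]com")
SUBJECT_MARKER = "legacy request opened"
PHISHING_HOST = refang("lastpassrecovery[.]com")
# Assumption: suffixes treated as genuine in this sketch; use your own allow-list.
LEGIT_SUFFIXES = (refang("lastpass[.]com"),)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_under(host, domain):
    return host == domain or host.endswith("." + domain)

def triage(raw):
    """Return the findings for one RFC 5322 message given as a string."""
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # Assumption: Authentication-Results was stamped by your own receiving MTA.
    auth = " ".join(msg.get_all("Authentication-Results") or []).lower()
    if sender == SPOOFED_SENDER and not re.search(r"\bdmarc=pass\b", auth):
        findings.append("lastpass-sender-without-dmarc-pass")
    if SUBJECT_MARKER in (msg.get("Subject") or "").lower():
        findings.append("campaign-subject")
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for url in URL_RE.findall(text):
            host = (urlparse(url).hostname or "").lower()
            if is_under(host, PHISHING_HOST):
                findings.append("known-phishing-host:" + host)
            elif "lastpass" in host and not any(is_under(host, d) for d in LEGIT_SUFFIXES):
                findings.append("lookalike-host:" + host)
    return findings

# Constructed sample message (not a captured email), defanged until parsed.
SAMPLE = refang("""\
From: LastPass <alerts@lastpass[.]com>
Subject: Legacy Request Opened (URGENT IF YOU ARE NOT DECEASED)
Authentication-Results: mx.example.org; spf=fail; dkim=none; dmarc=fail

A request to access your vault was opened. Cancel: https://lastpassrecovery[.]com
""")
```
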