Popular password manager under attack by hackers — don’t fall for these fake backup emails
'LastPass is NOT asking customers to back up their vaults'
Keeping track of dozens of passwords is a hassle, which is why more and more people rely on one of the best password managers to do the heavy lifting instead. However, your digital vault is only as secure as your ability to spot a scam. That's the hard lesson LastPass users are learning after cybercriminals impersonated the popular password manager in a convincing phishing campaign launched just after a recent holiday weekend in the U.S.
As reported by BleepingComputer, LastPass has issued a warning about a new phishing campaign in which cybercriminals are impersonating the company to encourage users to create a local backup of their vaults and all of the passwords stored inside them.
What's so dangerous about backing up your passwords? Nothing, in itself. The problem is that the button in the email doesn't create a backup at all: it takes unsuspecting users to a phishing site built to harvest their LastPass login credentials, including the master password that unlocks everything in the vault.
Here’s everything you need to know about this new phishing scam, along with some tips and tricks to help keep your accounts and passwords safe, even if you don’t use a password manager.
From backup to account takeover
This new phishing campaign starts with a malicious email in your inbox that looks and reads like it comes from LastPass itself. However, that couldn’t be further from the truth as the hackers behind this campaign have gone to great lengths to impersonate the popular password manager.
In a blog post, LastPass explains that the campaign began on January 19 and that the phishing emails came from senders with addresses like “support@lastpass[.]server8” and “support@sr22vegas[.]com”. Besides these less-than-legitimate-looking email addresses, the following subject lines accompanied these malicious messages:
- LastPass Infrastructure Update: Secure Your Vault Now
- Your Data, Your Protection: Create a Backup Before Maintenance
- Don't Miss Out: Backup Your Vault Before Maintenance
- Important: LastPass Maintenance & Your Vault Security
- Protect Your Passwords: Backup Your Vault (24-Hour Window)
The scam emails themselves create a sense of urgency by explaining that, due to scheduled maintenance, a backup is recommended. If you’ve used a password manager before, you know how important it is to have your passwords backed up just in case you’re unable to access them, which helps make this campaign appear more legitimate. However, as the company explains in its blog post: “Please be advised that LastPass is NOT asking customers to back up their vaults in the next 24 hours.”
Still, a late-night email sent after a long holiday weekend is enough to convince some people to take action, and that’s just what the hackers who launched this attack are hoping. Towards the bottom of these emails, there’s a button that reads “Create Backup Now.”
Instead of actually creating a local backup of a LastPass user’s passwords, clicking it takes them to a hacker-created phishing site where their password manager credentials are waiting to be harvested. Fortunately, the phishing site — mail-lastpass[.]com — is now offline according to BleepingComputer.
How to keep your passwords and accounts safe
A password manager exists to keep your logins safe, but the master password that unlocks it is still a password, and it can be phished like any other. That is one reason many companies now let users sign in with a passkey instead.
Unlike a password, a passkey is never typed, so there is nothing for a phishing page to capture and nothing for an attacker to guess or crack. A passkey is a cryptographic key pair: the private key stays on a device you already own, such as your phone, and the service you use it with holds only the public key. When you sign in, the device proves it holds the private key by signing a one-time challenge from the service; the private key itself never leaves the device. Because your browser or phone will only use a passkey for the site (domain) it was registered with, a lookalike domain such as mail-lastpass[.]com cannot trigger it at all, and that origin binding is what makes passkeys resistant to phishing. To get into your account, an attacker would need your physical device plus the PIN or biometric that unlocks it.
If you’re worried about putting all of your passwords in one basket with a password manager, I’d recommend using multiple services or even not using a password manager to store your most critical passwords, like the ones for your banking or financial accounts. Another important thing to remember is to keep your master password safe when using one. Don’t write it down on a Post-it note or save it in a document on your computer. Instead, this is the one password you’ll still need to have memorized to unlock access to the rest of your credentials.
In the campaign detailed above, keeping a level head and not letting your emotions get the best of you is the easiest way to stay safe. When you see an urgent warning in your inbox, it’s easy to let your guard down. However, instead of doing that, you should stop, take a moment and ask yourself if this seems real.
Does this particular company often communicate with you this way? From there, inspect the sender address, the URLs and everything else with a close eye. One good trick is to hover over a link before clicking it to see where it actually points; to be extra careful, copy the link and paste it into a text document so you can read the full address. Pay attention to the domain just before the first slash: the real site is lastpass.com, and a lookalike such as mail-lastpass[.]com is a completely different domain, however official the page looks. When in doubt, skip the link entirely and type the service's address into your browser yourself. If you have already entered your master password on a site like this, change it immediately from the real site and make sure multi-factor authentication is turned on for the account.
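As an added example (this is not code from the article or from LastPass), here is a small Python triage script that applies those checks to a constructed copy of the kind of email described above: it reads the sender's domain, looks for the urgency phrasing taken from the subject lines listed earlier, and compares the registered domain of every link with the real lastpass.com. The sample message, its links and the legitimate-domain list are constructed for the example, and the domain check is deliberately simplified (it keeps the last two labels of a hostname, which is fine for .com but wrong for suffixes such as co.uk; real tooling should use the public suffix list).

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: lastpass.com is the only registered domain
# that legitimate LastPass mail and links use.
LEGIT_DOMAINS = {"lastpass.com"}
BRAND = "lastpass"
# Urgency phrases lifted from the subject lines reported for the campaign.
URGENCY_PHRASES = ("24-hour", "before maintenance", "don't miss", "secure your vault now")

# Constructed sample message, not a real capture. The sender and the link host
# are the indicators the article reports (defanged there, live here so the
# parser has something realistic to chew on).
SAMPLE_EMAIL = """\
From: LastPass Support <support@sr22vegas.com>
To: user@example.com
Subject: Protect Your Passwords: Backup Your Vault (24-Hour Window)
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Due to scheduled maintenance, we recommend you create a backup of your vault.</p>
<p><a href="https://mail-lastpass.com/backup?u=user">Create Backup Now</a></p>
<p>Questions? Visit <a href="https://support.lastpass.com/">our help center</a>.</p>
</body></html>
"""


def registered_domain(host):
    """Collapse a hostname to its registered (eTLD+1) form.

    Simplified: keeps the last two labels, so support.lastpass.com -> lastpass.com
    and mail-lastpass.com stays mail-lastpass.com. Multi-part suffixes
    (co.uk, com.au) would be handled wrongly; use the public suffix list for real work.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_links(html):
    """Return every http(s) URL found in href attributes or as bare text, deduplicated."""
    hrefs = re.findall(r'href=["\']([^"\']+)["\']', html, flags=re.I)
    bare = re.findall(r'https?://[^\s"\'<>]+', html)
    return list(dict.fromkeys(hrefs + bare))


def triage(raw_message):
    """Run the three checks from the article against one raw RFC 822 message.

    Returns a list of human-readable findings; an empty list means nothing was flagged.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Does the sender's registered domain belong to the company?
    sender = parseaddr(msg["From"] or "")[1]
    sender_domain = registered_domain(sender.split("@")[-1]) if "@" in sender else ""
    if sender_domain not in LEGIT_DOMAINS:
        findings.append(f"sender domain {sender_domain!r} is not one of {sorted(LEGIT_DOMAINS)}")

    # 2. Is the subject pushing you to act right now?
    subject = (msg["Subject"] or "").lower()
    hits = [p for p in URGENCY_PHRASES if p in subject]
    if hits:
        findings.append(f"subject uses urgency language: {hits}")

    # 3. Does any link use the brand name on a domain the company does not own?
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    for url in extract_links(content):
        host = urlparse(url).hostname or ""
        domain = registered_domain(host)
        if BRAND in host and domain not in LEGIT_DOMAINS:
            findings.append(f"lookalike link {url} points at domain {domain!r}")

    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the constructed message, the script flags the sr22vegas.com sender, the "24-hour" urgency wording and the mail-lastpass.com link, while leaving the genuine support.lastpass.com link alone because its registered domain is lastpass.com.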
Although the best antivirus software can help protect you against malware and other viruses, in this case, the best identity theft protection is a better investment. With one of these services, you can get your identity back if it’s stolen as well as recover any funds lost to fraud as a result of a hacker gaining access to your credentials and the online accounts they’re associated with.
As one of the biggest players in the password manager business, LastPass has been targeted before and this likely won’t be the last time. As such, it’s up to you to practice good cyber hygiene and always think before you click.
Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.