IF YOU USE LASTPASS, PLEASE READ THIS EMAIL!
Even if you don’t use LastPass, there are valuable lessons here in this article on online security that might potentially save you untold grief in the future.
Over the weekend I received an email that could have cost me the keys to the kingdom. By that, I mean giving a hacker every password I have! And I have literally hundreds of different passwords.
Here’s the email I received:
On the surface this looks pretty legit! It says it’s coming from Lastpass. But when I click on the name “Lastpass” I see that the underlying email address is email@example.com.
This might fool a lot of people. If you don’t look closely enough you might just see the tail end of the address, which is ‘lastpass.com’. But the part in front of that is important too. The real domain here is ‘security-lastpass.com’, and a hyphen does not make it a subdomain of lastpass.com.
The email is asking me to confirm some information and it introduces an element of fear by telling me that certain features of my LastPass account will be deactivated unless I log in before June 16, 2022.
This is actually a smart move on the part of the scammers. They are creating a sense of panic in the person they want to scam, and when you are in that state, your higher-level cerebral cortex tends to shut down and your lower-level reptilian brain takes over and initiates a ‘fight or flight’ response. In essence, it inhibits your ability to think. And this of course is what the scammer wants! He wants you to CLICK THAT RED BUTTON, which in this case says ‘Confirm my information’.
Right-clicking on the button allowed me to copy the link, and I pasted that into a browser to have a look at it.
Here’s the link: https://customer-lastpass.com/verify/cgdnd3Mtd2l6EAMYADIFCAAQgAQyBQgAEIAEMgYIABAeEBYyBggAEB4QFjIGCAAQHhAWMgYIABAeEBYyBggAEB4QFjIGCAAQHhAWMgYIABAeEBYyBggAEB4QFjoECAAQR0oECEEYAEoECEYYAFCkAVjjGWCwIWgAcAJ4AIABmgOIAdEPkgEHMi01LjEuMZgBAKABAcgBCMABAQ
You can see that it is taking me to the domain ‘customer-lastpass.com’. This is NOT LastPass’s domain! The only thing that counts is the name immediately to the left of the first single slash, read right to left: the domain that actually owns the page is the last two labels there, and ‘customer-lastpass.com’ is a completely different registered domain from ‘lastpass.com’.
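The two checks the post does by eye (the real domain behind the sender address, and the real host behind the link) can be written down as a small script. This is an added example, not part of the original post or of any LastPass tooling; the sample URLs and sender addresses are constructed, modelled on the two look-alike domains in the email.

```python
"""Decide whether a link or a From address really belongs to an expected domain.

A host that merely *ends* in "lastpass.com" is not the lastpass.com domain:
a genuine subdomain sits to the left of a dot ("www.lastpass.com"), never a
hyphen ("customer-lastpass.com"), and never with more labels to its right
("lastpass.com.evil.example").
"""
from email.utils import parseaddr
from urllib.parse import urlsplit


def host_of_url(url: str) -> str:
    """Return the lowercase host of a URL, ignoring any 'user@' prefix."""
    # .hostname strips userinfo, so "https://lastpass.com@evil.example/"
    # correctly resolves to evil.example rather than lastpass.com.
    return (urlsplit(url).hostname or "").lower()


def domain_of_sender(from_header: str) -> str:
    """Return the lowercase domain of the real address in a From header.

    parseaddr() separates the display name ("LastPass") from the address,
    which is exactly the distinction the phishing email relies on hiding.
    """
    _display_name, address = parseaddr(from_header)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def belongs_to(host: str, expected_domain: str) -> bool:
    """True only if host is expected_domain itself or a dot-separated subdomain of it."""
    host = host.lower().rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def check_link(url: str, expected_domain: str = "lastpass.com") -> bool:
    return belongs_to(host_of_url(url), expected_domain)


def check_sender(from_header: str, expected_domain: str = "lastpass.com") -> bool:
    return belongs_to(domain_of_sender(from_header), expected_domain)


if __name__ == "__main__":
    # Constructed samples: one genuine, the rest look-alikes of the kind in the post.
    samples = [
        "https://www.lastpass.com/login",
        "https://customer-lastpass.com/verify/TOKEN",    # hyphen, not a dot
        "https://lastpass.com.evil.example/login",       # real domain is on the right
        "https://lastpass.com@evil.example/login",       # "user@" trick
    ]
    for url in samples:
        print(f"{url:48} -> {'lastpass.com' if check_link(url) else 'NOT lastpass.com'}")
    print(check_sender("LastPass <noreply@security-lastpass.com>"))  # False
```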
There are a few other clues in this email. In the “Tips for getting started” section (which the hacker includes to add a measure of credibility to his email), there are three items, each with a link. One is “Install browser extension”, the second is “How to add a password” and the third is “Learn about autofill”. The hacker, though, failed to actually provide any real links: if you click on the blue link text it doesn’t go anywhere! So this is another clue that this email is not legit.
The link, by the way, takes you to a login screen that looks very much like LastPass’s login screen.
If you enter your credentials, you would be giving the hacker access to your LastPass account and EVERY PASSWORD YOU HAVE STORED IN LASTPASS! This is literally the keys to the kingdom!
THE NUMBER ONE RULE FOR EMAIL ONLINE SECURITY
Let’s call this the number one rule for online security:
IF YOU GET AN EMAIL THAT ASKS YOU TO CLICK ON A LINK AND WHERE YOU GO TO ASKS YOU TO ENTER YOUR LOGIN CREDENTIALS, DON’T DO IT!
Instead, if you actually think it’s legit, go to the website yourself by opening your browser and use a bookmark or search for the site.
THE NUMBER TWO RULE FOR ONLINE SECURITY
USE TWO-FACTOR AUTHENTICATION wherever possible.
That way, even if your password is compromised, the two-factor authentication should save you: the attacker has your password but not the second factor, so the login still fails.
If you don’t know what two-factor authentication is, take the time to learn. Google it. You’ll find lots of articles and videos that will show you how to set it up.
THE NUMBER THREE RULE FOR ONLINE SECURITY
Use a good password manager.
LastPass is an excellent password manager. There are other good ones as well. Pick one and use it. Yes, there is a bit of a learning curve. Take the time to do it! In the end, you will be more efficient because you won’t be entering user credentials manually, and you will be far more secure because you won’t be reusing passwords and you will use long passwords (35 characters or more) with upper and lower case letters, numbers and symbols. A password manager also fills in credentials only on the site they were saved for, so it will not offer your LastPass password on a look-alike domain.
THE WILD, WILD WEST
Phishing scams and the websites they take you to are getting more sophisticated all the time. Often they target organizations and know the names of key people such as the president of the organization or the treasurer. They concoct convincing stories pretending to be key people in your organization and usually end up asking for money to be sent from one person to another (often in the form of gift cards) because of some emergency situation. You might be surprised to hear how many people are taken in by these scams. Again, there are two key reasons:
1. The scammers appear to be legit.
2. They create a sense of urgency and fear which overrides the victim’s ability to think clearly in the limited amount of time they believe they have.
The internet is truly the wild, wild west. You need to be appropriately ARMED and wary! You have to know what you are doing. As we discussed above, you need to understand how to use a good password manager and you need to know enough not to click on malicious links or enter information on the websites these links take you to.
Be careful with downloaded files. These can contain viruses or other malware. When in doubt, check downloaded files with an online virus checker such as VirusTotal.
It also helps to know how to read a website address (called a URL): find the host name between the ‘https://’ and the next slash, and check that the part at its right-hand end, separated by a dot, is the domain you expect.
Ignorance of these things won’t get you killed but you do run the risk of significant financial loss or even loss of identity. A hacker who has access to your accounts could do all kinds of malicious things while pretending to be you!
Take the time to learn how to protect yourself!