
LastPass issues ‘Are You Dead?’ master password hacking threat warning.


While your email account password is a primary target for hackers, as Gmail users will be only too aware, with certain email attacks surging as a result, there’s only one password that can truly claim to hold the keys to your online kingdom. Yes, we are talking about your password manager master password. No wonder, then, that hackers will try anything to relieve you of it. LastPass, as one of the most popular password managers, is no stranger to these attempts. I’ve already reported how, oh the irony, an email claiming that LastPass accounts had been hacked was being used in one such phishing campaign. Now, LastPass itself has issued a warning to all users as it has identified an ongoing attack that exploits the password manager inheritance process, which exists to allow family members to access legacy user vaults. Here’s what you need to know about the ‘Are You Dead?’ LastPass master password threat.

The ‘Are You Dead?’ LastPass Master Password Threat Explained

As phishing lures go, asking a potential victim of a password hacking attack if they are dead would seem, at least on the surface, to be rather more ridiculous than most. However, the devil is always in the details. First, there’s the fact that the email itself appears for all intents and purposes to come from a LastPass alerts email address. Then, there’s the wording, which is cleverly constructed to grab your attention, perhaps because it is so bizarre. The subject line of “Legacy Request Opened (URGENT IF YOU ARE NOT DECEASED)” instills the necessary urgency, albeit the block capitals used should be a red flag, as no genuine organization would likely adopt such formatting. Then, the message body itself begins with: “A death certificate was uploaded by a family member to regain access to the LastPass account XXXXXXXXXXXXX.”

“The email goes on to include a statement that a live case has been opened and includes fabricated information regarding a supposed agent assigned to the case,” LastPass warned users, “including an agent ID number, the date the case opened, and the case priority, all of which are false.”


There is, as there always is, a link to be clicked. In this case, it directs the potential victim to what purports to be a cancellation request, but is actually intended to hack credentials by asking for the LastPass master password. The attackers even remind the victim never to share their master password with anyone as security is important. Yet, as LastPass has confirmed, “no one at LastPass will ever ask for your master password.”

LastPass has advised users to forward any such emails to abuse@lastpass.com and warned that it is also aware of the attackers using telephone calls; details of the latter can also be sent in an email to abuse@lastpass.com.