LastPass would like to alert our customers to a current phishing campaign that began yesterday, December 11th. The phishing emails are coming from the email address “katherine.mhun@ac-creteil[.]fr” with the subject line “LastPass: Required action needed regarding your account.” Technical analysis indicates this campaign is almost certainly from the same threat actors that fraudulently misused our logo and brand earlier this month.

In this most recent attempt, in a first for these threat actors, they are directing victims to the phishing site via a QR code. When scanned, the QR code will take victims to a phishing site hosted at “identity-lastpass[.]su”. We have included an image of the email below for reference.

Please remember that no one at LastPass will ever ask for your master password. We are working to have this domain taken down as soon as possible. Please take the appropriate precautions and, as always, if you have any question about whether an email is legitimate, please submit it to abuse@lastpass.com.

Below are further technical details on this campaign to assist in threat hunting.
Actual phishing site:
https://identity-lastpass[.]su
IP: 85.239.34[.]121
Header information:
From: LastPass <katherine.mhun@ac-creteil.fr>
Subject: LastPass: Required action needed regarding your account
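
The following hunting sketch is an added example, not LastPass tooling. It matches the sender and subject above against raw message headers, and the domain and IP against DNS, proxy or firewall log lines, which is where a link delivered as a QR code image would surface. The function names, the `BRAND_DOMAIN` value (taken from the abuse@lastpass.com address), the display-name check (a generalization beyond the listed indicators) and all sample data are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def refang(s):
    """Undo the [.] defanging used in the advisory."""
    return s.replace("[.]", ".")

# Indicators copied from the advisory above.
SENDER = refang("katherine.mhun@ac-creteil[.]fr")
SUBJECT = "LastPass: Required action needed regarding your account"
DOMAIN = refang("identity-lastpass[.]su")
IP = refang("85.239.34[.]121")
BRAND_DOMAIN = "lastpass.com"  # assumption: taken from abuse@lastpass.com

# Match the host or a subdomain of it, not longer names that only contain it.
DOMAIN_RE = re.compile(r"(?<![\w-])" + re.escape(DOMAIN) + r"(?!\.?[\w-])")
IP_RE = re.compile(r"(?<![\d.])" + re.escape(IP) + r"(?!\.?\d)")

def check_email(raw):
    """Return the reasons a raw RFC 5322 message matches this campaign."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    dom = addr.rpartition("@")[2]
    hits = []
    if addr == SENDER:
        hits.append("sender")
    if " ".join(msg.get("Subject", "").split()).lower() == SUBJECT.lower():
        hits.append("subject")
    # Generalization: brand in the display name, sender outside the brand domain.
    outside = dom != BRAND_DOMAIN and not dom.endswith("." + BRAND_DOMAIN)
    if "lastpass" in name.lower() and outside:
        hits.append("display-name-mismatch")
    return hits

def check_netlog(line):
    """Return the network indicators present in one log line (defanged or not)."""
    text = refang(line).lower()
    return [k for k, rx in (("domain", DOMAIN_RE), ("ip", IP_RE)) if rx.search(text)]

# Constructed sample data, not real telemetry.
SAMPLE_EMAIL = ("From: LastPass <katherine.mhun@ac-creteil.fr>\n"
                "Subject: LastPass: Required action needed regarding your account\n"
                "\n(body with QR code image omitted)\n")
SAMPLE_LOGS = [
    "Dec 12 09:14:02 proxy01 10.0.0.5 GET https://identity-lastpass.su/ 200",
    "Dec 12 09:15:40 fw01 ALLOW src=10.0.0.5 dst=85.239.34.121:443",
    "Dec 12 09:16:03 proxy01 10.0.0.7 GET https://identity-lastpass.su.example.net/ 200",
]
```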