LastPass has alerted users regarding the delivery of fraudulent security alerts aimed at exfiltrating master passwords as part of a phishing campaign that has been underway since Mar. 1, Security Affairs reports.

Threat actors leveraged different email addresses to send unauthorized access or master password modification emails that include seemingly forwarded messages from LastPass' customer support team in a bid to establish urgency and deceive targets into visiting a bogus SSO page, where their credentials are stolen, according to LastPass.

"The attacker relies on the fact that many email clients (especially mobile) show only the display name, hiding the real sender address unless you expand it," said the alert.

While efforts to shut down the phishing sites leveraged in the scheme are already underway, LastPass has called on users to be wary of emails purporting to be from the firm that ask for their master passwords. Immediate reporting of dubious LastPass-branded emails has also been advised.
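The display-name trick quoted in the alert can be checked on the mail-filtering side. The following is an added example, not code from LastPass or the original report: it parses the `From` header and flags messages whose display name claims the brand while the real address sits outside an allow-list. The allow-list, the function name and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the brand legitimately sends from (not stated in the report).
TRUSTED_DOMAINS = {"lastpass.com"}
BRAND_KEYWORDS = ("lastpass",)


def check_sender(raw_message: str) -> dict:
    """Compare what a display-name-only client shows with the real sender address."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()

    claims_brand = any(k in display.lower() for k in BRAND_KEYWORDS)
    # Exact match or a true subdomain; "lastpass.com.evil.example" must not pass.
    trusted = domain in TRUSTED_DOMAINS or any(
        domain.endswith("." + d) for d in TRUSTED_DOMAINS
    )
    return {
        "display": display,
        "address": address,
        "suspicious": claims_brand and not trusted,
    }


# Constructed sample messages (not taken from the campaign).
SPOOFED = (
    "From: LastPass Support <alerts@mail-notify.example>\n"
    "Subject: Fwd: Master password change requested\n\nbody\n"
)
LOOKALIKE = "From: LastPass <help@lastpass.com.evil.example>\nSubject: x\n\nbody\n"
GENUINE = "From: LastPass <no-reply@lastpass.com>\nSubject: x\n\nbody\n"
UNRELATED = "From: Alice <alice@example.org>\nSubject: lunch\n\nbody\n"

if __name__ == "__main__":
    for sample in (SPOOFED, LOOKALIKE, GENUINE, UNRELATED):
        print(check_sender(sample))
```

A check like this complements, and does not replace, SPF, DKIM and DMARC evaluation, since a forged address on a trusted domain would pass the allow-list.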