Phishing Campaign involving LastPass
With safety in mind, McMaster IT Security Services is notifying our community about a recent phishing campaign related to LastPass (https://www.lastpass.com/), a popular password management service that creates and stores unique, secure passwords for user accounts on websites across the Internet. LastPass is not a McMaster University service.
What happened?
A sophisticated phishing campaign targeting LastPass users has been identified, involving deceptive SMS messages, phone calls, and phishing websites. The latest URL used by the threat actors is “tickets-lastpass[.]com”; they previously used “help-lastpass[.]com”.
Key Details:
- Communication Tactics: Victims receive phone calls or texts claiming their LastPass account was accessed from a new device. Calls may instruct the recipient to press numbers to take action, leading to more phishing attempts.
- Phishing Sites: The campaign uses fake sites like “tickets-lastpass[.]com” that mimic legitimate LastPass login pages in order to steal credentials.
- Method of Attack: Victims receive a call from an 888 number, followed by a second call from a spoofed number. They are then directed to phishing sites through emails containing shortened URLs.
Immediate Actions to Take:
- Verify Communication: Hang up on unsolicited calls claiming to be from LastPass, especially those instructing action regarding account security.
- Report Suspicious Activity: Forward suspicious emails to abuse@lastpass.com, and send screenshots of phishing texts to the same address.
- Do Not Share Personal Information: Remember, LastPass will never ask for your master password.
Further Guidance:
- Stay vigilant for emails with the subject line “We’re here for you” from LastPass Support showing an incomplete email address (e.g., support@lastpass without “.com”).
- Visit LastPass’s security advice pages for tips on protecting yourself from social engineering attacks.
- Report suspicious LastPass emails to is-spam@mcmaster.ca and abuse@lastpass.com.
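For anyone triaging reported messages, the indicators in this notice (the two campaign domains, the subject line, the incomplete sender address and shortened links) can be checked together. The Python below is an added example, not part of the original notice or of any McMaster or LastPass tooling; the function names, the shortener list, the allow-list that treats only lastpass.com as legitimate, and the sample messages are assumptions made for illustration. It goes slightly beyond the notice by also flagging other hosts that contain "lastpass" but are not under lastpass.com.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the notice (defanged there, refanged for matching).
CAMPAIGN_DOMAINS = {"tickets-lastpass.com", "help-lastpass.com"}
CAMPAIGN_SUBJECT = "we're here for you"
# Assumption: lastpass.com is the only domain treated as legitimate here.
LEGIT_DOMAINS = {"lastpass.com"}
# Assumption: a small sample of link shorteners; extend for your environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URL_RE = re.compile(r"https?://[^\s<>\"'\[\]]+", re.IGNORECASE)


def _under(host, domains):
    """True if host equals, or is a subdomain of, any entry in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def check_message(sender, subject, body):
    """Return the sorted list of indicators from the notice that a message matches."""
    hits = set()
    # Sender shown with an incomplete address, e.g. support@lastpass
    domain = sender.rsplit("@", 1)[-1].strip(" >").lower()
    if "@" in sender and "lastpass" in domain and "." not in domain:
        hits.add("incomplete-sender-address")
    # Normalise the typographic apostrophe before comparing subjects.
    if CAMPAIGN_SUBJECT in subject.replace("\u2019", "'").lower():
        hits.add("campaign-subject")
    # Accept defanged links ("[.]") as they appear in forwarded reports.
    for url in URL_RE.findall(body.replace("[.]", ".")):
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if _under(host, CAMPAIGN_DOMAINS):
            hits.add("campaign-domain")
        elif "lastpass" in host and not _under(host, LEGIT_DOMAINS):
            hits.add("lookalike-domain")
        elif _under(host, SHORTENERS):
            hits.add("shortened-url")
    return sorted(hits)


# Constructed sample messages, not real captures.
SAMPLES = [
    ("LastPass Support <support@lastpass>", "We\u2019re here for you",
     "Review the new device: https://bit.ly/EXAMPLE"),
    ("LastPass <no-reply@lastpass.com>", "Your monthly security report",
     "Open your vault at https://www.lastpass.com/"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s[0], "->", check_message(*s))
```

A message with any hit is a candidate for reporting through the addresses above; an empty result does not mean a message is safe.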
For more information:
Phish Bowl