
Watch out, this LastPass email with "Important information about your account" is a phish


RV_


In short, the LastPass breach netted the criminals your emails and other info and access to the vaults. The new threat is they cannot crack the vaults for all your passwords easily unless they can fool you. Since they have your email address if you were a customer during the breach, it is a testament that even though they have your vaults they cannot access those.

But they have your password, thus the phishing emails now going out to fool you into giving them your code.

Excerpt:

"The consequences of last year's LastPass breach continue to be felt, with the latest insult to users coming in the form of a highly convincing phishing email.

Although the "unauthorized party" that compromised LastPass users' data was able to steal password vaults, it's likely that they are having a hard time cracking them open. LastPass's own assessment was that "it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices."

Brute force guessing techniques may be successful for some weak passwords, but it's an approach that quickly runs out of steam. The frequency with which passwords are uncovered diminishes exponentially, and the cost per password increases in the same way. So while some passwords will be so strong they are effectively uncrackable, many weaker ones are likely to be safe simply because they're too costly to uncover.

However, there is another, far easier way for criminals to get at LastPass users' passwords, without cracking them: They can simply ask.

They can do this because alongside the password vaults that were stolen, criminals also made off with customers' email addresses, as well as "basic customer account information", company names, end-user names, billing addresses, telephone numbers, and IP addresses.

Armed with this data, attackers can send targeted phishing emails that attempt to steal the passwords needed to unlock the stolen password vaults.

The LastPass phishing email we received was convincing, familiar, and executed with high production values. However, as convincing as it was, the email could not avoid the two red flags that allow anyone to spot almost any scam: A demand for personal information and an attempt to hurry the victim.

The email lure tells users to verify their personal data or face deactivation of "certain features" on 26 September.

[Image: LastPass phishing email]

The full email reads:

Verification of your personal data

Warning: Some of your contact information is out of date, it must be verified in order to maintain full access to your LastPass account.

LastPass is based on two fundamentaI principIes: the security and confidentiaIity of your personaI data. For us, data security is paramount. LastPass takes payment security and the trust our customers pIace in us very seriousIy. When you use LastPass , we make every effort to protect your personaI information and that reIated to your payments.

To avoid the deactivation of certain features of your LastPass account, log in before September 26, 2023 to confirm your account information.

Although we spotted quickly that the "From" address of the email was registered in Thailand and didn't appear to be related to LastPass, we suspect many won't. Unfortunately, the old advice to watch out for strange addresses, complicated URLs, and to not click on links is being undermined by a vast army of legitimate companies using mailing systems that do all three.

The email's 'Confirm my information' link uses a complicated URL format that likely contains a unique ID, which redirects to the phishing site itself. Like the email, the site is an almost pixel-perfect copy of the real thing. (The only giveaways in the design were 'Create an account' and 'Forgot password' buttons that don't do anything.)

Again, while some users might be put off by the Slovakian domain name, it looks neat enough and somewhat official.

[Image: LastPass phishing page asks for username and password]

Filling in the username and password causes the page to reload, this time with a request for a two-factor authentication (2FA) code—allowing us to remind you once again that while code-based 2FA is a solid defence against all kinds of password attacks, it is no defence against phishing. (For that you need 2FA based on FIDO2, such as hardware keys.)

[Image: LastPass phishing page asks for username, password, and 2FA code]

Having fed the criminals some useless information, we checked the site's Slovakian domain name and discovered that it had been created just a few days before on September 2, 2023, via the Russian registrar webnames.ru—a veritable bunting of fluttering red flags.

[Image: Whois record for the LastPass phishing site showing the domain was created 2023-09-02]

Thankfully, while this phish was convincing and difficult to spot, our standard phishing advice still applies, and would have kept you safe.

Source with more related links:

https://www.malwarebytes.com/blog/news/2023/09/nasty-lastpass-phish?utm_source=blueshift&utm_medium=email&utm_campaign=b2c_pro_oth_20230918_septemberweeklynewsletter_v3_169473576028&utm_content=Last_Pass

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire
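The quoted article lists the tells a reader can check by hand: a sender domain unrelated to the brand, a link to a lookalike domain, a deadline paired with a request to "verify" or log in, and a link domain registered only days before the email arrived. The phish text it reproduces also swaps capital I for lowercase l in words like "principIes", a common trick for slipping past keyword filters. The script below is an added example (not from the Malwarebytes article or the forum post) that scores a message against those same red flags. The email, the WHOIS excerpt, and every domain in it are constructed placeholders, and the WHOIS text is a hand-written excerpt rather than a live lookup.

```python
"""Heuristic red-flag scoring for a brand-impersonation email.

Added example. The sample message and WHOIS excerpt are constructed and the
domains are placeholders; nothing here is taken from the real phishing campaign.
"""
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample modeled on the lure described in the article (placeholder domains).
SAMPLE_EMAIL = """\
From: LastPass <support@example-sender.th>
To: customer@example.com
Subject: Important information about your account
Date: Mon, 18 Sep 2023 09:00:00 +0000
Content-Type: text/plain

Warning: Some of your contact information is out of date, it must be verified
in order to maintain full access to your LastPass account.
LastPass is based on two fundamentaI principIes: the security and
confidentiaIity of your personaI data.
To avoid the deactivation of certain features, log in before September 26, 2023
to confirm your account information: https://lastpass-verify.example.sk/confirm?id=abc123
"""

# Constructed WHOIS excerpt for the link's domain (field names mimic common registrar output).
SAMPLE_WHOIS = """\
Domain Name: lastpass-verify.example.sk
Creation Date: 2023-09-02T10:15:00Z
Registrar: placeholder-registrar.example
"""

LEGIT_DOMAINS = {"lastpass.com"}          # assumption: the only domain the real brand mails from
URL_RE = re.compile(r"https?://[^\s<>\"']+")
URGENCY_RE = re.compile(r"\b(before \w+ \d{1,2}|deactivat\w*|suspend\w*|immediately|within 24 hours)\b", re.I)
CRED_RE = re.compile(r"\b(verif\w*|confirm your account|log in|sign in)\b", re.I)
# A run of lowercase letters followed by a capital I inside the same word: "principIes".
HOMOGLYPH_RE = re.compile(r"\b[a-z]+I[a-zA-Z]*\b")


def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Real code should consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def homoglyph_words(text: str) -> list[str]:
    """Words where a capital I sits where a lowercase l belongs."""
    return HOMOGLYPH_RE.findall(text)


def whois_creation_date(whois_text: str):
    """Pull the creation date out of a WHOIS record; None if absent."""
    m = re.search(r"Creation Date:\s*(\d{4}-\d{2}-\d{2})", whois_text)
    return date.fromisoformat(m.group(1)) if m else None


def analyze(raw_email: str, whois_text: str) -> dict:
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    sent = parsedate_to_datetime(msg["Date"]).date()
    flags = []

    # 1. Sender domain versus the brand's real domain.
    _, addr = parseaddr(msg["From"])
    sender_dom = registered_domain(addr.split("@")[-1])
    if sender_dom not in LEGIT_DOMAINS:
        flags.append(f"sender domain '{sender_dom}' is not a known LastPass domain")

    # 2. Every link host versus the brand's real domain, plus brand name in a lookalike host.
    link_domains = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        dom = registered_domain(host)
        link_domains.append(dom)
        if dom not in LEGIT_DOMAINS:
            flags.append(f"link host '{host}' belongs to '{dom}', not LastPass")
            if "lastpass" in host:
                flags.append(f"brand name embedded in lookalike host '{host}'")

    # 3. Filter-evading homoglyphs in the body text.
    words = homoglyph_words(body)
    if words:
        flags.append(f"capital-I-for-l homoglyphs in words: {sorted(set(words))}")

    # 4. The two universal tells: a deadline plus a demand for personal information.
    if URGENCY_RE.search(body) and CRED_RE.search(body):
        flags.append("urgency deadline combined with a request to log in / verify data")

    # 5. Domain age relative to the message date.
    age_days = None
    created = whois_creation_date(whois_text)
    if created is not None:
        age_days = (sent - created).days
        if age_days < 30:
            flags.append(f"link domain registered only {age_days} days before the email was sent")

    return {"flags": flags, "homoglyph_words": words,
            "domain_age_days": age_days, "link_domains": link_domains}


if __name__ == "__main__":
    for flag in analyze(SAMPLE_EMAIL, SAMPLE_WHOIS)["flags"]:
        print("RED FLAG:", flag)
```

The homoglyph check is the one that most often gets overlooked: a spam filter keyed on "personal data" or "principles" never sees those words because the phisher spelled them with a capital I. Running the script on the constructed sample raises all six flags, and the domain-age check alone (16 days old at send time) would have been enough to quarantine the message.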


Thanks for the information and warning, Derek. I would never see that because I use Microsoft Outlook and have the settings so if the from address is not in my address book it goes directly to spam. Then I click another button and the actual sender is blocked from my Outlook email account.

 

2000 Winnebago Ultimate Freedom USQ40JD, ISC 8.3 Cummins 350, Spartan MM Chassis. USA IN 1SG retired; Good Sam Life member, FMCA. "And so, my fellow Americans: ask not what your country can do for you--ask what you can do for your country." John F. Kennedy, 20 Jan 1961

 
