
How to avoid the latest LastPass Phishing Attack

Sean Cassidy discovered recently that the popular password manager LastPass is vulnerable to a phishing attack that takes advantage of the way the browser extension displays messages to its users.

The method he describes on his blog works in Google Chrome, and to a degree in Firefox as well.

The main difference between the two browsers is that the fake messages an attack site displays to Chrome users look identical to the message the LastPass extension itself would display, while in Firefox the imitation is not an exact match.

So how does the phishing attack work?

LastPass displays its messages inside the browser's viewport, the same area of the window that any open website controls. A web page can therefore draw a pixel-perfect copy of a LastPass notification, and the user has no visual cue that distinguishes the copy from the real thing.

[Image: fake LastPass notification; screenshot by Sean Cassidy]

A malicious site first checks that the LastPass extension is installed and then draws a copy of the LastPass notification. According to Cassidy, the site could even log the user out of LastPass before displaying the message, so that a login prompt appears expected rather than suspicious.

The fake message asks the user to enter their username and password and, if two-factor authentication is enabled, the second-factor code as well.

With that information the attacker can sign in to the victim's vault and read every account login, note and other piece of sensitive data stored in it.

Have you been hacked?

[Image: LastPass account history page]

You can verify who has accessed your account on the Account History page, which lists all recent logins.

Do the following to get there:

  1. Click on the LastPass Icon.
  2. Select My LastPass Vault.
  3. In the left-menu that opens, select Tools > View History.

Each event is listed with a date, the IP address the login came from, the reverse DNS name of that address, and the method used for the access (for instance the browser extension or the website). Look for logins from addresses, hostnames or methods you do not recognize, especially around the time you last saw an unexpected login prompt.
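Reviewing a long history by eye is error-prone, so here is a small triage script that flags logins from outside networks you trust, with a login method you do not use, or with no reverse DNS name. This is an added example, not code from the article or from LastPass: the comma-separated row format (date, IP address, reverse DNS name, method), the sample rows, and the trusted networks and methods are all constructed for the demo, and the real LastPass export may use different columns.

```python
"""Flag suspicious entries in a password-manager login history.

Added example, not from the article or from LastPass. The row format
(date, IP address, reverse DNS name, login method) and all sample data
below are constructed for this demo; adapt parse_history() to the
columns of a real export.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed sample history (documentation IP ranges, not real data).
SAMPLE_HISTORY = """\
2016-01-15 08:02:11,203.0.113.10,home.example.net,Chrome Extension
2016-01-15 12:40:03,203.0.113.10,home.example.net,Chrome Extension
2016-01-16 03:15:47,198.51.100.77,unknown,Website
2016-01-16 09:00:00,192.0.2.25,office.example.com,Firefox Extension
"""

# Networks the account owner recognizes (assumption for the demo).
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("192.0.2.0/24")]
# Login methods the owner actually uses (assumption for the demo).
EXPECTED_METHODS = {"Chrome Extension", "Firefox Extension"}


@dataclass
class LoginEvent:
    when: datetime
    ip: str
    dns: str
    method: str


def parse_history(text: str) -> List[LoginEvent]:
    """Parse one event per non-empty line of the constructed CSV format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, ip, dns, method = line.split(",", 3)
        events.append(LoginEvent(datetime.strptime(date, "%Y-%m-%d %H:%M:%S"),
                                 ip, dns, method))
    return events


def suspicious_events(events: List[LoginEvent],
                      trusted_networks=TRUSTED_NETWORKS,
                      expected_methods=EXPECTED_METHODS
                      ) -> List[Tuple[LoginEvent, List[str]]]:
    """Return (event, reasons) pairs for logins that merit a closer look."""
    flagged = []
    for ev in events:
        reasons = []
        addr = ip_address(ev.ip)
        if not any(addr in net for net in trusted_networks):
            reasons.append(f"IP {ev.ip} is outside the trusted networks")
        if ev.method not in expected_methods:
            reasons.append(f"unexpected login method '{ev.method}'")
        if ev.dns == "unknown":
            reasons.append("no reverse DNS name for the source address")
        if reasons:
            flagged.append((ev, reasons))
    return flagged


if __name__ == "__main__":
    for ev, reasons in suspicious_events(parse_history(SAMPLE_HISTORY)):
        print(f"{ev.when} {ev.ip} ({ev.dns}) via {ev.method}")
        for reason in reasons:
            print(f"  - {reason}")
```

A stolen-credential login typically comes from an address and a method you never use, so the third sample row is flagged on all three criteria; the script is a starting point for checking your own export, not a verdict.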

How to prevent getting hacked

LastPass is working on a fix, according to Sean Cassidy, who disclosed the issue to the company last year.

Until that fix ships, the attack can still be spotted fairly easily:

  1. If you are using Firefox and a LastPass login window appears, try to switch to another tab. The genuine LastPass prompt in Firefox is a separate browser dialog that blocks the rest of the window; if you can switch tabs while the prompt is still up, it was drawn by the web page and is a fake.
  2. If you are using Google Chrome, check the address bar before you type anything: the genuine login page is served by the extension itself, so its URL starts with chrome-extension://. A website cannot use that scheme, so a prompt that appears inside a page with an http:// or https:// address is a fake.

Generally speaking, you may want to sign in on the LastPass website directly, by typing its address into the address bar yourself, rather than through a login prompt that appears while you browse. Once you are signed in on the site, the extension picks up the session so that you can use its functionality as well.

Now You: How do you sign in to LastPass or other online password managers?


This article was first seen on ComTek's "TekBits" Technology News
