An ongoing phishing campaign is targeting users of popular password managers LastPass and Bitwarden. The scam involves fake emails that claim the companies have been hacked, creating a false sense of urgency and prompting recipients to take action. These well-crafted messages, which appear to come from legitimate-looking blog domains, trick users into downloading what’s advertised as a new, more secure desktop version of the password manager. However, the downloaded file is a malicious program that gives attackers remote control over the user’s computer.
The malicious binary installs a program called Syncro, a remote monitoring and management tool commonly used by IT service providers. The attackers then use this program to deploy additional remote access software called ScreenConnect. This setup allows the threat actors to gain full control over the compromised device. LastPass has officially confirmed that it has not suffered a security incident and that these emails are simply a social engineering tactic designed to deceive users. The company noted that the campaign likely began over a holiday weekend to take advantage of reduced staffing and delay detection.
The fake security alerts are particularly convincing, claiming that “outdated .exe installations” of the password manager have weaknesses that could allow unauthorized access to cached vault information. The messages urge recipients to install a new, more secure client app to protect their data. LastPass has warned users that the phishing emails are coming from specific domains, such as lastpasspulse.blog and lastpasjournal.blog, and that they should be immediately deleted.
Bitwarden users are also being targeted by this campaign with emails that share the same tone and misleading claims. These messages, which come from domains like bitwardenbroadcast.blog, use the same lure to convince users to download the fake desktop application. The goal is to make victims believe a security incident has occurred and that they must take immediate steps to secure their data by installing the malicious software.
Thankfully, some measures are already in place to combat this campaign. Cloudflare, a major web security company, is actively blocking access to the fraudulent landing pages linked in these phishing emails and flagging them as phishing attempts. This action helps to protect users who might accidentally click on the malicious links, preventing them from downloading the harmful software and having their devices compromised.
Reference:
