好的,我现在需要帮用户总结这篇文章的内容。用户的要求是用中文,控制在100字以内,不需要特定的开头,直接描述文章内容。 首先,我通读了整篇文章。文章主要讲的是LastPass警告用户注意一个新的钓鱼活动。攻击者发送伪造的安全警报邮件,声称用户的账户未经授权访问或密码被更改,目的是诱骗用户提供主密码。 接下来,我需要提取关键信息:LastPass警告、钓鱼邮件、伪造警报、获取主密码、显示名称欺骗、隐藏真实发件人、诱导点击链接到假SSO页面、LastPass不会索要主密码、提醒用户保持警惕并报告可疑邮件。 然后,我要把这些信息浓缩到100字以内。确保涵盖主要点:警告内容、攻击手段、诱骗方式、后果以及建议措施。 最后,组织语言,确保流畅自然,并且符合用户的要求。 </think> LastPass警告用户注意新的钓鱼活动,攻击者通过伪造安全警报邮件,声称未经授权访问或密码更改,诱骗用户提供主密码。这些邮件使用显示名称欺骗技术隐藏真实发件人地址,并诱导用户点击链接至假SSO页面以窃取凭证。LastPass提醒用户其不会索要主密码,并建议保持警惕并报告可疑邮件。 2026-3-4 15:7:10 Author: securityaffairs.com(查看原文) 阅读量:4 收藏
LastPass warns of spoofed alerts aimed at stealing master passwords
LastPass warns of a phishing campaign using fake security alerts about unauthorized access or password changes to steal users’ master passwords.
LastPass has warned users about a new phishing campaign using fake security alerts that claim unauthorized access or master password changes. The emails, which spoof LastPass’s display name, attempt to trick recipients into revealing their master password and compromising their accounts.
LastPass TIME team has alerted customers about an active phishing campaign that began around March 1, 2026. The emails, sent from multiple addresses with varying subject lines, are designed to look like forwarded internal messages about unauthorized account access in order to deceive recipients.
LastPass warned that attackers are forwarding fake email threads to make it seem someone is trying to export a vault, recover an account, or register a new device.
Using display name spoofing, they impersonate LastPass while hiding unrelated sender addresses. The emails urge users to click links that lead to a fake SSO page at verify-lastpass[.]com to steal credentials.
“The attacker relies on the fact that many email clients (especially mobile) show only the display name, hiding the real sender address unless you expand it.” reads the alert published by LastPass. “The emails instruct targets to take some type of action (i.e., report suspicious activity, disconnect and lock vault, revoke device, etc.) if something looks off via provided links; these links then direct targets to fake SSO login pages via https[:]//verify-lastpass[.]com as the primary URL to collect users’ credentials (see below).”
LastPass reminds users it will never ask for their master password and is working with partners to take down the phishing sites. Customers are urged to stay cautious and report suspicious LastPass-branded emails to [email protected] to help protect the community.
The advisory provides indicators of compromise (IoCs), including the malicious URLs and related IP addresses.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, phishing)
如有侵权请联系:admin#unsafe.sh