Gone Phishin’ (LostPass)

LastPass is the password manager I recommend in my book and to anyone who asks. While there are a handful of good products like it, to me LastPass has a rock-solid security story and all the features anyone could want.

You may have heard last week about a threat to LastPass called “LostPass” on the news. Well, actually, you probably didn’t – the mainstream press doesn’t cover this stuff much. But I’m going to cover it anyway because it demonstrates one of the most troublesome security problems we have today: phishing. Unfortunately, this has nothing to do with a rod and a reel and whistling the theme to The Andy Griffith Show. Phishing is a technique used by scammers to get sensitive information from people by pretending to be someone else – usually via email or a web page (or both). Basically, they trick you into thinking you’re dealing with your bank, a popular web site (PayPal, eBay, Amazon, etc.), or even the government. Sometimes they entice you with good stuff (winning a prize, free stuff, a special opportunity) and sometimes they scare you with bad stuff (freezing your account, reporting you to some authority, or telling you that your account has been hacked). But in all cases, they try to compel you to give up information like passwords or credit card numbers.

Unfortunately, it’s extremely easy to create an exact duplicate of a web page. There’s no reliable way to identify a fake by looking at the page itself. Sometimes you can tell by looking at the web site’s address, but scammers are very good at registering plausible names that look very much like the real one they’re impersonating.

In the case of “LostPass”, a researcher demonstrated that he could act as a “man in the middle” to steal your LastPass email address and master password, even if you use two-factor authentication (which I still strongly recommend). LastPass is a browser plugin that watches what web pages you’re on, and when it detects a login form, it offers to fill in your ID and password. This researcher built a malicious web page that could log you out of LastPass and then display a notice asking you to log back in. But it was not the real LastPass notice! It was a fake, drawn by his web page to look exactly like the plugin’s own. So you would enter your email address and master password into the fake, and it would store this juicy info. It now had the keys to the kingdom: access to your entire LastPass vault, with all your passwords, secure notes and credit cards!

To keep you from getting suspicious, the attacker’s server would then turn around and log into LastPass with the email and password you had just given it. That’s the “man in the middle” part: to you, it pretends to be LastPass; to LastPass, it pretends to be you. If you had two-factor authentication turned on, it still did you no good. LastPass would respond to the attacker’s login attempt by asking for the two-factor code, the fake page would turn around and ask you for that code, and the attacker would forward whatever you typed, again placing itself in the middle. The code you typed was real and correct; it was simply being used to complete the attacker’s login rather than yours.
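To make the “man in the middle” flow concrete, here is an offline simulation of the exchange described above. This is an added example, not the researcher’s code and not LastPass’s real login API; the service, its responses and the account data are all constructed stand-ins, and the one-time code is a toy stand-in for a real authenticator app. The point it shows is that the relay never has to defeat the second factor: it just asks you for the code and forwards it.

```python
"""Simulation of a credential-relay phishing attack against a login with 2FA.

Added example. VaultService is a hypothetical stand-in for the real
service's login endpoint; PhishingRelay is the backend behind a fake
login dialog. Nothing here is the researcher's or LastPass's code.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def otp_for(secret: bytes, step: int) -> str:
    """Toy time-based code: six digits from HMAC(secret, time step).

    Stands in for the authenticator app (a real one follows RFC 6238);
    it only needs to be deterministic for the demo.
    """
    mac = hmac.new(secret, step.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"


class VaultService:
    """Hypothetical login endpoint of the password-manager service."""

    def __init__(self, users: dict, step: int):
        self.users = users      # email -> {"password": str, "totp_secret": bytes | None}
        self.step = step        # "current time step", shared with the victim's authenticator
        self.sessions = {}      # session token -> email

    def login(self, email: str, password: str, otp: Optional[str] = None) -> dict:
        rec = self.users.get(email)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return {"status": "bad_credentials"}
        if rec["totp_secret"] is not None:
            if otp is None:
                return {"status": "otp_required"}   # the real dialog would now ask for the code
            if not hmac.compare_digest(otp_for(rec["totp_secret"], self.step), otp):
                return {"status": "bad_otp"}
        token = secrets.token_hex(16)
        self.sessions[token] = email
        return {"status": "ok", "session": token}


class PhishingRelay:
    """Backend of the fake login dialog.

    To the victim it looks like the service; to the service it looks like
    the victim. Every value typed into the fake dialog is stored and then
    replayed to the real login endpoint, so the victim's 2FA code completes
    the attacker's login instead of the victim's.
    """

    def __init__(self, service: VaultService):
        self.service = service
        self.captured = {}
        self.stolen_session = None

    def fake_login_submit(self, email: str, password: str) -> str:
        """Victim typed email + master password into the fake dialog."""
        self.captured.update(email=email, password=password)
        resp = self.service.login(email, password)
        if resp["status"] == "otp_required":
            return "fake_otp_prompt"        # mirror the real flow so nothing looks odd
        return self._finish(resp)

    def fake_otp_submit(self, otp: str) -> str:
        """Victim typed the code from their authenticator into the fake prompt."""
        self.captured["otp"] = otp
        resp = self.service.login(self.captured["email"], self.captured["password"], otp)
        return self._finish(resp)

    def _finish(self, resp: dict) -> str:
        if resp["status"] == "ok":
            self.stolen_session = resp["session"]
            return "redirect_to_real_site"  # victim lands on the genuine site, none the wiser
        return "fake_error_try_again"


def run_attack(step: int = 1234):
    """Play the whole exchange for one victim with 2FA enabled (constructed data)."""
    secret = b"victim-totp-secret"
    service = VaultService(
        {"alice@example.com": {"password": "correct horse", "totp_secret": secret}},
        step=step,
    )
    relay = PhishingRelay(service)

    screen = relay.fake_login_submit("alice@example.com", "correct horse")
    if screen == "fake_otp_prompt":
        # The victim reads the code off the authenticator app. The relay never
        # learns the secret; it only needs the code the victim types.
        screen = relay.fake_otp_submit(otp_for(secret, step))
    return relay, service, screen


if __name__ == "__main__":
    relay, service, screen = run_attack()
    print("victim saw:", screen)
    print("attacker captured:", relay.captured)
    print("attacker holds a valid session:", relay.stolen_session in service.sessions)
```

Running it ends with the victim redirected to the genuine site while the attacker holds a valid session for the victim’s account. Note what the second factor did and did not do here: it stopped the attacker from logging in with the password alone, but the attacker simply asked the victim for the code at the moment it was needed. A one-time code is only bound to a moment in time, not to the web page you typed it into.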

So, should you be worried? Should you abandon LastPass? Yes and no, in that order. This kind of phishing is not unique to LastPass: any password manager whose login prompt appears inside the browser’s page area can have that prompt imitated by a web page, and phishing in general is a problem for everyone who uses email or a web browser. So in that sense, you should be worried about it. In a minute, I’ll give you some tips for protecting yourself.

This researcher picked on LastPass because he saw it as the top dog among password managers, not because it was the only one susceptible to this attack. He also contacted LastPass well before he released his research (as any good security researcher would do), and LastPass was able to ship changes before he announced the problem. That is, if you’re using LastPass and keeping your browser plugin up to date, you’re already protected against LostPass itself. LastPass reacted properly, from what I can see, and has mitigated this particular attack (and ones like it), though no update can make a product immune to phishing in general, which is why the tips below still matter. LastPass, in my experience, has taken all security concerns very seriously and constantly updates its software in response to even potential risks. So I feel very comfortable continuing to recommend it.

How can you protect yourself from phishing attacks? Here are some tips:

  1. Never give out sensitive info by email. This includes credit card numbers, passwords, and social security numbers. No reputable organization will ask for them via email.
  2. Don’t click on links or buttons in emails. If the email is fake, they will take you to a fake or malicious web site – one that may look exactly like the real one. Instead of clicking the links provided, just go to the site “manually” – that is, type in the main web site address by hand (or Google it) and then log into your account or whatever from there.
  3. Don’t fall for scare tactics. It’s common for scammers to tell you that something bad will happen or has already happened, and you MUST click here NOW to fix it. For example, your PayPal account has been frozen and you need to click this link now to log in and set things straight. Instead, go to your web browser, type in “paypal.com” and log in. If there’s really a problem, you’ll see it immediately when you log in.
  4. Help protect others by using strong, unique passwords on your email accounts. Hackers love to get into your email account and your email address book to send emails to everyone you know. These people (presumably) trust you and will be more likely to click on bad links.
  5. Use LastPass and keep your browser plugin up to date. They are adding new features to help prevent phishing attacks.
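Tips 2 and 3 both come down to one habit: trust the address you typed, not the link you were sent. The LostPass login page lived on the researcher’s own site, so the address bar was the one thing that gave it away. Here, as an added example that is not part of the original post, is a small link-triage check that applies the usual look-alike rules to a batch of constructed URLs. It assumes the expected site is `lastpass.com` and treats that as the registrable domain; a production version would consult the Public Suffix List rather than a fixed string.

```python
"""Check whether a link really points at the site it appears to name.

Added example. The sample links are constructed for the demo (.example is
a reserved top-level domain); the rules are the usual ones an analyst
applies by eye, written down so they can be run over a list.
"""
import ipaddress
from urllib.parse import urlsplit


def check_link(url: str, expected_domain: str) -> tuple:
    """Return (ok, reason).

    ok is True only when the link is https and its host is expected_domain
    itself or a subdomain of it. Assumes expected_domain is the registrable
    domain (a fixed string stands in for a Public Suffix List lookup).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme!r}, not https"
    if parts.username is not None:
        # "https://lastpass.com@evil.example/" shows the trusted name first,
        # but everything before '@' is a username; the real host follows it.
        return False, f"text before '@' is a username; the real host is {host}"
    if not host:
        return False, "no host in URL"
    try:
        ipaddress.ip_address(host)
        return False, "bare IP address instead of a name"
    except ValueError:
        pass
    try:
        ascii_host = host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return False, "host is not a valid internationalised name"
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        # Non-ASCII letters (e.g. Cyrillic 'а' for Latin 'a') become xn-- labels.
        return False, f"internationalised host {ascii_host}: possible look-alike letters"
    expected = expected_domain.lower()
    if ascii_host == expected or ascii_host.endswith("." + expected):
        return True, f"host {ascii_host} is under {expected}"
    return False, f"host {ascii_host} is not under {expected}"


SAMPLE_LINKS = [  # constructed for the demo
    "https://lastpass.com/login",
    "https://www.lastpass.com/login",
    "http://lastpass.com/login",
    "https://lastpass.com.evil.example/login",
    "https://lastpass.com@evil.example/login",
    "https://evil.example/lastpass.com/login",
    "https://lastpass-account-verify.example/login",
    "https://192.0.2.10/login",
    "https://lastp\u0430ss.com/login",  # Cyrillic 'а' in place of Latin 'a'
]


def triage(links, expected_domain: str = "lastpass.com") -> dict:
    """Run check_link over a batch and return url -> (ok, reason)."""
    return {url: check_link(url, expected_domain) for url in links}


if __name__ == "__main__":
    for url, (ok, why) in triage(SAMPLE_LINKS).items():
        print("OK " if ok else "BAD", url, "-", why)
```

Only the first two sample links pass; every other one uses a trick that a quick glance at the address bar can miss. None of this replaces tip 2: the surest check is still to close the message and type the site’s address yourself.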

Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.