- Attackers spoof LastPass and Bitwarden with phishing emails from fake newsletter domains and trick users into signing fake DocuSign documents
- Victims are redirected to malicious “compliance” domains flagged by Microsoft Defender and Cloudflare, which have already been taken offline
- None of the passwords were broken; this is domain spoofing and users are encouraged to verify sender addresses and domains before clicking on links
Criminals have been found impersonating popular password managers LastPass and Bitwarden online in an attempt to trick users into sharing their login details and thus gaining access to a treasure trove of passwords and other secrets.
LastPass recently issued an alert to its customers, raising awareness of the ongoing phishing campaign.
But the scam now also appears to have spread to other password managers, with Bitwarden customers also apparently being targeted.
Passwords are secure
In the campaign, LastPass users received emails from the address “[email protected]”.
This address does not belong to LastPass, and is in no way associated with the password manager. In the message, victims are told that the company’s security policies have been updated and that they must navigate to a specific landing page and sign a DocuSign document.
The email comes with a ‘Review and Terms of Access’ button which, if clicked, redirects victims to lastpass compliance[dot]com, another domain unrelated to the password management platform.
Bleeping Computer claims that this domain has already been flagged as malicious by both Microsoft Defender for Office 365 and Cloudflare and is currently offline.
Digging deeper, the reporters uncovered another campaign, almost identical, but now targeting Bitwarden users. In this case, the victims were sent from the “[email protected]” addresses and were redirected to bitwarden compliance[dot]com. Identical method, just a little personal.
It is important to note that neither LastPass nor Bitwarden were compromised as part of this attack.
The companies’ infrastructure is intact and the passwords are secure. This is a typical domain spoofing attack, where the bad guys buy a domain that looks like the legitimate one, hoping that the victims won’t notice the difference.
As usual, the best practice is to always be skeptical of incoming emails and to double-check the domains and email addresses from which they are sent. It is also good to cross-reference these emails with older messages that have been proven to be authentic to see if the domains and addresses match.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.



