LastPass ‘digital will’ phishing attack uses fake death certificate emails

With so much of our lives wrapped up in digital identities and platforms, you might want to spare a thought as to how your loved ones can get into things like your bank accounts or social media after you pay your coins to the ferryman. Password manager LastPass has a feature that can pass your credentials on to your next of kin… and, unsurprisingly, it’s being exploited by phishing scams.

It’s a sneaky and distasteful campaign, starting with an email spoofed from “[email protected]” that claims someone uploaded a death certificate to request access to your LastPass account. That’s an alarming thing to read if you’re still alive, so you might just lower your defenses long enough to click on the link to “lastpassrecovery[dot]com” in the phony email that claims to stop the process. Bam, you’ve given your LastPass master password—or possibly a passkey—to a scammer, and now they have access to every password you’ve stored on the platform. According to the security post, some phishers are actually calling victims (on the phone, with human voices, how retro!) pretending to be LastPass employees and directing them to a phony login site.

LastPass is warning users that the phishing campaign has been active since mid-October and is linked to the well-known CryptoChameleon group, which targets cryptocurrency wallets and logins for quick and hard-to-recover thefts. BleepingComputer reports that the scammers are targeting Binance, Coinbase, Kraken, and Gemini platforms.

It should be noted that LastPass does have a legitimate “digital will” system, and it’s a good idea to make use of it, especially if you’re older or have some pressing health concerns. But, of course, always be careful of any email that directs you to log into a service using a provided link. LastPass’s actual systems have not been compromised in this attack—it’s purely social engineering. The company posted a list of the IPs associated with the attack and a long stretch of associated URLs.

Password managers are an essential tool for most of us at this point, but they’re also a juicy target as a single point of failure. Keep your guard up especially high for anything dealing with them.