Bitwarden and other password managers are being targeted in Google ads phishing campaigns to steal users' password vault credentials.
As the enterprise and consumers move to use unique passwords at every site, it has become essential to use password managers to keep track of all the passwords.
However, unless you use a local password manager, like KeePass, most password managers are cloud-based, allowing users to access their passwords through websites and mobile apps.
These passwords are stored in the cloud in "password vaults" that keep the data in an encrypted format, usually encrypted using users' master passwords.
Recent security breaches at LastPass and credential stuffing attacks at Norton have illustrated that a master password is a weak point for a password vault.
For this reason, threat actors have been spotted creating phishing pages that target your password vault's login credentials and potentially its authentication cookies, as once they gain access to these, they have full access to your vault.
Bitwarden users targeted by Google ads phishing
On Tuesday, Bitwarden users began seeing a Google ad titled 'Bitward - Password Manager' in search results for "bitwarden password manager."
While BleepingComputer could not replicate this ad, it was seen by Bitwarden users on Reddit [1, 2] and the Bitwarden forums.
The domain used in the ad was 'appbitwarden.com' and, when clicked, redirected users to the site 'bitwardenlogin.com.'
The page at 'bitwardenlogin.com' was an exact replica of the legitimate Bitwarden Web Vault login page, as seen below.
In our tests, the phishing page will accept credentials and, once submitted, redirect users to the legitimate Bitwarden login page.
However, our initial tests used fake credentials, and the page was shut down by the time we began testing with actual Bitwarden test login credentials.
Therefore, we were unable to see if the phishing page would also attempt to steal MFA-backed session cookies (authentication tokens) like many advanced phishing pages.
While many people feel that the URL was a dead giveaway that it was a phishing page, others couldn't tell if it was fake or not.
"God damn. In situations like this how can I detect the fake one? This is truly scary," said the poster of a Reddit topic about the phishing page.
"People are saying to look at the URL, maybe it's just my tiny brain but I can't tell which is the real one," commented another user on the same Reddit post.
To make matters worse, it's not only Bitwarden being targeted by malicious phishing pages in Google ads.
Security researcher MalwareHunterTeam also recently found Google ads targeting the credentials for the 1Password password manager.
BleepingComputer has not been able to find other ads targeting other password managers, but Google search result advertisements have become a massive cybersecurity problem lately.
Recent research has shown that threat actors are using Google ads to fuel their malware delivery campaigns for initial access to corporate networks, to steal credentials, and for phishing attacks.
Protecting your password vaults
With password vaults containing some of your most valuable online data, it is important to properly protect them.
When it comes to protecting your password vaults from phishing attacks, the first line of defense is always to confirm you're entering your credentials on the correct website.
However, in case you mistakenly enter your credentials on a phishing site, you should always configure multi-factor authentication with your password manager.
The best MFA verification methods to use when securing your account, from best to worst, are hardware security keys (best but most cumbersome), an authentication app (good and easier to use), and SMS verification (can be hijacked in SIM swapping attacks).
Unfortunately, even with MFA protection, your accounts can still be vulnerable to advanced adversary-in-the-middle (AiTM) phishing attacks.
AiTM phishing attacks are when threat actors utilize specialized toolkits like Evilginx2, Modlishka, and Muraena to create phishing landing pages that proxy to legitimate login forms at a targeted service.
Using this method, visitors to the phishing page will see a legitimate service's login form, such as Microsoft 365. When they enter their credentials and MFA verification codes, this information is also relayed to the actual site.
However, once a user logs in and the legitimate site sends the MFA-backed session cookie, the phishing toolkit can steal these tokens for later use.
As these tokens have already been verified via MFA, they allow the threat actors to log in to your account without verifying MFA again.
Microsoft warned in July that this type of attack was used to bypass multi-factor authentication for 10,000 orgs.
Unfortunately, this leads us back to the first line of defense — make sure you only enter your credentials on a legitimate website or mobile app.
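The stolen-cookie scenario described above is one the service side can partly detect after the fact. The example below is added here and is not code from the article or from any password manager vendor: it replays constructed login and request events and flags an MFA-backed session cookie that reappears from a different browser, network and country, the trace an AiTM toolkit leaves when it reuses a captured token. The field names, the one-hour lifetime and the "user agent change or two changed attributes" rule are assumptions.

```python
# Constructed sample events (not real logs): a session cookie issued after a
# successful MFA login, then later requests carrying that cookie. Field names
# and values are assumptions for this example.
SAMPLE_EVENTS = [
    {"ts": 100, "event": "login_mfa_ok", "session": "s1",
     "ip": "203.0.113.10", "ua": "Firefox/109", "geo": "US"},
    {"ts": 160, "event": "request", "session": "s1",
     "ip": "203.0.113.10", "ua": "Firefox/109", "geo": "US"},
    # IP-only change (e.g. a laptop moving networks): tolerated by the rule below.
    {"ts": 200, "event": "request", "session": "s1",
     "ip": "203.0.113.11", "ua": "Firefox/109", "geo": "US"},
    # Same MFA-backed cookie replayed from another host, browser and country:
    # the pattern left behind when a proxy-phishing kit reuses a stolen token.
    {"ts": 400, "event": "request", "session": "s1",
     "ip": "198.51.100.7", "ua": "Chrome/109", "geo": "NL"},
    # A cookie this service never issued.
    {"ts": 500, "event": "request", "session": "s2",
     "ip": "198.51.100.7", "ua": "Chrome/109", "geo": "NL"},
]


def evaluate_sessions(events, max_age=3600):
    """Replay events in time order and return (ts, session, reason) alerts.

    Assumed policy: a user-agent change, or two or more changed attributes,
    means the token should not be trusted without a fresh MFA verification.
    """
    issued = {}   # session id -> fingerprint recorded at MFA-verified login
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        sid = e["session"]
        if e["event"] == "login_mfa_ok":
            issued[sid] = {k: e[k] for k in ("ip", "ua", "geo", "ts")}
            continue
        fp = issued.get(sid)
        if fp is None:
            alerts.append((e["ts"], sid, "unknown_session"))
            continue
        if e["ts"] - fp["ts"] > max_age:
            alerts.append((e["ts"], sid, "expired_session"))
            continue
        changed = [k for k in ("ip", "ua", "geo") if e[k] != fp[k]]
        if "ua" in changed or len(changed) >= 2:
            alerts.append((e["ts"], sid, "fingerprint_change:" + ",".join(changed)))
    return alerts
```

An alert here is a signal to invalidate the session and demand a fresh MFA check, which is the kind of extra detection that makes a replayed cookie harder to use.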
Comments
Super-E- - 1 year ago
Worth noticing that 1Password is less susceptible to such phishing attacks as the Master Security Key adds another layer of security with a randomly generated 34-character password used to initialize new installations. It's also harder to AiTM that piece of information.
Micky1701 - 1 year ago
Need to take criminal action against these types of exploits. They are there for exploitation only.
Would this work if you had a VPN running on your device like ExpressVPN?
Pusher2088 - 1 year ago
A VPN, regardless of the provider, would not have any impact on an attack like this.
Micky1701 - 1 year ago
Ok Thanks
EndangeredPootisBird - 1 year ago
A VPN does not provide meaningful security or privacy.
DyingCrow - 1 year ago
When in doubt, type a random email and password - or something very offensive - on purpose. Phishing pages mostly don't bother showing a "failed login" in an attempt to get more passwords; it just goes through. Then you know it's fake, and gave them nothing.
Another giveaway of a fake website is they may only have the home page, links do nothing, so click around a bit if it looks phishy.
Some phishing sites can be pretty well done, however. Use best judgement.
As a personal recommendation, don't think of a master password as a password - make it a sentence. Some examples:
- manicouldreallyuseacouplecoldbeersrightnow
- illtrashthiscarifigetanotherflattire
- thatbirdtookahugedumponmyneighborsheadyesterday
- thepicassocaughtonfireafteritookashower
- catpoopstincksobadsometimesmakesmemad
Not so hard, is it :)
Micky1701 - 1 year ago
thehobbitswereeatingtheir thirdbreakfastwhengolumofferedthemsomenastyfish!
wewert - 1 year ago
Speaking of ads, since the FBI recommends ad-blocking extensions, you should consider putting the images for articles like this at a URL that does not include /google-ads/ because that will trigger EasyList and then they won't be seen.
Lawrence Abrams - 1 year ago
Never thought of that. Good suggestion
Lawrence Abrams - 1 year ago
Fixed.
GregMyers - 1 year ago
I'm reading, "As these tokens have already been verified via MFA, they allow the threat actors to log in to your account without verifying MFA again." and wondering how that would work given the MFA is required with each login and logins are time limited.
Lawrence Abrams - 1 year ago
Many MFA solutions allow you to skip MFA-verification for a certain period of time once you authenticate.
If someone can steal that MFA-verified auth token/cookie, they can then use it to login as you while bypassing MFA.
Some MFA solutions have other detections that make that harder, such as location changes, browser changes, or even IP changes. Not all monitor that.
RobCrypto - 1 year ago
Store most of your password manager's password right in the password manager itself! That's right. Just NOT the ENTIRE password! Leave the last 4 or so characters off. This way you can still get the little "1" above the password manager icon and spot if you already have credentials there. The spoofed site will not have the same URL so it will never display that "1". And if this password manager database is ever hacked, no one has the last 4 characters except you and maybe that yellow sticky on your monitor!
thebatsec - 1 year ago
So there is no solution for blocking these ads (in general, malicious or not) for users in an enterprise when searching on google.com?
Micky1701 - 1 year ago
Maybe roll out duckduckgo as your browser default. If not, research the best ad blockers and force install of the extension add-on. Perhaps force incognito mode so history and cookies are cleared on exit.
PappaFrost - 1 year ago
I'm googling the phrases "BitWarden Password Generator", "BitWarden Login", "BitWarden Password Manager" and I'm not seeing anything sketchy like this. So that's GOOD NEWS! I wonder if Google recently cracked down on this or if it was initially very rare? This is stock Google Chrome with no ad blockers, and no DNS filtering.
Lawrence Abrams - 1 year ago
Sadly, it was fairly easy to find this stuff.
https://www.bleepingcomputer.com/news/security/ransomware-access-brokers-use-google-ads-to-breach-your-network/
We found it easier to search in private mode, and from browsers that you do not normally use. Not sure why that is the case, but *maybe* to avoid any advertising profiles created for you.
Hmm888 - 1 month ago
I think this was a hoax. Never get your facts from social media. It's like getting your facts from Mcdonald Trump.
Lawrence Abrams - 1 month ago
These ads were not a hoax. We were able to access the phishing site associated with the ads.