Google Ads phishing campaigns are targeting Bitwarden and other password managers in an attempt to steal users’ password vault credentials. As businesses and consumers move toward using a different password on every website, password managers have become necessary to keep track of them all. Most password managers are cloud-based, letting users access their credentials through websites and mobile applications, unless they use a local password manager such as KeePass.
These passwords are typically stored in cloud-hosted “password vaults” that are encrypted with the user’s master password. A master password is a weakness for a password vault, as evidenced by the recent security breaches at LastPass and credential stuffing attempts at Norton. Because a vault becomes fully accessible once an attacker has your login information and possibly your authentication cookies, threat actors have been seen building phishing sites that target your password vault.
On Tuesday, Bitwarden users started to notice a Google advertisement for “Bitward – Password Manager” in search results for “bitwarden password manager.” Although some sources could not reproduce the advertisement, Bitwarden users reported seeing it on Reddit [1, 2] and on the Bitwarden forums. The advertisement’s display domain, “appbitwarden.com,” redirected visitors to the website “bitwardenlogin.com” when they clicked on it. The page at “bitwardenlogin.com” was a replica of the genuine Bitwarden Web Vault login page.
In testing, the fake Bitwarden login page accepted the submitted credentials and then redirected the visitor onward to the legitimate login page. Earlier tests had used fictitious credentials, and by the time testing with genuine Bitwarden test credentials began, the page had already been taken down. Because of this, it was not possible to determine whether the phishing website also tried to capture MFA-backed session cookies (authentication tokens), as many sophisticated phishing pages do. Many users felt the URL was a dead giveaway that the page was phishing, while others could not tell whether it was real.
“God damn. In situations like this how can I detect the fake one? This is truly scary,” said the poster of a Reddit thread about the phishing page. “People are saying to look at the URL, maybe it’s just my tiny brain but I can’t tell which is the real one,” commented another user on the same Reddit post.
Worse, Google advertisements carrying phishing URLs are not targeting only Bitwarden. According to security researcher MalwareHunterTeam, Google advertisements recently targeted the 1Password password manager’s login credentials as well. No ads targeting other password managers have been reported so far, but Google search result adverts have become a significant cybersecurity problem. Recent research has shown that threat actors use Google advertisements as the basis of malware distribution campaigns aimed at gaining initial access to corporate networks, stealing passwords, and running phishing attacks.
Safeguarding password vaults is crucial since they hold some of your most sensitive online data. Verifying that you are entering your credentials on the correct website is always the first line of defense against phishing attacks on your password vault. You should also enable multi-factor authentication on your password manager in case you unintentionally enter your credentials on a phishing website. Ranked from strongest to weakest, the MFA methods to use when protecting your account are physical security keys, authenticator apps, and SMS verification (which can be hijacked in SIM-swapping attacks).
Unfortunately, modern adversary-in-the-middle (AiTM) phishing attacks can still compromise your accounts even with MFA enabled. In an AiTM attack, threat actors build phishing landing pages that act as proxies to the legitimate login form of the targeted service, using toolkits such as Evilginx2, Modlishka, and Muraena. A visitor to the phishing page therefore sees the genuine login form of the real service, such as Microsoft 365. When the user submits their login credentials and MFA verification code, the proxy forwards them to the real site. Once the user has authenticated and the real site issues the MFA-backed session cookie, the phishing toolkit captures that token for later use.
Because the session has already passed MFA verification, these tokens let threat actors access your account without completing MFA again. In July, Microsoft warned that this kind of attack had been used to bypass multi-factor authentication at 10,000 organizations. Sadly, this brings us back to the first line of defense: only enter your credentials on trusted websites or mobile apps.
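The “look at the URL” advice above is exactly the check a password manager’s autofill allow-list, a proxy log reviewer or a browser policy can automate. The following is an added example, not code from the article or from Bitwarden: it classifies a URL as the vendor’s real domain (or a true subdomain of it), a brand lookalike, or unrelated, assuming bitwarden.com is the only legitimate domain; the sample URLs other than the two domains named in the article are constructed.

```python
from urllib.parse import urlsplit

# Assumption for this example: the vendor's genuine domain is bitwarden.com.
LEGIT_DOMAINS = ("bitwarden.com",)
# "bitward" is a prefix of "bitwarden", so one token covers both the real brand
# name and the misspelling used in the ad.
BRAND_TOKENS = ("bitward",)


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL; a bare host is accepted too."""
    if "://" not in url:
        url = "https://" + url
    # urlsplit resolves userinfo, so 'bitwarden.com@evil.example' yields evil.example.
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_legit_host(host: str, legit=LEGIT_DOMAINS) -> bool:
    """True only for the legitimate domain itself or a real subdomain of it.
    A plain substring test would wrongly accept 'bitwarden.com.evil.example'."""
    return any(host == d or host.endswith("." + d) for d in legit)


def classify(url: str) -> str:
    """Label a URL 'legit', 'lookalike' (brand name inside a host that is not
    the vendor's domain) or 'unrelated'."""
    host = host_of(url)
    if is_legit_host(host):
        return "legit"
    # Strip hyphens so 'bit-warden' style hosts are still caught.
    if any(tok in host.replace("-", "") for tok in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


def flag_lookalikes(urls):
    """Return the URLs a reviewer should treat as suspect."""
    return [u for u in urls if classify(u) == "lookalike"]


# Constructed sample: the two domains named in the article plus invented cases.
SAMPLE_URLS = [
    "https://vault.bitwarden.com/#/login",       # genuine web vault
    "appbitwarden.com",                           # the ad's display domain
    "https://bitwardenlogin.com/",                # the phishing landing page
    "https://bitwarden.com.evil.example/login",   # constructed subdomain trick
    "https://bitwarden.com@evil.example/",        # constructed userinfo trick
    "https://example.com/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify(u):10} {u}")
```

The userinfo case is deliberately labelled “unrelated” rather than “lookalike” because the real host is evil.example; a reviewer who wants to flag it can add a check for an `@` in the URL’s authority.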