
Bitwarden password vaults targeted in Google ads phishing attack

By Lawrence Abrams
January 26, 2023

Bitwarden and other password managers are being targeted in Google ads phishing campaigns to steal users’ password vault credentials.

As the enterprise and consumers move to use unique passwords at every site, it has become essential to use password managers to keep track of all the passwords.

However, unless you use a local password manager, like KeePass, most password managers are cloud-based, allowing users to access their passwords through websites and mobile apps.

These passwords are stored in the cloud in “password vaults” that keep the data in an encrypted format, usually encrypted using users’ master passwords.

Recent security breaches at LastPass and credential stuffing attacks at Norton have illustrated that a master password is a weak point for a password vault.

For this reason, threat actors have been spotted creating phishing pages that target your password vault’s login credentials, and potentially authentication cookies, because once they gain access to these, they have full access to your vault.


Bitwarden users targeted by Google ads phishing

On Tuesday, Bitwarden users began seeing a Google ad titled ‘Bitward – Password Manager’ in search results for “bitwarden password manager.”

While BleepingComputer could not replicate this ad, it was seen by Bitwarden users on Reddit [1, 2] and the Bitwarden forums.

The domain used in the ad was ‘appbitwarden.com’ and, when clicked, redirected users to the site ‘bitwardenlogin.com.’

Bitwarden phishing site promoted via a Google ad
Source: Reddit

The page at ‘bitwardenlogin.com’ was an exact replica of the legitimate Bitwarden Web Vault login page, as seen below. 

Bitwarden phishing page
Source: BleepingComputer

In our tests, the phishing page will accept credentials and, once submitted, redirect users to the legitimate Bitwarden login page.

However, our initial tests used fake credentials, and the page was shut down by the time we began testing with actual Bitwarden test login credentials.

Therefore, we were unable to see if the phishing page would also attempt to steal MFA-backed session cookies (authentication tokens) like many advanced phishing pages.

While many people feel that the URL was a dead giveaway that it was a phishing page, others couldn’t tell if it was fake or not.

“God damn. In situations like this how can I detect the fake one? This is truly scary,” said the poster of a Reddit topic about the phishing page.

“People are saying to look at the URL, maybe it’s just my tiny brain but I can’t tell which is the real one,” commented another user on the same Reddit post.

To make matters worse, it’s not only Bitwarden being targeted by malicious phishing pages in Google ads.

Security researcher MalwareHunterTeam also recently found Google ads targeting the credentials for the 1Password password manager.

1Password phishing page promoted on Google
Source: MalwareHunterTeam

BleepingComputer has not been able to find other ads targeting other password managers, but Google search result advertisements have become a massive cybersecurity problem lately.

Recent research has shown that threat actors are using Google ads to fuel their malware delivery campaigns for initial access to corporate networks, to steal credentials, and for phishing attacks.

Protecting your password vaults

With password vaults containing some of your most valuable online data, it is important to properly protect them.

When it comes to protecting your password vaults from phishing attacks, the first line of defense is always to confirm you’re entering your credentials on the correct website.

However, in case you mistakenly enter your credentials on a phishing site, you should always configure multi-factor authentication with your password manager.

The best MFA verification methods to use when securing your account, from best to worst, are hardware security keys (best but most cumbersome), an authentication app (good and easier to use), and SMS verification (can be hijacked in SIM swapping attacks).

Unfortunately, even with MFA protection, your accounts can still be vulnerable to advanced adversary-in-the-middle (AiTM) phishing attacks.

In AiTM phishing attacks, threat actors use specialized toolkits like Evilginx2, Modlishka, and Muraena to create phishing landing pages that proxy to legitimate login forms at a targeted service.

Using this method, visitors to the phishing page will see a legitimate service’s login form, such as Microsoft 365. When they enter their credentials and MFA verification codes, this information is also relayed to the actual site.

However, once a user logs in and the legitimate site sends the MFA-backed session cookie, the phishing toolkit can steal these tokens for later use.

The flow of an AiTM phishing attack
Source: BleepingComputer

As these tokens have already been verified via MFA, they allow the threat actors to log in to your account without verifying MFA again.

Microsoft warned in July that this type of attack was used to bypass multi-factor authentication for 10,000 orgs.
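On the service side, reuse of an MFA-backed session cookie by a different client is something a defender can look for in access logs. The following is an added example, not code from the article or from any vendor: the event format, field names and the function `find_replayed_sessions` are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int        # seconds since start of capture
    session: str   # session-cookie identifier (hashed in real logs)
    kind: str      # "mfa_ok" = cookie issued after MFA, "request" = cookie used
    ip: str
    ua: str

def find_replayed_sessions(events):
    """Return (session, ts, severity, changed) for each request whose client
    differs from the one that completed MFA for that session."""
    issued = {}   # session -> (ip, ua) recorded when MFA succeeded
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "mfa_ok":
            issued[ev.session] = (ev.ip, ev.ua)
            continue
        if ev.session not in issued:
            continue  # issuance not in this log window; nothing to compare
        ip0, ua0 = issued[ev.session]
        changed = [n for n, old, new in (("ip", ip0, ev.ip), ("ua", ua0, ev.ua))
                   if old != new]
        if changed:
            # An IP change alone is common (mobile, VPN); both changing is not.
            severity = "high" if len(changed) == 2 else "review"
            alerts.append((ev.session, ev.ts, severity, changed))
    return alerts

# Constructed sample events (documentation IP ranges, not real traffic).
SAMPLE = [
    Event(100, "s1", "mfa_ok", "192.0.2.10", "Firefox/109"),
    Event(130, "s1", "request", "192.0.2.10", "Firefox/109"),
    Event(200, "s2", "mfa_ok", "198.51.100.5", "Chrome/109"),
    Event(260, "s2", "request", "198.51.100.9", "Chrome/109"),
    Event(900, "s1", "request", "203.0.113.77", "curl/7.87"),
]

if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE):
        print(alert)
```

Because the phishing proxy relays the login, the client recorded at MFA time may already be the proxy, so this heuristic only catches a token that is later used from different infrastructure.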

Unfortunately, this leads us back to the first line of defense — make sure you only enter your credentials on a legitimate website or mobile app.
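The "is this the real site?" check can be made mechanical, for example in a proxy or mail-filter rule. The following is an added example, not code from the article or from Bitwarden: the function names and the allowlist are assumptions (bitwarden.com is the vendor's real domain), the two phishing domains are the ones named above, and the remaining URLs are constructed.

```python
from urllib.parse import urlsplit

ALLOWED = {"bitwarden.com"}   # assumption: defender-maintained allowlist
BRANDS = {"bitwarden"}        # brand strings to watch for in other domains

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return 'trusted', 'lookalike' or 'unknown' for the URL's real host."""
    # urlsplit drops any user@ prefix, so the host is what the browser contacts.
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    # Match on a label boundary: 'appbitwarden.com' ends with 'bitwarden.com'
    # as a string but is a different domain.
    if any(host == d or host.endswith("." + d) for d in ALLOWED):
        return "trusted"
    for label in host.split("."):
        for brand in BRANDS:
            if brand in label:
                return "lookalike"
            if any(edit_distance(part, brand) <= 2 for part in label.split("-")):
                return "lookalike"
    return "unknown"

# First three hosts appear in or follow from the article; the rest are constructed.
SAMPLES = [
    "https://vault.bitwarden.com/#/login",
    "https://appbitwarden.com/",
    "https://bitwardenlogin.com/",
    "https://bitwarden.com@bitwardenlogin.com/",
    "https://bitwarden.com.login.example/",
    "https://bitvvarden.example/",
    "https://example.org/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{classify(u):10} {u}")
```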
