



Last week, several users of Bitwarden’s password management technology reported seeing paid advertisements for credential-stealing phishing sites when using Google to search for the vendor’s official web vault login page.

Google has stated that addressing this issue is a top priority.

Posting on Bitwarden’s community forums and Reddit about the issue, the vendor warned users of the threat and encouraged them to bookmark the correct URL for Web Vault.

“When using search engines, scammers may try to get your attention. Stay safe,” Bitwarden said in an official tweet.

Password Vault Phishing: A Growing Threat

The vendor’s warning mirrored one from 1Password last week, which referred to the same threat to users of that company’s password manager. “Some found the website masquerading as 1Password,” said the vendor. “Make sure all links lead to our website.”

Malicious ads targeting users of Bitwarden and 1Password continue a series of recent attacks on password managers. For example, in December, LastPass, one of the leading vendors in the space, disclosed a breach in which attackers accessed a backup copy of customer vault data, including usernames, passwords, and form-filled data. The December attack followed one last August, when attackers accessed the company’s source code. In another incident uncovered in January, attackers compromised Norton LifeLock’s systems and accessed customer information that could include passwords stored in Norton Password Manager.

Google Ads: new tactics

Malicious ads targeting Bitwarden and 1Password customers suggest the attackers have added another tactic to break into password managers and compromise the accounts associated with those passwords.

Malicious ads reported by Bitwarden and 1Password users last week appeared at the top of search results on Google’s search engine when users searched for “bitwarden password manager” or 1Password’s Web Vault. The landing pages were also of high quality. One Bitwarden user reported finding a phishing website that masqueraded as the vendor’s official web vault so well that it was hard to tell the two apart.

“The phishing page looks very much like the vault login page, along with an SSL certificate and a similar-sounding domain name to make it look legit,” a user posted on Bitwarden’s community forums. “We hope Bitwarden can remove this domain before someone’s account is compromised.”

Another user on Bitwarden’s subreddit posted a screenshot comparing Bitwarden’s official web vault page and the phishing page. “Oh my God, how can we detect fakes in this situation? This is really scary,” the user lamented, noting how closely the phishing page resembled the original.

The growing threat of malvertising

The paid Google ads targeting password manager users also highlight what many have described as the growing problem of malvertising, namely malicious ads in Google search results and elsewhere on the web. Last October, CrowdStrike described a relatively new malvertising attack technique in which threat actors inject malicious code into digital ads and deliver them to online users via legitimate ad networks.

Attackers have used this vector to deliver various malware, or links to malware-laden websites or phishing sites, to steal credentials and other sensitive data. More recently, such ads have been used to impersonate widely used and popular brands. Recent examples include ads spoofing OBS live streaming software, Blender 3D software, VirtualBox, CCleaner, and WinRAR. One widely cited example, from January, involved an NFT influencer who uses the alias NFT God and who was snared by a threat actor’s booby-trapped Google ad for OBS. The influencer reported losing all of their cryptocurrency and digital assets after the attacker accessed their account.

Concerned about the growing threat, the FBI issued an advisory last December about attackers using ads in search results to impersonate brands.

In an emailed statement to Dark Reading, a Google spokesperson acknowledged the growing nature of the problem and said that addressing it is now one of the company’s top priorities. “Malicious individuals often use sophisticated means to hide their identities to evade our policies and enforcement,” the statement said.

To combat this, Google has launched a new certification policy and advertiser verification process. The company has also enhanced its ability to detect and prevent coordinated malvertising scams, the spokesperson said.

As a result of these efforts, Google removed 3.4 billion ads and restricted about 5.7 billion ads in 2021. The company also suspended about 5.6 million advertiser accounts in the same year. At the same time, the growing sophistication and scale of malvertising threat actor activity makes it a challenge for the company to contain the problem.

“We are aware of the recent increase in malware campaigns. Addressing this is a top priority and we are working to resolve these incidents as quickly as possible,” the spokesperson said.

