Bitwarden users at risk after potential phishing scam discovered

Update: Bitwarden recently got in touch with us to share the following: “We always remind users looking for Bitwarden not to rely on search engines when looking for the Bitwarden log in page, but to start with Bitwarden.com. A useful tip for users of the web vault is to bookmark http://vault.bitwarden.com. This eliminates the chances of an imposter site grabbing your attention, which can happen when using a search engine.

“Fortunately, the webpages posing as Bitwarden listed in this article are no longer live, but we take this as an opportunity to further remind our users to always exhibit caution and check hyperlinks carefully when entering their credentials.”

A number of prominent password managers have been spoofed in a new phishing campaign, with the likes of Bitwarden among those affected, experts have warned.

A very convincing fake of the real Bitwarden website, with the URL 'bitwardenlogin.com', appeared as a Google Ads search result, pushing it right to the top when users searched with the phrase 'bitwarden password manager'.

The domain on the ad was 'appbitwarden.com'. The ad now thankfully appears to have disappeared from Google's results, and the site has seemingly been shut down.

Users reported having come across the phishing ad earlier this week on Reddit and the official Bitwarden forums, voicing their concerns over how similar the fake page and URL looked to the real ones.

One user even noted that a Secure Sockets Layer (SSL) certificate was present on the fake website, which allows for an encrypted connection and is usually taken as a sign of a safe and legitimate website.
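As an added example (not from the article or from Bitwarden), this Python sketch shows the hostname check that the lookalike domains named above are built to slip past: a host counts as genuine only if it is bitwarden.com or a dot-separated subdomain of it, whether or not the page is served over HTTPS. The allowlist, the brand token, the function names and the sample URLs marked as constructed are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only domain treated as genuine.
TRUSTED_DOMAINS = {"bitwarden.com"}
BRAND_TOKEN = "bitwarden"


def split_host(url: str):
    """Return (hostname, netloc), lower-cased; tolerate URLs without a scheme."""
    if "://" not in url:
        url = "//" + url
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return "", ""
    host = (parts.hostname or "").rstrip(".").lower()
    return host, parts.netloc.lower()


def is_trusted(host: str) -> bool:
    """True for a trusted domain itself or a subdomain of it.

    The leading dot matters: 'appbitwarden.com' ends with 'bitwarden.com'
    but not with '.bitwarden.com', so it is not a subdomain.
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify(url: str) -> str:
    """Label a URL 'trusted', 'lookalike' (brand name outside the trusted
    domain) or 'other'. The scheme is ignored: a valid TLS certificate only
    proves control of the host named in it, not who runs the site."""
    host, netloc = split_host(url)
    if host and is_trusted(host):
        return "trusted"
    if BRAND_TOKEN in netloc:
        return "lookalike"
    return "other"


SAMPLES = [
    "http://vault.bitwarden.com",         # bookmark suggested in the article
    "https://bitwardenlogin.com/",        # domain named in the article
    "appbitwarden.com",                   # domain named in the article
    "https://bitwarden.com.example.net",  # constructed: brand as a subdomain label
    "https://bitwarden.com@example.net",  # constructed: brand in the userinfo part
    "https://example.org/",               # constructed: unrelated site
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):10} {sample}")
```

The same comparison can be applied to link targets in mail or proxy logs to flag hosts that carry the brand name but sit outside the genuine domain.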

Bleeping Computer tried to test the fake page by inputting fake Bitwarden account credentials to see what would happen, and found that "the phishing page will accept credentials and, once submitted, redirect users to the legitimate Bitwarden login page."

However, the phishing site was shut down before the outlet was able to confirm what would have happened with real credentials - specifically whether it would "attempt to steal MFA-backed session cookies (authentication tokens) like many advanced phishing pages."

It is referring to adversary-in-the-middle (AiTM) phishing attacks, in which the phishing site acts as a proxy: it relays the login to the real website, which sends the MFA prompt back to the phishing site, which then proxies this to the user. The process is then repeated for the actual input of the MFA code, with neither party any the wiser that the authentication process is being intercepted by a bad actor.

The real site then stores a cookie that contains the authentication information for that session. This cookie is stolen by the threat actor so that it can reuse the victim's session without needing to go through another MFA request.

Other password managers were also found to be caught up in Google Ads phishing campaigns recently. Security researcher MalwareHunterTeam found the same tactic used to spoof 1Password, another very popular choice of manager. 

Google Ads has been hijacked for various malicious ends aside from phishing scams. Recent stories have found it being used as a launching pad for stealing credentials and breaching business networks via identity theft.

The news follows a recent spate of password manager attacks, most notably on LastPass, one of the biggest password managers around. There, user vaults were stolen, and the keys used to encrypt them were not guaranteed to be safe either, meaning hackers could potentially see all of the users' passwords.

Norton LifeLock users also had their password vaults compromised in a credential stuffing attack, and Passwordstate also suffered a security breach.

The best way to protect your password vaults, aside from being cautious of any phishing websites, is to have MFA set up, and to use a strong password. Since this password will have to be committed to memory, as it can't be stored in the vault itself, it is best to use a random string of words that you can remember easily and yet will be too long and lacking significance to be easily cracked by hackers. 

Lewis Maddison
Staff Writer