Hackers pushing fake Bitwarden updates hit thousands of devices with data stealing malware

News
By published

Fake Facebook adverts are linking to malware

Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
(Image credit: Shutterstock)
  • Fake facebooks ads are posing as Bitwarden security updates
  • The updates actually install a malicious browser extension
  • The extensions steals personal and financial data from Facebook

Bitdefender has warned hackers are using the Facebook advertising platform to trick Bitwarden users into installing a fake security update that steals personal data and credit card information from businesses and individuals alike.

The advert lures a user through a string of redirected URLs before landing them at a phishing page designed to mimic the official Chrome Web Store.

Once downloaded, the malware leeches data from Facebook’s Graph API which is then sent to the attacker via a Google Script URL that acts as a command and control (C2) server.

Latest Videos From

Fake facebook ads spreading malware

The fake adverts create a sense of urgency for users, displaying messages such as “Warning: Your Passwords Are at Risk!” and using Bitwarden branding to appear as a legitimate advert.

Once lured to the fake Chrome Web Store, users then download a zip file that is manually loaded as a Chrome browser extension using Developer mode, avoiding the usual security checks that would take place when adding a browser extension.

The extension then asks for permission to operate on all websites, modify network requests, and access storage and cookies allowing it to collect and exfiltrate the data your browser has access to. Once the extension is opened, the malware looks for the ‘c_user’ cookie on Facebook, which contains the Facebook user ID.

The malware also uses a background.js script to harvest data from Facebook cookies, including information on location and IP address, and uses the Facebook Graph API to extract all of the stolen data to the hackers C2 server.

Bitdefender recommends that users and security teams keep an eye out for extensions that request excessive permissions, as well as those with obfuscated functions such as ‘chrome.runtime.onInstalled.addListener’ and signatures that request to graph.facebook.com APIs.

Users should also double check the authenticity of an update with the manufacturer, pay close attention to updates pushed through adverts and social media, and use one of the best antivirus services available as an additional line of defense.

While this campaign has since been taken down, the attack shows the potential for malicious actors to use Facebook advertising and social media to push further malware on a global scale.

You might also like

Benedict Collins
Benedict Collins
Senior Writer, Security

Benedict is a Senior Security Writer at TechRadar Pro, where he has specialized in covering the intersection of geopolitics, cyber-warfare, and business security.

Benedict provides detailed analysis on state-sponsored threat actors, APT groups, and the protection of critical national infrastructure, with his reporting bridging the gap between technical threat intelligence and B2B security strategy.

Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the University of Buckingham Centre for Security and Intelligence Studies (BUCSIS), with his specialization providing him with a robust academic framework for deconstructing complex international conflicts and intelligence operations, and the ability to translate intricate security data into actionable insights.