The Bitwarden password manager has been one of the targets of the phishing campaigns carried out through Google Ads, in which attackers steal credentials from the user’s password vault.
Password managers are very useful for companies and users who need to store a large number of unique passwords, one for each site. Some of these password managers, like Bitwarden, are cloud based and therefore allow access to credentials through websites and mobile applications.
With these services the passwords are also stored in the cloud, in what are called ‘password vaults’, which keep the data in encrypted form. To access the vaults and decrypt them, users use master passwords. For this reason, these master passwords become essential data for cybercriminals, who use ‘phishing’ campaigns (impersonation of a legitimate source), among other attacks, to obtain them.
Along these lines, some users have reported in forums such as Reddit and Bitwarden’s own community that threat actors are targeting this service, creating ‘phishing’ pages that imitate the login page used to access the password vault.
Users found these fake Bitwarden web vault pages through Google Ads, which appeared as the top result when searching for the original website.
As verified by BleepingComputer, the domain the threat actors used for the advertised website was ‘appbitwarden.com’. When clicked, the page automatically redirected users to ‘bitwardenlogin.com’, which hosted an “exact replica” of the real login page of the Bitwarden vault website (at the domain ‘vault.bitwarden.com’).
On the replica page, users entered their credentials and, when they submitted them, the fake page redirected them to the legitimate Bitwarden login page. In this way, the theft of data is practically imperceptible.
However, as BleepingComputer explains, in its first tests its researchers entered false credentials, and when they tried with the login credentials of a real test account, the page had been shut down, so they could not check whether, with this attack, the cybercriminals also steal login ‘cookies’ backed by multi-factor authentication tokens, which add a layer of protection to the login.
To avoid falling for an attack of this kind, check the URL of the page being accessed so that you can verify whether it is the original site or a suspicious one. Likewise, BleepingComputer also emphasizes the importance of protecting data online, above all the master passwords. For this, it is recommended to configure multi-factor authentication in the password management service.
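A URL check of the kind the paragraph recommends, written as an added example (not code from the article or from Bitwarden): it shows why a loose “contains bitwarden” match would accept the two look-alike domains named above, and what a strict host comparison looks like, run over a few proxy log lines. The allowlisted domain rule and the sample log are constructed for this example.

```python
from urllib.parse import urlsplit

# Legitimate registrable domain of the vault (the article names vault.bitwarden.com).
# Treating every label-bounded subdomain of it as legitimate is an assumption made
# for this example; a real allowlist would be maintained per organisation.
LEGIT_DOMAIN = "bitwarden.com"

def host_of(url: str) -> str:
    """Extract the lowercase hostname, ignoring userinfo, port, path and a trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def loose_check(url: str) -> bool:
    """The check that fails: a substring match is satisfied by look-alike domains."""
    return "bitwarden" in host_of(url)

def is_legitimate_vault_url(url: str) -> bool:
    """Strict check: https only, ASCII host, and the host must be exactly the
    legitimate domain or end with '.' + that domain (label boundary enforced)."""
    parts = urlsplit(url)
    host = host_of(url)
    if parts.scheme != "https" or not host or not host.isascii():
        return False
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)

def flag_lookalikes(log_lines):
    """Return (user, host) pairs from 'timestamp user method url' proxy log lines
    whose host mentions the brand but is not a legitimate vault host."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        user, url = fields[1], fields[3]
        if loose_check(url) and not is_legitimate_vault_url(url):
            hits.append((user, host_of(url)))
    return hits

# Constructed sample proxy log; the two look-alike hosts are those named in the article.
SAMPLE_LOG = [
    "2023-01-25T10:01:02Z alice GET https://vault.bitwarden.com/#/login",
    "2023-01-25T10:02:10Z bob GET https://appbitwarden.com/",
    "2023-01-25T10:02:11Z bob GET https://bitwardenlogin.com/login",
    "2023-01-25T10:03:40Z carol GET https://vault.bitwarden.com.example.test/",
    "2023-01-25T10:05:00Z dave GET https://example.com/",
]

if __name__ == "__main__":
    for user, host in flag_lookalikes(SAMPLE_LOG):
        print(f"look-alike vault domain visited by {user}: {host}")
```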
The most highly regarded methods for protecting the account are hardware security keys, an authenticator app and SMS verification, although the latter can be hijacked in SIM swapping attacks, as BleepingComputer reports.
The importance of protecting data stored in the cloud is further confirmed by the recent security breaches at other password managers such as LastPass and its parent company GoTo. In that attack, cybercriminals were able to access elements of customer information.