Bitwarden password vaults targeted in Google ads phishing attack

CyberTech

Level 44
Thread author
Verified
Top Poster
Well-known
Nov 10, 2017
3,250
Bitwarden and other password managers are being targeted in Google ads phishing campaigns to steal users' password vault credentials.

As the enterprise and consumers move to use unique passwords at every site, it has become essential to use password managers to keep track of all the passwords.

However, unless you use a local password manager, like KeePass, most password managers are cloud-based, allowing users to access their passwords through websites and mobile apps.

These passwords are stored in the cloud in "password vaults" that keep the data in an encrypted format, usually encrypted using users' master passwords.

Recent security breaches at LastPass and credential stuffing attacks at Norton have illustrated that a master password is a weak point for a password vault.

For this reason, threat actors have been spotted creating phishing pages that target your password vault's login credentials, potentially authentication cookies, as once they gain access to these, they have full access to your vault.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,046
Yes, it's BW's turn now. Will increasing BW's KDF to 600 000 and longer length passwords help in preventing?

:(
 
Last edited:

Thales

Level 15
Verified
Top Poster
Well-known
Nov 26, 2017
708
Yes, it's BW's turn now. Will increasing BW's KDF to 600 000 and longer length passwords help in preventing?

:(
I do not believe that.
It is indicated through a fake website in my interpretation.
 
Last edited:

Stopspying

Level 19
Verified
Top Poster
Well-known
Jan 21, 2018
814
Yes, it's BW's turn now. Will increasing BW's KDF to 600 000 and longer length passwords help in preventing?

:(
Not just BW, the article refers to "..and other password managers.."; almost inevitable I believe, once it became obvious how much personal data could be stolen from PW Managers other ones are what I'd go after if I was a hacker.
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
Anyone here knows if anti-keyloggers like Hitmampro.alert or Keyscrambler could protect from this?
 
Last edited:

Thales

Level 15
Verified
Top Poster
Well-known
Nov 26, 2017
708
Anyone here knows if anti-keyloggers like Hitmampro.alert or Keyscrambler could protec from this?
The page at 'bitwardenlogin.com' was an exact replica of the legitimate BitWarden Web Vault Login page, as seen below....
...In our tests, the phishing page will accept credentials and, once submitted, redirect users to the legitimate Bitwarden login page...

1675190186803.png
 
  • Like
Reactions: Gandalf_The_Grey

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
The page at 'bitwardenlogin.com' was an exact replica of the legitimate BitWarden Web Vault Login page, as seen below....
...In our tests, the phishing page will accept credentials and, once submitted, redirect users to the legitimate Bitwarden login page...

View attachment 272579
Maybe I’m missing. But I don’t think that answers my question.

If you were to go to the phishing page and entered your “correct” login info, would keyscrambler scramble that info so that bad guys only get an “incorrect” login info?
 

Thales

Level 15
Verified
Top Poster
Well-known
Nov 26, 2017
708
Maybe I’m missing. But I don’t think that answers my question.

If you were to go to the phishing page and entered your “correct” login info, would keyscrambler scramble that info so that bad guys only get an “incorrect” login info?
Nope because basically you are giving the right info to the bad guys. The anti-keylogger has nothing to do with that otherwise you couldn't login into any site if you were using anti-keylogger. This is a very old trick of getting login info. That's why I use bookmarks or URL's from password managers. This plus DNS is my solution.
 
  • Applause
Reactions: Azure

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
Nope because basically you are giving the right info to the bad guys. The anti-keylogger has nothing to do with that otherwise you couldn't login into any site if you were using anti-keylogger. This is a very old trick of getting login info. That's why I use bookmarks or URL's from password managers. This plus DNS is my solution.
thanks
 

n8chavez

Level 18
Well-known
Feb 26, 2021
850
It sounds like the creator of Keepass was right, despite his callousness. Users really do need to secure their systems. Anti-execution software, alternative DNS filtering and, most importantly, common sense are very important.
 
  • Like
Reactions: Azure

enaph

Level 29
Verified
Honorary Member
Top Poster
Well-known
Jun 14, 2011
1,800
It sounds like the creator of Keepass was right, despite his callousness. Users really do need to secure their systems. Anti-execution software, alternative DNS filtering and, most importantly, common sense are very important.
In this case simple adblocker can easily protect users from this kind of harmful ads.
 

n8chavez

Level 18
Well-known
Feb 26, 2021
850
In this case simple adblocker can easily protect users from this kind of harmful ads.

Right. But I meant more of in a general sense. There's a script that can be run that'll export all your keepass passwords to an unencrypted file. Exploits like that, or this birtwarden one, can be mitigated in large part by common sense. Those that cannot, some sort of anti-executable may be in order. In that way, the creator of keepass was right.
 

TairikuOkami

Level 36
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,529
The page at 'bitwardenlogin.com' was an exact replica of the legitimate BitWarden Web Vault Login page, as seen below....
...In our tests, the phishing page will accept credentials and, once submitted, redirect users to the legitimate Bitwarden login page...
Does not pretty much any PW allow to autofill only on a legitimate domain? Unless a script runs the legitimate domain in an iframe and then copies the credentials from there?
So in this case using PW rather then typing the credentials yourself could have actually prevented phishing? And those who type such a sensitive info surely check the certificate?!
 

Thales

Level 15
Verified
Top Poster
Well-known
Nov 26, 2017
708
Does not pretty much any PW allow to autofill only on a legitimate domain? Unless a script runs the legitimate domain in an iframe and then copies the credentials from there?
So in this case using PW rather then typing the credentials yourself could have actually prevented phishing? And those who type such a sensitive info surely check the certificate?!
Sorry for the late reply.
Yes you are right. However, if the extension in the browser does not work properly (which can happen), then the user has to manually enter the data. When I used an extension, I wasn't afraid of such attacks, because the situation you described was in place
This is a type of attack that only works in certain cases, but it is still quite common unfortunately.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top