Fake Bitwarden ads on Facebook push info-stealing Chrome extension

[Gandalf_The_Grey]

Content source

https://www.bleepingcomputer.com/news/security/fake-bitwarden-ads-on-facebook-push-info-stealing-chrome-extension/

Fake Bitwarden password manager advertisements on Facebook are pushing a malicious Google Chrome extension that collects and steals sensitive user data from the browser.

Bitwarden is a popular password manager app with a "free" tier featuring end-to-end encryption, cross-platform support, MFA integration, and a user-friendly interface.

Its user base has been growing steadily in the past couple of years, especially following security breaches of competitors that led many to look for alternatives.

A new malvertising campaign impersonating Bitwarden was spotted by Bitdefender Labs, whose researchers report that the operation launched on November 3, 2024.

Inside Bitdefender Labs’ Investigation of a Malicious Facebook Ad Campaign Targeting Bitwarden Users

Throughout 2024, Bitdefender Labs has been closely monitoring a series of malvertising campaigns that exploit popular platforms to spread malware.

www.bitdefender.com

Fake Bitwarden ads on Facebook push info-stealing Chrome extension

Fake Bitwarden password manager advertisements on Facebook are pushing a malicious Google Chrome extension that collects and steals sensitive user data from the browser.

www.bleepingcomputer.com

 

[oldschool]

A perfect example of why not using a password manager is a good idea. More extensions, more attack surface. Use only trusted extensions you absolutely need. Less is more.

 

[Thales]

A perfect example of why not using a password manager is a good idea. More extensions, more attack surface. Use only trusted extensions you absolutely need. Less is more.

Agreed!
Also using good dns is another solution or layer.

 

[TairikuOkami]

More extensions, more attack surface.

True, but a password manager can prevent auto-filling the password on a phishing webpage, then again auto-filling in an iframe might help to steal the password?! I give up.

Attackers guide users through a process to install the extension by:

• Unzipping the file
• Going to their browser’s extension settings via chrome://extensions
• Enabling Developer Mode
• Manually loading the unpacked extension (sideloading).

Yeah, I see nothing suspicious about that process. I guess most people would just give up, because it is not click to install.

Also using good dns is another solution or layer.

Good thing I have Google dedicated browser.

 

[oldschool]

True, but a password manager can prevent auto-filling the password on a phishing webpage, then again auto-filling in an iframe might help to steal the password?!

Users can keep unimportant passwords in browser's password manager, and then enable "Fill passwords on account selection" flag. Use the little black book for important passwords and manually input.