Users searching for Bitwarden and 1Password's Web vaults on Google have recently reported seeing paid ads with links to cleverly spoofed sites for stealing credentials to their password vaults.

4 Min Read
malvertising concept. Cyber criminal using laptop and smartphone
Source: Bits And Splits via Shutterstock

Several users of Bitwarden's password management technology last week reported seeing paid ads to credential stealing phishing sites when they used Google to search for the official Web vault login page for the vendor.

Google says addressing the problem is a top priority.

The posts about the problem, on Bitwarden's community forum and on Reddit, prompted the vendor to warn its users about the threat and urge them to bookmark the correct URL for the Web vault. 

"Sometimes imposters will try and grab your attention if you use a search engine. Stay safe and secure," Bitwarden said in an official tweet.

Password Vault Phishing: A Growing Threat

The vendor's warning echoed one from 1Password last week that referenced the same threat to users of the company's password manager. "It's come to our attention that some websites are posing as 1Password," the vendor said. "Ensure that any link directs you to our website." 

The malicious ads targeting users of Bitwarden and 1Password continue a string of recent attacks on password managers. In December, for instance, LastPass, among the larger vendors in this space, disclosed a breach in which attackers accessed a backup copy of customer vault data, including usernames, passwords, and form-filled data. The December attack followed one from last August, where threat actors gained access to the company's source code. In another incident that came to light in January, attackers broke into systems at Norton LifeLock and accessed customer information that may have included passwords stored in Norton Password Manager.

Google Ads: A New Tactic 

The malicious advertisements targeting Bitwarden and 1Password customers suggest that threat actors have added another tactic to break into password managers and compromise accounts associated with those passwords.

The malicious ads that users of Bitwarden and 1Password reported last week surfaced high on top of Google's search engine results when the users searched for "bitwarden password manager," for instance, or for 1Password's Web vault. And the landing pages are high quality: One Bitwarden user reported finding a phishing website that impersonated the vendor's official Web vault so well that it was hard to tell the difference. 

"The phishing page is very similar to the vault login page, along with an SSL cert and similar sounding domain name, to make it look legit," the user posted on Bitwarden's community forum. "I hope Bitwarden can take down this domain before someone gets their account compromised."

Another user on Bitwarden's subreddit page posted a screen shot comparing Bitwarden's official Web vault page with the phishing page. "God damn. In situations like this, how can I detect the fake one? This is truly scary," the user lamented, referring to just how identical the phishing page looked compared with the original one.

The Growing Malvertising Menace

The paid Google Ads targeting users of password managers have also highlighted what many have described as the growing problem of malvertisements — that is, malicious advertisements — in Google search results and elsewhere on the Web. Last October, CrowdStrike described a relatively new attack malvertising technique where a threat actor injects malicious code into digital ads that are then served to online users via legitimate advertising networks.

Attackers have been using the vector to deliver a wide range of malware or links to websites laden with malware or phishing sites for stealing credentials and other sensitive data. More recently, they have begun using such ads to impersonate widely used and popular brands. Recent examples include ads impersonating OBS live-streaming software, Bender3D software, VirtualBox, Ccleaner, and WinRAR. In one widely quoted example in January, an NFT influencer using the alias NFT God reported losing all his cryptocurrency and digital assets after a threat actor gained access to his accounts via a booby-trapped Google Ad for OBS.

Concerns over the growing threat prompted the FBI to issue an advisory last December about threat actors impersonating brands using advertisements in search results. 

In an emailed statement to Dark Reading, a Google spokesperson acknowledged the growing nature of the problem and said that one of the company's top priorities currently is to address it. "Bad actors often employ sophisticated measures to conceal their identities and evade our policies and enforcement," the statement noted.

To combat it, Google has launched new certification policies and advertiser verification processes. The company has also bolstered its ability to detect and prevent coordinated malvertising scams, the spokesperson said.

Such efforts resulted in Google removing 3.4 billion ads and restricting some 5.7 billion others in 2021. The company also suspended about 5.6 million advertiser accounts that same year. At the same time, the growing sophistication and scale of threat actor operations around malvertising has made curbing the problem a challenge for the company.

"We are aware of the recent uptick in malware campaigns. Addressing it is a critical priority and we are working to resolve these incidents as quickly as possible," the spokesperson said.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights