In order to steal users’ password vault credentials, phishing campaigns on Google ads are targeting Bitwarden and other password managers.
The advertised website is a forgery of the genuine article. And it was done expertly. It looks exactly like the real thing and could easily fool anyone. Those who followed the link in the Google Search result were taken to bitwardenlogin.com. That may appear legitimate at first glance. The authentic URL, on the other hand, is bitwarden.com, and the login page URL is vault.bitwarden.com.
Bitwarden informed users about the risk on its Reddit page. “Typing Bitwarden manually into a search engine each time increases your chances of falling prey to a phishing attempt due to spelling errors or malicious domains (with similar names),” a moderator wrote.
This phishing site was meticulously designed to look exactly like Bitwarden’s actual Web Vault login page. BleepingComputer discovered that the site did accept user credentials, but that once submitted, it would redirect them to Bitwarden’s official login page. To compound matters, the phishing site attempted to steal MFA-backed session cookies or authentication tokens in order to gain full access to a Bitwarden user’s password vault.
MalwareHunterTeam recently discovered that criminals were using fake Google ads to target 1Password users, so Bitwarden isn’t the only password manager being targeted by fake ads.
The sources for this piece include an article in BleepingComputer.