Thursday September 19, 2024

Advisory ID: NCC-CSIRT-3101-009 

Summary:  Bitwarden and other password managers (software applications used to store and manage the passwords a user has for various online accounts and security features; they provide secure access to all of the password information with the help of a master password) are being targeted in Google ads phishing campaigns that steal users' password vault credentials through phishing Web pages.

Vulnerable Platform(s):  Operating Systems

Threat Type:  

  • Phishing
  • Malware

Product :   Mobile Applications and Websites

Version:   All Versions

Description:  As consumers move to using a unique password at every site, password managers have become essential for keeping track of them all. These passwords are stored in the cloud in "password vaults" that hold the data in encrypted form, usually encrypted with the user's master password. Threat actors have been spotted creating phishing Web pages that use advanced adversary-in-the-middle (AiTM) phishing techniques: specialized toolkits such as Evilginx2, Modlishka, and Muraena produce phishing landing pages that proxy to the legitimate login form of the targeted service. With this method, visitors to the phishing Web page see the real service's login form, for example Microsoft 365's. When they enter their credentials and MFA (Multi-Factor Authentication, an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application or online account) verification codes, that information is relayed to the actual site. Once the user is logged in and the legitimate site issues the MFA-backed session cookie, the phishing toolkit steals that token for later use. Because the token has already been verified via MFA, it lets the threat actors log in to the account without going through MFA again.
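As an added illustration that is not part of this advisory, the following Python detection logic shows what the consequence described above looks like on the service side: an MFA-verified session cookie later presented by a different client, which is the pattern a token captured by an AiTM proxy and replayed by the attacker produces. The log format, field layout and log lines are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample log (not real data). Fields are pipe-separated:
# timestamp | session id | client IP | user agent | event
SAMPLE_LOG = """\
2024-09-19T08:00:00Z|sess-a1|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Firefox/130.0|login_mfa_ok
2024-09-19T08:00:40Z|sess-a1|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Firefox/130.0|vault_sync
2024-09-19T08:03:12Z|sess-a1|198.51.100.77|python-requests/2.32|vault_export
2024-09-19T09:10:00Z|sess-b2|192.0.2.25|Mozilla/5.0 (Linux; Android 14) Chrome/128.0|login_mfa_ok
2024-09-19T09:30:00Z|sess-b2|192.0.2.25|Mozilla/5.0 (Linux; Android 14) Chrome/128.0|vault_sync
"""


def parse_log(text):
    """Turn the pipe-separated lines into dicts with a parsed UTC timestamp."""
    events = []
    for line in text.splitlines():
        ts, sid, ip, ua, event = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "session": sid, "ip": ip, "ua": ua, "event": event,
        })
    return events


def detect_session_reuse(events, window=timedelta(hours=1)):
    """Flag a session whose cookie is later presented by a client that differs
    (IP or user agent) from the one that passed MFA, within `window` of login.
    That is the shape of a session token stolen by an AiTM proxy and replayed."""
    login_client = {}   # session id -> (login time, ip, ua) of the MFA-verified login
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        if ev["event"] == "login_mfa_ok":
            login_client[sid] = (ev["ts"], ev["ip"], ev["ua"])
            continue
        if sid not in login_client:
            continue
        t0, ip0, ua0 = login_client[sid]
        if ev["ts"] - t0 <= window and (ev["ip"] != ip0 or ev["ua"] != ua0):
            alerts.append({"session": sid, "login_ip": ip0, "seen_ip": ev["ip"],
                           "seen_ua": ev["ua"], "event": ev["event"]})
    return alerts


if __name__ == "__main__":
    for a in detect_session_reuse(parse_log(SAMPLE_LOG)):
        print(f"ALERT {a['session']}: {a['event']} from {a['seen_ip']} "
              f"({a['seen_ua']}); MFA login was from {a['login_ip']}")
```

Mobile users change IP addresses legitimately, so in production this check is usually paired with ASN or geolocation and a tighter rule for sensitive actions such as a vault export.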

Consequences:  Threat actors may gain full access to the victim's password vault, login credentials, and authentication cookies.

Impact/Probability: HIGH/HIGH

Solution:
  • Always confirm that you are entering your credentials on a legitimate website or mobile app.
  • Make sure that you configure multi-factor authentication with your password manager.
  • How to spot a fake/illegitimate website: check the domain name closely, look for poor spelling and design issues, look for the padlock, check download counts and reviews, scrutinize payment options, run a virus scan, etc.

References:

https://www.bleepingcomputer.com/news/security/bitwarden-password-vaults-targeted-in-google-ads-phishing-attack/
https://informationsecuritybuzz.com/bitwarden-password-vaults-subject-google-ads-phishing/
https://www.ghacks.net/2023/01/30/bitwarden-password-manager-users-are-being-targeted-by-phishing-ads-on-google/