Hackers are using fake Google ads to steal Bitwarden password vaults — how to stay safe
Fake ads lead to a phishing site impersonating Bitwarden’s web vault login page
Hackers are once again abusing Google Ads to take unsuspecting users to phishing sites but this time, they have their sights set on Bitwarden and other password managers.
With one of the best password managers, you can securely store all of your login credentials in one place and even generate new, strong and complex passwords using their built-in password generators. However, with all of that sensitive data in one place, this makes password managers the perfect target for cybercriminals.
Besides KeePass which stores your passwords locally, most password managers are cloud-based so that you can access your passwords through their websites or mobile apps. Bitwarden and other password managers store your passwords in a password vault where they are encrypted and you need to use your master password to unencrypt them.
Now though, it appears that hackers are using fake ads on Google Search to lead Bitwarden users to convincing-looking phishing sites with the aim of stealing their password vaults.
Why you shouldn’t click on the first results in Google Search
According to a new report from BleepingComputer, Bitwarden users began seeing an ad with the title “Bitward - Password Manager” in Google’s search results when looking for “bitwarden password manager” earlier this week.
They then took to both Reddit and the Bitwarden forums in an attempt to warn others. While some could easily spot that the ad led to a phishing site due to the fact that the domain was “appbitwarden.com” instead of just “bitwarden.com”, many users did end up clicking on it. Doing so redirected them to the site “bitwardenlogin.com”.
This phishing site was carefully designed to look like an exact replica of Bitwarden’s actual Web Vault login page. In its testing, BleepingComputer found that the site did accept user credentials but once they were submitted, it would redirect them to Bitwarden’s official login page. To make matters worse, the phishing site also tried to steal MFA-backed session cookies or authentication tokens to gain full access to a Bitwarden user’s password vault.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
Bitwarden isn’t the only password manager being targeted by fake ads though, as MalwareHunterTeam recently discovered that criminals had turned to fake Google ads to target 1Password users.
Ads are an important part of the online ecosystem and without them, we wouldn’t have Google Search, Gmail, Google Docs or any other of the search giant’s online productivity tools. However, you should think twice before clicking on any ads in a search engine as they could lead to phishing sites. Since anyone can buy an ad online, hackers can as well. While Google has strict security checks on its ads, bad ads do manage to slip through the cracks from time to time.
For this reason, you should always scroll past the first results on Google Search as they are usually ads. Bitwarden and other companies’ actual sites appear further down in the search results. Clicking on the first result you see may seem natural but you could be putting yourself at risk by doing so.
How to protect the credentials stored in your password manager
If you use a password manager, you need to make sure you’re taking additional steps to protect the passwords stored in your vault. The first of which is to enable multi-factor authentication (MFA) so a hacker would need your password and something else to access your account.
One-time, SMS codes may be a popular form of authentication but they’re actually not that secure since an attacker could use sim swapping to hijack your codes. Authentication apps like Google Authenticator are a better method and they aren’t that difficult to use. Meanwhile, physical security keys are the best method for protecting your accounts, but they can be a hassle.
At the same time, you want to be sure you’re using the best antivirus software to protect your PC, the best Mac antivirus software to protect your Mac and the best Android antivirus apps to protect your Android smartphone. For those that are very security conscious and more at risk than others, you may also want to invest in the best identity theft protection as these services can help you recover from fraud as well as get back your identity if it’s stolen online.
Password managers are great, but you may not need one now that Google, Apple, Microsoft and other tech giants are pushing passkeys as an alternative to passwords. However, even then, you need to be careful where you click even if you’re on a legitimate search engine.
Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.