Bitwarden users raise alarm over 'highly convincing' Google malvertising risks
The volume of fake ads impersonating popular software has increased significantly in recent months
Bitwarden customers have raised concerns that malicious Google ads were being used to target users with malware-laden websites and dupe them into divulging login details.
Rumblings of fake Bitwarden ads first emerged on the company’s official forum earlier this week, with one user revealing they had encountered a malicious website promoted on the search engine.
The site attempted to impersonate the official Web Vault login feature for the password manager.
Prashant Gonga, the user that first highlighted the issue, said they reported the ad with the domain registrar and called on the Bitwarden compliance team to investigate the problem.
“The phishing page is very similar to the vault login page, along with an SSL certificate and similar-sounding domain name to make it look legit,” they said.
“I hope Bitwarden can take down this domain before someone gets their account compromised.”
Users on the Bitwarden subreddit also flagged the issue in two separate posts, with some noting that the fake and legitimate websites were virtually indistinguishable.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
“God damn. In situations like this, how can I detect the fake one? This is truly scary,” one post on the subreddit said.
Another post issued a warning to users and advised them to report the malicious link to Google.
While the fake website highlighted by users appears to have been taken down at this stage, this follows similar instances of threat actors using malicious ads to target password manager customers.
Just this week, security researchers discovered that Google results for another popular password manager, 1Password, were showing malicious ads. The issue prompted the company to issue a warning to users via social media urging them to remain vigilant and avoid clicking dubious links.
“It’s come to our attention that some websites are posing as 1Password,” the company said. “Remember to act cautiously when clicking links and sharing credentials or personal information online. Ensure that any link directs you to our website.”
Growing malvertising risks
The issue of malvertising, whereby malicious software or links are disguised as legitimate ads, has been thrust firmly into the spotlight in recent weeks.
Earlier this month, cryptocurrency influencer ‘NFT God’ revealed on Twitter that they mistakenly downloaded a malicious link for streaming software OBS.
After attempting to download the software via a malicious link on the website, the victim’s Substack and Twitter accounts were hacked and their NFT wallet was stolen.
The scale of this issue was further highlighted by security researcher, Will Dormann, who revealed that the fake OBS promotion was just one of a number of malicious ads present on Google at the time.
Security experts at the time questioned why Google couldn't screen links in paid advertisements in the Virus Total platform owned by the tech giant.
Asked about its plans to rectify the persistent issue and the idea of running links through Virus Total, Google declined to provide comment on the matter to IT Pro.
Since the case of malvertising involving OBS was raised, Dormann continued to highlight the issue affecting numerous other popular applications used by consumers and businesses alike.
Research from HP Wolf Security Threat Research Team found that malvertising campaigns have consistently grown in both volume and sophistication. Popular software such as Audacity, Microsoft Teams, Discord, and Adobe Creative Cloud have all been mimicked in recent months to dupe users.
David Emm, Principal Security Researcher at Kaspersky urged web users to be cautious when looking at search results amidst the rising issue of malvertising.
“Those using the web to search for products and services should educate themselves about the potential dangers of clicking on random links,” he said.
“In particular, they should be cautious when looking at search results and avoid blindingly clicking on links without checking first. It’s not always easy to tell legitimate from fake ads.
“That’s why it’s important not to click blind on popup ads. It’s much better to type in the address of the vendor yourself – to avoid being redirected to a fake site – and look there for the offers they have.”
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.