Convincing, Malicious Google Ads Look to Lift Password Manager Logins

Several users of Bitwarden’s password management technology last week reported seeing paid ads to credential-stealing phishing sites when they used Google to search for the official Web vault login page for the vendor.

Google says addressing the problem is a top priority.

The posts about the problem, on Bitwarden’s community forum and on Reddit, prompted the vendor to warn its users about the threat and urge them to bookmark the correct URL for the Web vault.

“Sometimes imposters will try and grab your attention if you use a search engine. Stay safe and secure,” Bitwarden said in an official tweet.

Password Vault Phishing: A Growing Threat

The vendor’s warning echoed one from 1Password last week that referenced the same threat to users of the company’s password manager. “It’s come to our attention that some websites are posing as 1Password,” the vendor said. “Ensure that any link directs you to our website.”

The malicious ads targeting users of Bitwarden and 1Password continue a string of recent attacks on password managers. In December, for instance, LastPass, among the larger vendors in this space, disclosed a breach in which attackers accessed a backup copy of customer vault data, including usernames, passwords, and form-filled data. The December attack followed one from last August, where threat actors gained access to the company’s source code. In another incident that came to light in January, attackers broke into systems at Norton LifeLock and accessed customer information that may have included passwords stored in Norton Password Manager.

Google Ads: A New Tactic

The malicious advertisements targeting Bitwarden and 1Password customers suggest that threat actors have added another tactic to break into password managers and compromise accounts associated with those passwords.

The malicious ads that users of Bitwarden and 1Password reported last week surfaced high in Google’s search engine results when the users searched for “bitwarden password manager,” for instance, or for 1Password’s Web vault. And the landing pages are high quality: One Bitwarden user reported finding a phishing website that impersonated the vendor’s official Web vault so well that it was hard to tell the difference.

“The phishing page is very similar to the vault login page, along with an SSL cert and similar-sounding domain name, to make it look legit,” the user posted on Bitwarden’s community forum. “I hope Bitwarden can take down this domain before someone gets their account compromised.”

Another user on Bitwarden’s subreddit page posted a screenshot comparing Bitwarden’s official Web vault page with the phishing page. “God damn. In situations like this, how can I detect the fake one? This is truly scary,” the user lamented, referring to just how closely the phishing page resembled the original one.
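
One way to tell the two pages apart is to ignore how the page looks and compare only the link's hostname with the bookmarked one. The following is an added example, not part of the original article; the official host value, the brand list and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this example: replace with the hosts the vendor publishes
# and that you have bookmarked.
OFFICIAL_HOSTS = {"vault.bitwarden.com"}
BRANDS = ("bitwarden",)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a link's destination."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    # Only an exact hostname match counts. HTTPS and a familiar-looking page
    # prove nothing: the reported phishing page had a certificate too.
    if host in OFFICIAL_HOSTS:
        return "official"
    # Text before '@' is userinfo, not the destination, but it is displayed
    # first and can carry the real brand name, so inspect it as well.
    labels = host.split(".") + (parts.username or "").lower().split(".")
    for label in labels:
        for piece in [label] + label.split("-"):
            for brand in BRANDS:
                if brand in piece or edit_distance(piece, brand) <= 2:
                    return "lookalike"
    return "unrelated"


# Constructed sample URLs (the .example hosts are not real sites).
SAMPLES = [
    "https://vault.bitwarden.com/#/login",
    "https://vault.bitwarden-login.example/",
    "https://vault.bitvvarden.example/#/login",
    "https://vault.bitwarden.com@login.example/",
    "https://www.example.org/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{classify(u):10} {u}")
```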

The Growing Malvertising Menace

The paid Google Ads targeting users of password managers have also highlighted what many have described as the growing problem of malvertisements (that is, malicious advertisements) in Google search results and elsewhere on the Web. Last October, CrowdStrike described a relatively new malvertising attack technique where a threat actor injects malicious code into digital ads that are then served to online users via legitimate advertising networks.

Attackers have been using the vector to deliver a wide range of malware, or links to malware-laden websites or to phishing sites for stealing credentials and other sensitive data. More recently, they have begun using such ads to impersonate widely used and popular brands. Recent examples include ads impersonating OBS live-streaming software, Blender 3D software, VirtualBox, CCleaner, and WinRAR. In one widely quoted example in January, an NFT influencer using the alias NFT God reported losing all his cryptocurrency and digital assets after a threat actor gained access to his accounts via a booby-trapped Google Ad for OBS.

Concerns over the growing threat prompted the FBI to issue an advisory last December about threat actors impersonating brands using advertisements in search results.

In an emailed statement to Dark Reading, a Google spokesperson acknowledged the growing nature of the problem and said that one of the company’s top priorities currently is to address it. “Bad actors often employ sophisticated measures to conceal their identities and evade our policies and enforcement,” the statement noted.

To combat it, Google has launched new certification policies and advertiser verification processes. The company has also bolstered its ability to detect and prevent coordinated malvertising scams, the spokesperson said.

Such efforts resulted in Google removing 3.4 billion ads and restricting some 5.7 billion others in 2021. The company also suspended about 5.6 million advertiser accounts that same year. At the same time, the growing sophistication and scale of threat actor operations around malvertising have made curbing the problem a challenge for the company.

“We are aware of the recent uptick in malware campaigns. Addressing it is a critical priority and we are working to resolve these incidents as quickly as possible,” the spokesperson said.
