Fake Facebook ads lead to a fake version of the popular password manager

social networks, 19.11.2024, 11:30 AM

Behind the fake ads for the Bitwarden password manager on Facebook is a Google Chrome extension that collects and steals sensitive user data from the browser. Attackers use Facebook’s platform to display ads that lead to their site.

Bitwarden is a popular password manager app with cross-platform support, end-to-end encryption and MFA integration.

Bitdefender Labs warns of a Facebook ad campaign launched on November 3 targeting Facebook users aged 18 to 65 across Europe.

The attack begins with a Facebook ad warning users that their passwords are at risk because they are “using an outdated version of Bitwarden” and that they need to update the Bitwarden Chrome extension immediately to protect their passwords. The link in the ad, which points to “chromewebstoredownload(.)com”, purports to lead to Google’s official Chrome Web Store. The landing page closely resembles the Chrome Web Store, including the “Add to Chrome” button. However, clicking “Add to Chrome” does not install the extension automatically; instead, the user is prompted to download a ZIP file from a Google Drive folder.

While this should be a clear red flag, users unfamiliar with the Chrome Web Store may still proceed with the installation by following the instructions on the website.

Installation requires enabling “Developer Mode” in Chrome settings and manually loading the extension (sideloading), which bypasses the browser’s security checks.

The installed extension, “Bitwarden Password Manager” version 0.0.1, has permissions that allow it to collect Facebook cookies (especially the “c_user” cookie, which contains the user ID), IP and geolocation data, Facebook account information and payment data via Facebook’s Graph API (“me”).

Bitwarden users are advised to ignore such social media ads asking for an update, as Chrome extensions are automatically updated when the manufacturer releases a new version. Extensions should only be installed via Google’s official web store or by clicking a link on the manufacturer’s official website, in this case, bitwarden.com. Before installing or updating, always review the permissions requested by the extension.
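The permission review recommended above can be done on a downloaded extension archive before anything is loaded into the browser. The following is an added example, not code from the article or from Bitdefender: it reads every manifest.json in a ZIP and flags cookie access combined with Facebook or all-site host patterns. The function names, the list of flagged permissions and the sample manifest are assumptions constructed for illustration.

```python
import io
import json
import zipfile

# Assumed review policy (not from the article): API permissions worth a second look.
RISKY_API = {"cookies", "webRequest", "tabs", "scripting", "history"}
WATCHED_HOSTS = ("facebook.com",)  # the site the article says was targeted
BROAD = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json."""
    declared = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    perms = [p for p in declared if isinstance(p, str)]
    hosts = [h for h in manifest.get("host_permissions", []) if isinstance(h, str)]  # MV3
    # Manifest V2 mixes host match patterns into "permissions".
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    findings = [f"api:{p}" for p in perms if p in RISKY_API]
    for h in hosts:
        if h in BROAD:
            findings.append(f"host-broad:{h}")
        elif any(w in h for w in WATCHED_HOSTS):
            findings.append(f"host:{h}")
    # Cookie API plus a matching host pattern means session cookies are readable.
    if "cookies" in perms and any(f.startswith("host") for f in findings):
        findings.append("cookies+host")
    return findings

def audit_zip(data):
    """Audit every manifest.json inside a ZIP archive supplied as bytes."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] == "manifest.json":
                manifest = json.loads(zf.read(name).decode("utf-8-sig"))
                results[name] = audit_manifest(manifest)
    return results

def sample_zip():
    """Constructed archive for the demo; not the manifest of the real sample."""
    manifest = {"manifest_version": 3, "name": "Example Password Manager",
                "version": "0.0.1", "permissions": ["cookies", "storage"],
                "host_permissions": ["https://*.facebook.com/*"]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ext/manifest.json", json.dumps(manifest))
    return buf.getvalue()

if __name__ == "__main__":
    for path, findings in audit_zip(sample_zip()).items():
        print(path, findings or "no findings")
```

A password manager has no reason to hold cookie access scoped to Facebook, so any "cookies+host" finding on such an archive is grounds to stop before sideloading.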

Source: www.informacija.rs