A new malvertising campaign is using fake Bitwarden ads on Facebook to spread a malicious Chrome extension that steals sensitive user data.
Bitwarden, a popular password manager, is being impersonated in a new Facebook ad campaign. The campaign targets users with deceptive ads claiming their Bitwarden is outdated and needs an immediate update.
Clicking the ad leads to a fake website mimicking the Chrome Web Store, where users are tricked into downloading a malicious Chrome extension.
Fake Bitwarden Facebook ads scam
Bitwarden, known for its secure, user-friendly password management features, has gained traction over the years. However, this popularity has made it a target for cybercriminals.
According to Bitdefender Labs report, the fake Bitwarden Facebook malvertising campaign is active since November 3, 2024. The fake ads claim users are running an outdated version of Bitwarden and urge them to update immediately for password protection.
How the phishing attack works
When a user clicks on the ad, it redirect users to ‘chromewebstoredownload[.]com‘, a fraudulent page mimicking Google’s Chrome Web Store. Instead of offering a direct installation, the site prompts users to download a ZIP file from a Google Drive folder.
The campaign takes advantage of users’ unfamiliarity with the Chrome extension installation process. It instructs them to enable Chrome’s “Developer Mode” and manually sideload the extension, bypassing standard security checks.
Once installed, the extension appears as “Bitwarden Password Manager” version 0.0.1 and secures permissions to intercept and manipulate browser activity.
Malicious activities of the fake extension
The extension’s primary functions include:
- Stealing Facebook cookies like the ‘c_user’ cookie containing user IDs.
- Tracking IP and geolocation data via public APIs.
- Harvesting Facebook user details, account information, and billing data through the Graph API.
- Injecting fake loading messages to create an illusion of legitimacy.
- Encoding and transmitting stolen data to an attacker-controlled Google Script URL.
How to beware of such scams?
To stay safe, users should ignore ads for extension updates, as legitimate updates occur automatically from the Chrome Web Store. Also, always download extensions from the official Chrome Web Store by checking the reviews and ratings.
By remaining vigilant, users can avoid becoming victims of these scams and protect their sensitive information from cybercriminals.
Chandramohan Rajput is the Senior Editor of Extension Garden, where he has been covering Chrome extensions, tech news, and in-depth how-tos since 2019. When he's not exploring new tech, you can find him playing cricket or immersed in Counter-Strike 2.
