Fake Bitwarden ads on Facebook push info-stealing Chrome extension

November 18, 2024 at 12:14PM

Fake Bitwarden ads on Facebook promote a malicious Chrome extension that steals user data. This phishing campaign, identified by Bitdefender Labs, uses deceptive tactics to mimic the Chrome Web Store. Users are advised to ignore update prompts and only install extensions from trusted sources to avoid risks.

### Key Takeaways:

1. **Malicious Campaign Overview**:
– Bitdefender Labs reported a new malvertising campaign impersonating the Bitwarden password manager, launched on November 3, 2024.

2. **Fake Advertisements**:
– Facebook ads are falsely warning users about outdated Bitwarden versions, prompting immediate updates through a malicious link.
– The deceptive link (chromewebstoredownload[.]com) mimics Google’s official Chrome Web Store.

3. **Malicious Installation Process**:
– Users are directed to download a ZIP file instead of installing directly from the web store, which should raise red flags.
– The installation process requires enabling ‘Developer Mode’ on Chrome, bypassing standard security checks.

4. **Threat Capabilities**:
– Once installed, the fake extension masquerades as ‘Bitwarden Password Manager’ version 0.0.1 and has permissions to:
  – Collect Facebook cookies, including user IDs.
  – Gather IP and geolocation data.
  – Access Facebook user details and billing information via the Graph API.
  – Manipulate the browser DOM for deceptive purposes.
  – Encode and transmit sensitive data to an attacker-controlled URL.

5. **User Recommendations**:
– Bitwarden users should ignore any ads suggesting extension updates.
– Always download extensions directly from the official Chrome Web Store or via links from the official Bitwarden website (bitwarden.com).
– When installing any new extension, carefully check the permissions it requests and be cautious of overly aggressive ones.
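
One way to carry out the permission check recommended above on an unpacked extension's `manifest.json` before loading it. This is an added example, not code from Bitdefender or Bitwarden; `audit_manifest`, the risk lists and the sample manifest are constructed for illustration, and only the extension name and version come from the report.

```python
import json

# API permissions that expose cookies, page content or browsing activity.
RISKY_PERMISSIONS = {"cookies", "webRequest", "scripting", "tabs", "debugger"}
# Match patterns that cover every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _sensitive(pattern, domains):
    return pattern in BROAD_HOSTS or any(d in pattern for d in domains)


def audit_manifest(manifest_text, sensitive_domains=("facebook.com",)):
    """Return human-readable findings for one extension manifest.json."""
    manifest = json.loads(manifest_text)
    declared = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    api_perms = {p for p in declared if "/" not in p and p != "<all_urls>"}
    hosts = (set(declared) - api_perms) | set(manifest.get("host_permissions", []))
    granted = sorted(h for h in hosts if _sensitive(h, sensitive_domains))

    findings = [f"risky API permission: {p}" for p in sorted(api_perms & RISKY_PERMISSIONS)]
    findings += [f"host access: {h}" for h in granted]
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if _sensitive(pattern, sensitive_domains):
                findings.append(f"content script can alter pages on: {pattern}")
    # chrome.cookies only works on hosts the extension also has host access to.
    if "cookies" in api_perms and granted:
        findings.append("cookies readable for: " + ", ".join(granted))
    return findings


# Constructed sample: only the name and version come from the report above.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Bitwarden Password Manager",
    "version": "0.0.1",
    "permissions": ["cookies", "storage", "scripting"],
    "host_permissions": ["https://*.facebook.com/*", "<all_urls>"],
    "content_scripts": [{"matches": ["https://*.facebook.com/*"], "js": ["content.js"]}],
})

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("-", finding)
```

An empty result does not make an extension safe; it only means none of these specific patterns appeared in the manifest.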

Sharing this information helps users protect themselves from malicious threats posing as legitimate software updates.
