Professionals have issued a warning that a number of well-known password managers, including Bitwarden, have been faked in recent phishing attacks.

When users searched for “bitwarden password manager,” a highly convincing replica of the actual Bitwarden website with the url “bitwardenlogin.com” popped up as the top Google Ads search result.

The domain displayed in the advertisement was “appbitwarden.com,” which has luckily vanished from Google’s search results and appears to have been shut down.

Phishing through Google Ads

Users on Reddit and the official Bitwarden forums reported seeing the phishing ad earlier this week, expressing alarm over the striking similarity between the bogus website and url and the actual one.

An SSL (Secure Sockets Layer) certificate, which provides an encrypted connection and is typically seen as an indication of a safe and trustworthy website, was also spotted on the phoney page by one user.

In order to test the legitimacy of the bogus website, we logged into a phoney Bitwarden account and supplied fraudulent credentials to see what would happen.

The phishing site was taken down before it could test what would have occurred if actual credentials had been used on it, especially if it would have “attempted to collect MFA-backed session cookies (authentication tokens) like many sophisticated phishing pages.”

This is a reference to adversary-in-the-middle (AiTM) phishing attempts, which include the use of proxies to forward the MFA prompt from the legitimate website back to the phishing site, which then forwards it to the user through proxies. This is performed once again when entering the MFA code itself, and neither side is any the wiser that their authentication is being monitored.

The legitimate site will then keep a “session cookie” on their server, which will hold the user’s authentication details for the duration of their visit. The bad guy gets this cookie so he can fool the victim again without triggering another MFA check.

Recent research discovered that phishing attempts using Google Ads targeted many password managers. MalwareHunterTeam discovered the identical method was used to fake 1Password, another widely used password manager.

In addition to phishing schemes, Google Ads has been misused for other nefarious purposes. According to recent reports, it has been used as a springboard for credential theft and the subsequent intrusion of corporate networks through identity theft.

The announcement comes after a string of assaults on popular password managers like LastPass, one of the most widely used password managers, in which user vaults were stolen and the keys used to encrypt them were not guaranteed to be safe, exposing users’ credentials to potential compromise.

Similarly, a credential stuffing assault compromised the password vaults of Norton LifeLock customers, while a security vulnerability exposed sensitive information in Passwordstate.

Along with being wary of phishing websites, multi-factor authentication (MFA) and strong passwords are the greatest ways to keep your password vaults secure. Considering that you won’t be able to keep this password in the vault, it’s better to use a long, meaningless string of random words that you can easily remember.