Bitwarden Users Targeted in Malicious Facebook Ad Campaign
Bitdefender Labs uncovers a sophisticated malvertising campaign spreading malware disguised as a Bitwarden security update.
A new malvertising campaign exploits Facebook’s advertising platform to target Bitwarden users. The campaign uses deceptive ads to trick users into installing a malicious browser extension that impersonates a Bitwarden security update.
The ads, which appear legitimate, warn users that their passwords are at risk and urge them to update their Bitwarden extension immediately. This sense of urgency, combined with the use of Bitwarden branding, makes the ads very convincing.
When users click on the ad, they are taken to a fake webpage that mimics the official Chrome Web Store. If they click “Add to Chrome,” they are redirected to a Google Drive link containing a zip file with the malicious extension.
The attackers then guide users through a process to install the extension, bypassing browser security checks. Once installed, the extension requests extensive permissions, allowing it to intercept and manipulate the user’s online activities.
What the Malware Does
The malware collects a variety of sensitive data, including:
- Facebook user ID and name
- Business accounts and ad account information
- Credit card and billing details associated with ad accounts
- IP and geolocation data
This data is then sent to a Google Script URL, which acts as the command-and-control (C2) server for the attackers.
Who Is at Risk?
This campaign specifically targets consumers aged 18 to 65 across Europe. However, Bitdefender Labs warns that the campaign could expand further and affect users worldwide.
How to Protect Yourself
Bitdefender Labs recommends that users be wary of any ads that urge them to update their software, even if they appear to come from a trusted source. Users should also make sure that they only download software from official websites and app stores.
If you think you may have installed this malicious extension, you should remove it from your browser immediately and change your passwords. You should also report the ad to Facebook.
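One way to check a Chrome profile for the scenario above, added here as an example and not taken from Bitdefender's report: it lists extensions that were loaded from a local folder rather than installed from the Chrome Web Store, along with the broad permissions each one requests. The Preferences layout (extensions.settings, with location value 4 meaning loaded unpacked), the set of permissions counted as broad, and the sample profile are all assumptions; verify them against your Chrome version.

```python
import json
import os
import tempfile

# Assumption: Chrome's Preferences JSON keeps extensions under
# extensions.settings; location 4 = loaded unpacked from the folder in "path".
UNPACKED = 4
# Assumption: the grants this audit treats as "extensive".
BROAD = {"cookies", "webRequest", "scripting", "tabs", "debugger", "proxy",
         "<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def broad_grants(manifest):
    """Return the broad permissions and host patterns a manifest requests."""
    asked = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        asked.update(p for p in manifest.get(key, []) if isinstance(p, str))
    for script in manifest.get("content_scripts", []):
        asked.update(script.get("matches", []))
    return sorted(asked & BROAD)

def audit(prefs):
    """List unpacked extensions in a parsed Preferences dict, riskiest first."""
    findings = []
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        if entry.get("location") != UNPACKED:
            continue
        path = entry.get("path", "")
        try:
            with open(os.path.join(path, "manifest.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            manifest = {}  # folder gone or manifest unreadable: still report it
        findings.append({"id": ext_id, "path": path,
                         "name": manifest.get("name", "<unreadable>"),
                         "broad": broad_grants(manifest)})
    return sorted(findings, key=lambda f: len(f["broad"]), reverse=True)

def demo():
    """Audit a constructed profile: one store install, one unpacked extension."""
    ext_dir = tempfile.mkdtemp()
    with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "Constructed Sample", "manifest_version": 3,
                   "permissions": ["cookies", "storage", "webRequest"],
                   "host_permissions": ["<all_urls>"]}, fh)
    settings = {"a" * 32: {"location": 1, "path": "a" * 32 + "/1.0_0"},
                "b" * 32: {"location": UNPACKED, "path": ext_dir}}
    return audit({"extensions": {"settings": settings}})

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

To audit a real profile, load its Preferences (or Secure Preferences) file with json.load and pass the result to audit(). Any unpacked entry you did not load yourself deserves a closer look.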