Hackers have found a new way to exploit social media users: targeted Facebook ads that distribute counterfeit versions of popular Chrome password manager extensions such as Bitwarden. The scheme, described in a recent Bitdefender report, centers on misleading advertisements that create urgency, claiming that users need to update their Bitwarden apps to protect themselves from cyber threats.
The malicious ads imply that the viewer uses an outdated version of Bitwarden—a popular password management tool—and encourage them to click through for an important update. Users are redirected to a counterfeit webpage that closely resembles the official Chrome Web Store but is nothing more than a trap designed to install harmful software. The campaign was detected as recently as November 3, 2024, primarily targeting European users.
Facebook ads fueling fake Bitwarden updates: How hackers are stealing your sensitive data
Once users engage with the ad, they are taken through a series of deceptive URLs that lead them to a phishing site mimicking the legitimate Chrome Web Store. Instead of the usual seamless installation process for Chrome extensions, victims find themselves directed to a Google Drive link where they are required to download a ZIP file. The file instructs users to manually install the fake Bitwarden extension in Chrome’s Developer Mode—a risky maneuver akin to granting admin access.
Upon installation, the fake extension begins its nefarious tasks, spying on user activity and capturing personal information. This includes sensitive data such as cookies, IP addresses, Facebook user IDs, passwords, and payment information. With this data, hackers can commit identity theft and launch further attacks on victims’ financial accounts, especially if they have significant Facebook activity.
Bitdefender notes that while abusing legitimate ad networks to distribute malware is not new, its latest findings show a troubling rise in such activity, particularly through social media channels.
The fake ads often induce panic, showcasing alarming messages like “Warning: Your Passwords Are at Risk!” to mislead users into thinking immediate action is necessary. Such strategies exploit common fears surrounding online security, making it crucial for users to recognize the signs of a scam.
Once potential victims land on the fraudulent Chrome Web Store, they’re instructed to download a ZIP file, which, when unpacked, contains the malicious extension. This extension requests extensive permissions, including operating on all websites, modifying network requests, and accessing storage and cookies. Such permissions grant it unfettered access to exfiltrate information from the browser, creating a significant security risk.
As part of its findings, Bitdefender advises users and security teams to be vigilant about browser extensions requesting excessive permissions. Obfuscated code in an extension, including around event handlers such as “chrome.runtime.onInstalled.addListener,” can also be a red flag. Users should verify the authenticity of an update and the legitimacy of ads they encounter on social media to avoid falling victim to these traps.
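The permission set described above (run on all websites, modify network requests, access storage and cookies) is visible in an extension’s manifest.json before it is ever loaded, so a security team can triage a downloaded ZIP without installing it. The following script is an added example, not Bitdefender’s tooling or anything from the report; the sample manifests are constructed to resemble the permission set the article describes and are not the real extension’s manifest, and the risk grouping of permissions is the author’s own.

```python
"""Triage a Chrome extension manifest (Manifest V2 or V3) for the broad
permissions the fake Bitwarden extension is described as requesting.
Added example; the permission groupings below are the author's assumption,
not an official Chrome risk taxonomy."""
import json

# API permissions that let an extension harvest data or alter traffic.
RISKY_PERMISSIONS = {
    "cookies": "read/write cookies on every site it has host access to",
    "storage": "persist harvested data locally",
    "webRequest": "observe network requests",
    "webRequestBlocking": "modify or block network requests (MV2)",
    "declarativeNetRequest": "rewrite network requests by rule (MV3)",
    "scripting": "inject scripts into pages",
    "tabs": "read URLs and titles of open tabs",
    "clipboardRead": "read the clipboard",
}
DATA_PERMS = {"cookies", "storage", "clipboardRead"}
NET_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest"}

# Host patterns that amount to "every website".
BROAD_HOST_PATTERNS = frozenset(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"])


def manifest_findings(manifest: dict) -> list:
    """Return one human-readable finding per risky permission or broad host pattern."""
    findings = []

    def note_host(pattern, where):
        if pattern in BROAD_HOST_PATTERNS:
            findings.append(f"{where}: broad host pattern {pattern}")

    # MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions".
    for entry in manifest.get("permissions", []):
        if entry in BROAD_HOST_PATTERNS:
            note_host(entry, "permissions")
        elif entry in RISKY_PERMISSIONS:
            findings.append(f"permissions: {entry} ({RISKY_PERMISSIONS[entry]})")
    for entry in manifest.get("host_permissions", []):
        note_host(entry, "host_permissions")
    # A content script matched on every URL runs the extension's code in every page.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            note_host(pattern, "content_scripts.matches")
    return findings


def verdict(manifest: dict) -> str:
    """'review' when broad host access is combined with data-harvesting or
    traffic-altering permissions, the combination the article describes; else 'ok'."""
    perms = set(manifest.get("permissions", []))
    broad = any("broad host pattern" in f for f in manifest_findings(manifest))
    return "review" if broad and (perms & DATA_PERMS or perms & NET_PERMS) else "ok"


def triage(manifest_json: str) -> dict:
    """Entry point for a manifest.json pulled out of a downloaded ZIP."""
    manifest = json.loads(manifest_json)
    return {"name": manifest.get("name", "?"),
            "verdict": verdict(manifest),
            "findings": manifest_findings(manifest)}


# Constructed sample resembling the permission set described in the article.
SUSPICIOUS_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "constructed-sample-password-manager-update",
  "version": "1.0.0",
  "permissions": ["cookies", "storage", "webRequest", "declarativeNetRequest", "scripting", "tabs"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]
}""")

# Constructed benign sample: one site, active tab only.
BENIGN_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "constructed-sample-word-counter",
  "version": "0.1",
  "permissions": ["activeTab"],
  "content_scripts": [{"matches": ["https://example.com/*"], "js": ["count.js"]}]
}""")

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage(json.dumps(m))
        print(result["name"], "->", result["verdict"])
        for line in result["findings"]:
            print("  -", line)
```

Run it against the manifest.json inside any sideloaded extension before enabling Developer Mode; a "review" verdict means the extension can read cookies or rewrite traffic on every site, which is exactly the capability the article says was used to exfiltrate Facebook IDs, passwords and payment data. The manifest is only the first pass: an extension that passes this check can still hide the same behaviour in obfuscated JavaScript, so the code itself should be read next.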
Bitdefender is not alone in its concern, as other cybersecurity experts have echoed similar warnings. Users often assume that advertisements on major platforms are legitimate, which lets hackers leverage these platforms for malicious purposes. Promoting fake updates to reputable software brands is particularly troubling, especially considering the increasing reliance on password managers in daily online activities.
Image credits: Furkan Demirkaya/Flux AI