Hackers pushing fake Bitwarden updates hit thousands of devices with data stealing malware

Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
(Image credit: Shutterstock)

  • Fake facebooks ads are posing as Bitwarden security updates
  • The updates actually install a malicious browser extension
  • The extensions steals personal and financial data from Facebook

Bitdefender has warned hackers are using the Facebook advertising platform to trick Bitwarden users into installing a fake security update that steals personal data and credit card information from businesses and individuals alike.

The advert lures a user through a string of redirected URLs before landing them at a phishing page designed to mimic the official Chrome Web Store.

Once downloaded, the malware leeches data from Facebook’s Graph API which is then sent to the attacker via a Google Script URL that acts as a command and control (C2) server.

Fake facebook ads spreading malware

The fake adverts create a sense of urgency for users, displaying messages such as “Warning: Your Passwords Are at Risk!” and using Bitwarden branding to appear as a legitimate advert.

Once lured to the fake Chrome Web Store, users then download a zip file that is manually loaded as a Chrome browser extension using Developer mode, avoiding the usual security checks that would take place when adding a browser extension.

The extension then asks for permission to operate on all websites, modify network requests, and access storage and cookies allowing it to collect and exfiltrate the data your browser has access to. Once the extension is opened, the malware looks for the ‘c_user’ cookie on Facebook, which contains the Facebook user ID.

The malware also uses a background.js script to harvest data from Facebook cookies, including information on location and IP address, and uses the Facebook Graph API to extract all of the stolen data to the hackers C2 server.

Bitdefender recommends that users and security teams keep an eye out for extensions that request excessive permissions, as well as those with obfuscated functions such as ‘chrome.runtime.onInstalled.addListener’ and signatures that request to graph.facebook.com APIs.

Users should also double check the authenticity of an update with the manufacturer, pay close attention to updates pushed through adverts and social media, and use one of the best antivirus services available as an additional line of defense.

While this campaign has since been taken down, the attack shows the potential for malicious actors to use Facebook advertising and social media to push further malware on a global scale.

You might also like

TOPICS
Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.

Read more
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
These fake macOS updates are actually just looking to spread malware
A padlock resting on a keyboard.
Understanding and avoiding malvertizing attacks
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Mac users targeted with new malware, so be on your guard
unblock facebook with vpn
A new Facebook phishing campaign looks to trick you with emails sent from Salesforce
chrome firefox extensions
Google Chrome extensions hit in major attack - dozens of developers affected, so be on your guard
Fraude en ligne phishing
Google Search ads are being hacked to steal account info
Latest in Pro
Homepage of Manus, a new Chinese artificial intelligence agent capable of handling complex, real-world tasks, is seen on the screen of an iPhone.
Manus AI may be the new DeepSeek, but initial users report problems
healthcare
Software bug meant NHS information was potentially “vulnerable to hackers”
Hospital
Major Oracle outage hits US Federal health record systems
A hacker wearing a hoodie sitting at a computer, his face hidden.
Experts warn this critical PHP vulnerability could be set to become a global problem
botnet
YouTubers targeted by blackmail campaign to promote malware on their channels
A computer screen showing a spreadsheet in use.
This entire nation's public health department was found to be running on a single Excel spreadsheet
Latest in News
Apple's Craig Federighi demonstrates the iPhone Mirroring feature of macOS Sequoia at the Worldwide Developers Conference (WWDC) 2024.
Report: iOS 19 and macOS 16 could mark their biggest design overhaul in years – and we have one request
Google Gemini Calendar
Gemini is coming to Google Calendar, here’s how it will work and how to try it now
Lego Mario Kart – Mario & Standard Kart set on a shelf.
Lego just celebrated Mario Day in the best way possible, with an incredible Mario Kart set that's up for preorder now
TCL QM7K TV on orange background
TCL’s big, bright new mid-range mini-LED TVs have built-in Bang & Olufsen sound
Apple iPhone 16e
Which affordable phone wins the mid-range race: the iPhone 16e, Nothing 3a, or Samsung Galaxy A56? Our latest podcast tells all
Homepage of Manus, a new Chinese artificial intelligence agent capable of handling complex, real-world tasks, is seen on the screen of an iPhone.
Manus AI may be the new DeepSeek, but initial users report problems