Malvertising: Fake advertising on Facebook targets Bitwarden users
Security researchers have observed a malvertising campaign in which a supposed security update for Bitwarden was advertised via Facebook.
With malvertising, cyber criminals constantly try to foist malware on Internet users.
(Image: Balefire / Shutterstock.com)
Security researchers from Bitdefender Labs describe a so-called malvertising campaign on their blog, which apparently targets Facebook business accounts in particular. Victims may face financial losses.
According to the report, cybercriminals placed advertisements on the platform to spread malware. The so-called sponsored post advertised a supposed security update for the Chrome extension of the password manager Bitwarden. The ad linked to a fake website that was modeled on the official Google Chrome Web Store.
Malware installation: victims have to do the prying themselves
With the installation instructions on the fake website, the cybercriminals tried to trick their victims into bypassing the browser's security checks: after clicking the "Add to Chrome" button on the website, the victim was redirected to a Google Drive link that contained the malware, packaged in a .zip file. Next, victims were told to unzip the .zip file and then switch to developer mode in Chrome's settings to manually install the unzipped malicious extension.
Once installed, the malware requests extensive permissions that allow it to manipulate users' online activities, such as permissions to interact with websites, modify network requests and access cookies and storage. At the heart of the attack is a script called "background.js". It extracts IP and location data as well as Facebook cookies and account data, including payment information such as credit card details and billing addresses. The background.js script forwards these to a Google Apps script URL, which serves as a command-and-control server for the attackers.
Such attacks are often difficult to detect as they use legitimate platforms and names, in this case Facebook and Bitwarden. Malvertising is also a known problem with the major search engines Google and Bing.
According to the blog post from Bitdefender Labs, you can protect yourself from such attacks by only installing browser extensions via the official browser web store and refraining from using links on third-party sites or in advertisements. Before installing an extension, you should always check its permissions. The declarativeNetRequest and webRequest permissions, coupled with access to cookies, are often relatively clear indications of malware. The blog post names further possible Indicators of Compromise (IoC). The IT researchers also recommend activating the security features of the browser used and deactivating developer mode if it is not required.
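The permission check recommended above, and the background-script behaviour described earlier, can be screened for before an unpacked extension is ever loaded. The following is an added example, not code from the Bitdefender report, from Bitwarden or from the malicious extension: it reads an extension's manifest.json and flags the combination the researchers call out (webRequest or declarativeNetRequest together with cookies), broad host access, and the background scripts an analyst should read next. The two manifests embedded below are constructed samples, not the real artefact.

```javascript
// Added example (not from the report): audit a Chrome extension manifest for the
// permission pattern the article names: network-request hooks plus cookie access.
const NETWORK_HOOKS = ["webRequest", "webRequestBlocking", "declarativeNetRequest"];

function auditManifest(manifestJson) {
  const m = JSON.parse(manifestJson);
  const perms = new Set([...(m.permissions || []), ...(m.optional_permissions || [])]);
  // Manifest V2 lists host patterns inside "permissions"; V3 uses "host_permissions".
  const hosts = [
    ...(m.host_permissions || []),
    ...[...perms].filter((p) => p.includes("://") || p === "<all_urls>"),
  ];
  const findings = [];

  const hooks = NETWORK_HOOKS.filter((p) => perms.has(p));
  if (hooks.length > 0 && perms.has("cookies")) {
    findings.push(`network interception (${hooks.join(", ")}) combined with "cookies"`);
  }
  if (hosts.some((h) => h === "<all_urls>" || /^\*:\/\/\*\//.test(h))) {
    findings.push("host access to every site");
  }
  // A persistent exfiltration loop lives in the background script; list it for review.
  const backgroundScripts = m.background
    ? [m.background.service_worker, ...(m.background.scripts || [])].filter(Boolean)
    : [];
  return { risky: findings.length > 0, findings, backgroundScripts };
}

// Constructed sample mirroring the shape the report describes (not the real artefact).
const SUSPICIOUS_MANIFEST = JSON.stringify({
  manifest_version: 3,
  name: "Constructed Sample Update",
  version: "1.0",
  permissions: ["webRequest", "declarativeNetRequest", "cookies", "storage", "tabs"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "background.js" },
});

// Constructed benign sample: local storage only, no network hooks, no cookie access.
const BENIGN_MANIFEST = JSON.stringify({
  manifest_version: 3,
  name: "Constructed Notes Sample",
  version: "1.0",
  permissions: ["storage"],
  background: { service_worker: "worker.js" },
});

console.log(auditManifest(SUSPICIOUS_MANIFEST));
console.log(auditManifest(BENIGN_MANIFEST));
```

Run it against the manifest.json of any unpacked extension before enabling developer mode; a non-empty findings list is a reason to stop and read the listed background scripts.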
(kst)