Password managers are used by individuals and businesses to improve password security. They help individuals create complex passwords, eliminate the need to remember passwords, and provide a degree of protection against phishing attacks, but their very nature makes them a target for cybercriminals.

A password manager is used to store an individual’s entire collection of passwords and other sensitive data such as documents, credit card information, and more. When these solutions are provided to employees, they contain credentials for corporate accounts. That information is extremely valuable to cybercriminals. Password managers incorporate all the security features necessary to protect that information, and many password managers operate under the zero-knowledge model, so even the password manager provider does not know and cannot discover users’ passwords; however, that does not mean that password manager vaults cannot be accessed by unauthorized individuals.

One of the easiest ways to access password vaults is through phishing. Phishing is commonly conducted via email and social engineering techniques are used to trick individuals into visiting a malicious website that spoofs a particular brand. Phishing attacks may also solely be conducted via the Internet, with traffic sent to the malicious websites through malicious adverts or search engine poisoning – getting malicious websites to appear high in the listings for specific search terms.

The Bitwarden phishing campaign involves malicious adverts. A threat actor has created web pages that closely resemble the official Bitwarden domain ( and is using Google Ads to promote their fake website. Those ads are appearing above the legitimate Bitwarden site in the search engine listings for certain search terms.

The malicious domains contain the name Bitwarden – for example – but that domain is not owned by Bitwarden. Clicking the link will direct the user to a webpage that is a virtual carbon copy of the official Bitwarden website. The user is prompted to supply their email address and password to log in to their cloud Bitwarden account, or to create a new account.

If a Bitwarden user enters their credentials, they will be captured and used to access the user’s password vault, providing the attacker with the passwords for the user’s entire digital footprint. Even if the individual does not have a Bitwarden account and attempts to sign up, the threat actor will have a username and password combination that could be used in a credential stuffing attack or a future attempt to access to user’s password manager vault. If a user attempts to sign up for a new account, the credentials are captured and the user is redirected to the official Bitwarden page, where they would be likely to try again to create an account, possibly using the same password.

This particular campaign targets Bitwarden users, but the same technique could be used to target users of other cloud-based password managers. Google has controls in place to prevent malicious adverts from being created on its platform and has since removed the malicious adverts, but this campaign shows that those controls are not always effective. These campaigns are also conducted on other ad networks, allowing malicious adverts to be displayed in other search engines and on high-traffic web pages.

This campaign clearly shows why businesses need to look beyond email filtering solutions to protect against phishing attacks. A secure email gateway or spam filter will block malicious messages sent via email but will do nothing to protect against web-based phishing attacks. The easiest way to prevent these types of phishing attack is to use a web filter. TitanHQ’s web filtering solution, WebTitan Cloud, is constantly fed threat intelligence of malicious URLs and domains, ensuring access to these domains is prevented. WebTitan also scans URLs in real-time and can be configured to restrict access to web content by the category of website or web page, or the presence of certain keywords on the page. Web filters also protect against malware by allowing controls to be set to prevent downloads of specific file types from the Internet and can identify malicious DNS traffic.

When a web filter is combined with a spam filter, multi-factor authentication, and security awareness training for employees, businesses will be well protected against all forms of phishing.