Using a password manager is a highly recommended way to protect your online accounts. That’s not to say, though, that you can relax. Criminals took advantage of a typo to direct users to a copy of Bitwarden’s website and then steal their data.
The attack was discovered by security researchers at Malwarebytes, who dubbed it ZenRAT. The campaign mimicked Bitwarden’s website and focused on Windows users. A user who visited the fake page and tried to download the desktop version of the password manager was actually downloading data-stealing malware.
According to the researchers, ZenRAT collects browser data and credentials, as well as details about the infected machine. This let the attackers create a fingerprint of the compromised system and access accounts as if they were the legitimate user.
Typo led to fake website
The attackers did not need to redirect traffic from the user’s machine to take them to the fake Bitwarden page. Instead, they took advantage of an oversight: if a person mistyped the name as “bitwariden,” with an incorrect “i” between the “r” and the “d,” they would land on the imposter site.
This type of attack is not uncommon. It even has a specific term: “typosquatting”.
The strategy may be to take advantage of occasional user errors, whether a spelling mistake (using “z” instead of “s”, for example) or a slip caused by proximity on the keyboard (producing a URL similar to the real one).
Another scenario is to use the URLs in phishing campaigns, tricking the victim into clicking on a supposedly legitimate link, but with a slight difference in the letters.
In addition to typos, criminals use different domain endings (.com instead of .net, for example) or different ways of writing the same words (“fourteen” or “fourteen”), among other methods.
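The typo classes described above can be checked for on the defensive side, for example against hostnames seen in DNS or proxy logs. The following is an added example, not code from Malwarebytes or from this article; the function names and sample hostnames are constructed, and it assumes bitwarden.com as the protected domain and a single-label TLD.

```python
PROTECTED = "bitwarden.com"                     # legitimate domain to defend (assumption)
ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")   # QWERTY letter rows

def adjacent(a, b):
    """True when two keys sit side by side on one QWERTY row."""
    return any(abs(r.index(a) - r.index(b)) == 1 for r in ROWS if a in r and b in r)

def one_removed(longer, shorter):
    """True when deleting exactly one character of `longer` gives `shorter`."""
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def classify_label(typed, real):
    """Name the single-edit typo that turns `real` into `typed`, else None."""
    if len(typed) == len(real) + 1 and one_removed(typed, real):
        return "insertion"                      # e.g. the extra "i" in "bitwariden"
    if len(typed) + 1 == len(real) and one_removed(real, typed):
        return "omission"
    if len(typed) != len(real):
        return None
    diff = [i for i, (t, r) in enumerate(zip(typed, real)) if t != r]
    if len(diff) == 1:
        i = diff[0]
        return "adjacent-key substitution" if adjacent(typed[i], real[i]) else "substitution"
    if len(diff) == 2 and diff[1] == diff[0] + 1:
        i, j = diff
        if typed[i] == real[j] and typed[j] == real[i]:
            return "transposition"
    return None

def classify(host, protected=PROTECTED):
    """Return the typo class of `host` relative to `protected`, or None."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    name, tld = labels[-2], labels[-1]          # assumes a single-label TLD
    real_name, real_tld = protected.split(".")
    if name == real_name:                       # same name: legitimate or a TLD swap
        return None if tld == real_tld else "tld-swap"
    return classify_label(name, real_name)

def scan(hosts):
    """Map each suspicious hostname to its typo class; clean hosts are dropped."""
    return {h: kind for h in hosts if (kind := classify(h))}

# Constructed sample hostnames, standing in for entries from DNS or proxy logs.
SAMPLES = ["vault.bitwarden.com", "bitwariden.com", "bitwarden.net", "bitwardem.com", "example.org"]

if __name__ == "__main__":
    for host, kind in scan(SAMPLES).items():
        print(f"{host}: {kind}")
```

Only single-edit variants are flagged, so a lookalike that differs by two or more edits needs a wider distance threshold.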
Scammers can use the similar address to create a website identical to the original, simulate surveys, or offer freebies, all aimed at stealing data.
The lookalike address can also lead to a page full of advertisements and pop-ups, as a way to make money from this accidental traffic.
To protect yourself, pay close attention to what you type and the links you click. Saving sites to favorites is another way to avoid this type of problem.
Throwing the site name into Google can help, but you also need to be careful. In January 2023, an information-stealing campaign bought ads on Google to direct users to a fake website. At that time, the target was also Bitwarden.