Flash Report: Phishing Ads Target Password Managers

3 minute read

Key Findings

  • Phishing ads aimed at stealing password vault credentials are the latest tactic used to target password managers.
  • Recent targeting of password managers has involved security breaches and credential stuffing attacks.
  • Threat actors’ level of sophistication with creating phishing pages continues to evolve.
  • The identified phishing pages targeting the password managers have since been removed; however, this does not abate the threat of this type of activity.

Analyst Commentary

In the wake of recent breaches targeting password managers, another headache has emerged—this time targeting Bitwarden and other password managers. Over the last several weeks, ZeroFox Intelligence has reported on password managers being exploited via a security breach[1] and a credential stuffing attack.[2] Password managers are once again being targeted utilizing another attack vector—Google Ads phishing campaigns. These campaigns are aimed at stealing users’ password vault credentials by creating phishing pages that look very similar to Bitwarden’s or other password managers’ login sites and then capturing the user’s credentials.[3] Adding to their perceived authenticity is that once credentials are entered, users are redirected back to the legitimate login pages.

Example of Bitwarden Phishing Site
Source: hXXps://www.reddit[.]com/r/Bitwarden/comments/10k2aj5/google_search_ads_showing_fake_bitwarden_web/

While some users claimed the phishing sites were relatively easy to spot, others indicated that they appeared to be legitimate and were challenging to identify.[4] The phishing pages in question have been removed since being identified. However, depending on how successful the threat actors were in capturing credentials, they are likely to employ similar tactics in the future given the potentially high return on investment if password vaults can be accessed.


  • Update current master and stored passwords utilized on any password management service; while this will not change any impacts of affected breached vaults, it is a best practice for getting ahead of potential future attacks.
  • Do not share passwords, and do not reuse the same password on different websites and applications.
  • Enable two-factor authentication for all organizational accounts to help mitigate phishing and credential-stuffing attacks.
  • Remain vigilant against potential phishing attempts.
  • Exercise caution when submitting credentials on websites, ensuring that they are legitimate sites.
  • If not already enabled, engage with ZeroFox for ongoing compromised credential monitoring. Immediate password changes should be implemented for any affected account.
  • ZeroFox recommends remaining vigilant and denying multifactor authentication (MFA) requests not specifically triggered by logging in or requesting device enrollment. These requests are typically immediate and should not randomly appear throughout the day.
Scope Note

ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 3:00 PM (EST) on January 31, 2023; per cyber hygiene best practices, caution is advised when clicking on any third-party links.

See ZeroFox in action