Beware of fake KeePass site: How attackers use Google Ads to lure users

KeePass is a popular open-source password manager that allows users to store and manage their passwords securely. However, a recent discovery by Malwarebytes Labs researchers has revealed that attackers are using Google Ads to trick users into visiting a fake site for KeePass that can compromise their master password.

How the attack works

The attackers have managed to create a fake site for KeePass that looks very similar to the official one, abusing Punycode, the encoding that lets internationalized (non-ASCII) domain names be represented in DNS. Punycode allows them to register domains that visually appear almost identical to legitimate ones but use different characters from other alphabets or letters carrying diacritics. For example, the fake site uses the domain ķeepass [.]info, where the letter “k” has a tiny mark beneath it (a cedilla), so it is not a standard letter k.


The attackers have also managed to get their fake site into Google Ads, which means that it can appear at the top of search results when users look for KeePass. The malicious ads look entirely genuine and feature the official KeePass logo and URL. When clicked, the ads redirect users via a cloaking service to the fake site, where they are prompted to download the software.

What is the risk?

The risk of this attack is that the software downloaded from the fake site can extract the master password of the users who install it. The master password is the primary key that unlocks the user’s password database, where all their other passwords are stored. If the attackers get hold of the master password, they can access all the user’s accounts and credentials.

The researchers have found that the fake site can retrieve the master password from various memory sources, such as process dumps, swap files, hibernation files, or even full-system RAM dumps. This can happen even if the user locks their workspace or closes KeePass. The only limitation is that the recovery excludes the first character of the password, but that may not be enough to prevent brute-force attacks.

The researcher who uncovered this vulnerability, known as vdohney, has demonstrated this exploit with a proof-of-concept tool called “KeePass Master Password Dumper”. This tool can recover the master password from KeePass’s memory, except for the first character.

How to protect yourself

The best way to protect yourself from this attack is to avoid clicking on any ads for KeePass and only download the software from the official site: keepass [.]info. You should also check the domain name carefully and look for any suspicious characters or typos.
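A small check of the kind the advice above calls for, added here as an example and not code from the article or from the KeePass project: it refangs a defanged domain such as the one in the Punycode section, converts it to the ASCII (xn--) form the browser and DNS actually resolve, and compares its diacritic-stripped skeleton against a list of protected domains. The protected-domain list and the function names are assumptions.

```python
import unicodedata

# Assumption: the legitimate domains an organisation wants to protect against lookalikes.
PROTECTED_DOMAINS = {"keepass.info"}


def refang(domain: str) -> str:
    """Turn a defanged indicator like 'ķeepass [.]info' back into a real domain."""
    return domain.replace(" [.]", ".").replace("[.]", ".").strip().lower()


def to_ascii(domain: str) -> str:
    """Return the IDNA/Punycode form (xn-- labels) that DNS actually sees."""
    return domain.encode("idna").decode("ascii")


def skeleton(domain: str) -> str:
    """Decompose each character and drop combining marks, so 'ķ' collapses to 'k'."""
    decomposed = unicodedata.normalize("NFKD", domain)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def check_domain(domain: str) -> dict:
    """Classify a domain as official, a lookalike of a protected domain, a generic IDN, or unknown."""
    d = refang(domain)
    ascii_form = to_ascii(d)
    is_idn = any(label.startswith("xn--") for label in ascii_form.split("."))
    sk = skeleton(d)
    if d in PROTECTED_DOMAINS:
        verdict, lookalike_of = "official", None
    elif sk in PROTECTED_DOMAINS:
        # Same letters once the diacritics are stripped, but a different real domain.
        verdict, lookalike_of = "lookalike", sk
    elif is_idn:
        verdict, lookalike_of = "idn", None
    else:
        verdict, lookalike_of = "unknown", None
    return {"input": domain, "ascii": ascii_form, "is_idn": is_idn,
            "lookalike_of": lookalike_of, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample: the defanged fake domain from the article and the real one.
    for sample in ("ķeepass [.]info", "keepass [.]info", "example.com"):
        print(check_domain(sample))
```

The Punycode form makes the deception visible in logs and proxy rules even where the UI renders the Unicode name, so it is the form worth alerting on.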

You should also update your KeePass software to the latest version, which is 2.54 as of October 2023. This version fixes a vulnerability (CVE-2023-32784) that affects the custom-developed text box (SecureTextBoxEx) used by KeePass for password input. This vulnerability allows attackers to extract the master password from memory in clear text.

Another good practice is to use full disk encryption with a strong password and avoid leaving your machine unattended or exposed to physical access. This can prevent attackers from accessing your memory sources and dumping your passwords.
