Malware Targets Online Banking

After noticing a browser extension communicating with a suspicious domain, researchers analysed the Google Chrome extension named Desbloquear Conteudo (unblock content) and found that it was a rare banker malware. The extension, identified as HEUR:Trojan-Banker.Script.Generic, has now been removed from Chrome Web Store. 

According to Kaspersky Lab security researcher Vyacheslav Bogdanov the man-in-the-middle (MitM) extension for Chrome was targeting users of Brazilian online banking services with the goal of collecting user logins and passwords in order to pilfer their savings.

MitM attacks redirect the victim’s web traffic to a spoof website. While the target is under the impression they are connected to a legitimate site, the flow of traffic to and from the real bank site is actually being redirected through an attacker's site so that the criminal can harvest the personal data they are after.

What's interesting about this particular extension is that the developers made no effort to obfuscate its source code. 
Instead, they opted for a MitM attack using "the WebSocket protocol for data communication, making it possible to exchange messages with the C&C [command-and-control] server in real time. This means the C&C starts acting as a proxy server to which the extension redirects traffic when the victim visits the site of a Brazilian bank."

This particular extension used the Proxy Auto Configuration technology, which enabled additional functions beyond the one written in JavaScript for most modern browsers. 

The FindProxyForUrl function was replaced with a new task that redirected traffic from the Brazilian bank to the malicious server. Attackers added malicious code to the webpage using cef.js script in order to intercept the user’s one-time password.
Because the malware was targeting Brazilian users, Bogdanov suggested that the browser extension had the additional function of adding crypto-currency mining scripts to the banking sites users visited.

“Browser extensions aimed at stealing logins and passwords are quite rare in comparison to adware extensions, but given the possible damage that they can cause, it is worth taking them seriously. 

“We recommend choosing proven extensions that have a large number of installations and reviews in the Chrome Web Store or other official services. After all, despite the protection measures taken by the owners of such services, malicious extensions can still penetrate them,” Bogdanov said.

Infosecurity-Magazine

You Might Also Read:

Banks Around The World Hit With Fileless Malware:

Stealthy Malware Is Going Mainstream:

 

« Saudi Commission Signs Deal To Boost Cybersecurity Education
Munich Airport Receives Accreditation For Cybersecurity Training »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Link11 GmbH

Link11 GmbH

Link11 provides DDoS protection solutions to protect websites and complete server infrastructures from DDoS attacks.

Centre for International Governance Innovation (CIGI)

Centre for International Governance Innovation (CIGI)

CIGI research areas include Conflict Management & Security which encompass cyber security and cyber warfare.

NetLib Security

NetLib Security

NetLib Security’s powerful, patented data security platform helps companies control data loss prevention (DLP) by managing what data can be transferred outside of their network.

TÜV Informationstechnik (TÜViT)

TÜV Informationstechnik (TÜViT)

TÜViT is a leading service provider in the IT sector offering unbiased and independent tests and certifications of IT products, hardware, software, systems and processes.

Secure Innovations

Secure Innovations

Secure Innovations is a cybersecurity firm dedicated to providing top-tier cyber security solutions for the Defense and the Intelligence Community.

PRESENSE Technologies

PRESENSE Technologies

PRESENSE Technologies specializes in monitoring and enforcing IT security policies at critical points in the network and on end systems.

Stripe OLT

Stripe OLT

At Stripe OLT, we provide complete business technology solutions - Our team has an unrivalled reputation as a Microsoft Gold Partner, specialising in secure, cloud-first technology.

NXTsoft

NXTsoft

NXTsoft’s solutions help businesses secure, connect and optimize their data to maximize revenue opportunities, enhance profitability, and mitigate cybersecurity risk.

Conseal Security

Conseal Security

Mobile app security testing done well. Conseal Security are specialists in mobile app penetration testing. Our expert-led security analysis quickly finds security vulnerabilities in your apps.

Accedian

Accedian

Accedian is a leader in performance analytics and end user experience solutions, dedicated to providing our customers with the ability to assure their digital infrastructure.

EDGE Group

EDGE Group

EDGE is one of the world’s leading advanced technology groups, established to develop agile, bold and disruptive solutions for defence and beyond.

Eventus Security

Eventus Security

Eventus, are a team of highly skilled professionals who are committed to deliver excellence in next generation cyber security services and customized solutions for your enterprise.

Ampsight

Ampsight

Ampsight specializes in enabling cloud integration, securing data, and navigating complications that drive critical-mission success.

PDI Technologies

PDI Technologies

PDI Technologies helps convenience retail and petroleum wholesale businesses around the globe increase efficiency and profitability by securely connecting their data and operations.

3DOT Solutions

3DOT Solutions

3DOT Solutions is an established UK cybersecurity consultancy focused on delivering end-to-end cyber security solutions for private and public sector customers.

Thero6

Thero6

Thero6 develop dynamic financial analysis algorithms that help prevent coin collapses and theft of cryptocurrency funds by identifying the transaction absolutely throughout the chain.