Malware Targets Online Banking

Uploaded on 2018-06-21 in NEWS-Cybersecurity News, GOVERNMENT-Law Enforcement, FREE TO VIEW, BUSINESS-Services-Financial

After noticing a browser extension communicating with a suspicious domain, researchers analysed the Google Chrome extension named Desbloquear Conteudo (unblock content) and found that it was a rare banker malware. The extension, identified as HEUR:Trojan-Banker.Script.Generic, has now been removed from Chrome Web Store. 

According to Kaspersky Lab security researcher Vyacheslav Bogdanov the man-in-the-middle (MitM) extension for Chrome was targeting users of Brazilian online banking services with the goal of collecting user logins and passwords in order to pilfer their savings.

MitM attacks redirect the victim’s web traffic to a spoof website. While the target is under the impression they are connected to a legitimate site, the flow of traffic to and from the real bank site is actually being redirected through an attacker's site so that the criminal can harvest the personal data they are after.

What's interesting about this particular extension is that the developers made no effort to obfuscate its source code. 
Instead, they opted for a MitM attack using "the WebSocket protocol for data communication, making it possible to exchange messages with the C&C [command-and-control] server in real time. This means the C&C starts acting as a proxy server to which the extension redirects traffic when the victim visits the site of a Brazilian bank."

This particular extension used the Proxy Auto Configuration technology, which enabled additional functions beyond the one written in JavaScript for most modern browsers. 

The FindProxyForUrl function was replaced with a new task that redirected traffic from the Brazilian bank to the malicious server. Attackers added malicious code to the webpage using cef.js script in order to intercept the user’s one-time password.
Because the malware was targeting Brazilian users, Bogdanov suggested that the browser extension had the additional function of adding crypto-currency mining scripts to the banking sites users visited.

“Browser extensions aimed at stealing logins and passwords are quite rare in comparison to adware extensions, but given the possible damage that they can cause, it is worth taking them seriously. 

“We recommend choosing proven extensions that have a large number of installations and reviews in the Chrome Web Store or other official services. After all, despite the protection measures taken by the owners of such services, malicious extensions can still penetrate them,” Bogdanov said.

Infosecurity-Magazine

You Might Also Read:

Banks Around The World Hit With Fileless Malware:

Stealthy Malware Is Going Mainstream:

 

« Saudi Commission Signs Deal To Boost Cybersecurity Education
Munich Airport Receives Accreditation For Cybersecurity Training »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CERT-FR

CERT-FR

CERT-FR is the French national government computer security incident response team.

OIC-CERT

OIC-CERT

OIC-CERT is the Computer Emergency Response Team for Organisation of Islamic Cooperation (OIC) member countries.

ABB

ABB

ABB is a pioneering technology leader in industrial digitalization. Services include cyber security for industrial control systems IoT.

Volexity

Volexity

Volexity is a leading provider of threat intelligence and incident suppression services and solutions.

AVL Mobile Security

AVL Mobile Security

AVL Mobile Security is a market-leading mobile security company for anti-virus and threat intelligence in the mobile Internet.

Secure Soft

Secure Soft

Secure Soft are experts in Computer and Information Security with a presence in Peru, Colombia and Ecuador.

Cyolo

Cyolo

Cyolo’s Secure Access Service Edge (SASE) platform securely connects onsite and remote users to authorized assets, in the organizational network, cloud or IoT environments and even offline networks.

TXOne Networks

TXOne Networks

TXOne Networks offer cybersecurity solutions to protect your industrial control systems to ensure their reliability and safety from cyberattacks.

xorlab

xorlab

xorlab is a Swiss cybersecurity company providing specialized, machine-intelligent defense against highly engineered, sophisticated and targeted email attacks.

e5 Lab

e5 Lab

e5 Lab seeks to develop solutions to challenges faced by the shipping industry including digital transformation, autonomous technologies and big data in order to promote safe and efficient operations.

Larsen & Toubro Infotech (LTI)

Larsen & Toubro Infotech (LTI)

LTI is a global technology consulting and digital solutions company with operations in 33 countries.

Inflection Point Ventures (IPV)

Inflection Point Ventures (IPV)

Inflection Point Ventures (IPV) is a 6000+ members angel investing firm which supports new-age entrepreneurs by connecting them with a diverse group of investors.

Opus Security

Opus Security

Opus dramatically reduces cloud security risks by enabling teams to define, orchestrate, automate and measure remediation processes across the entire distributed organization.

CCX Technologies

CCX Technologies

CCX Technologies design and develop a wide range of cybersecurity and testing solutions for the aviation, and military and government markets.

TRM Labs

TRM Labs

TRM enables risk management and compliance for a global community of financial institutions, cryptocurrency businesses and government agencies.

SUCCESS Computer Consulting

SUCCESS Computer Consulting

SUCCESS Computer Consulting is a leader in managed IT and security services for small and medium-sized businesses in Minneapolis, St. Paul, and the surrounding Twin Cities Metro area.