Tuesday, May 6, 2025
HomeCyber Security NewsHackers Stole Banking Details From Over 50,000 Users Via Web Injections

Hackers Stole Banking Details From Over 50,000 Users Via Web Injections

Published on

SIEM as a Service

Follow Us on Google News

Web injections involve injecting malicious code into websites to manipulate content or redirect users to fraudulent sites. 

Threat actors use this technique to steal sensitive information, such as:-

  • Login credentials
  • Financial data
  • Exploit vulnerabilities in web applications

Cybersecurity researchers at Security Intelligence recently identified that hackers hijacked the banking details of more than 50,000 users using web injection attacks.

- Advertisement - Google News

Banking trojans use web injections to threaten the cyber world, and IBM Security Trusteer finds a sneaky JavaScript campaign in March 2023.

While in this malicious campaign, the malware’s link to DanaBot remains unconfirmed; however, Since 2023, more than 50000 user sessions got hit in over 40 banks across the following countries:-

  • North America
  • South America
  • Europe
  • Japan

Hackers Hijacked Banking Details

This new threat campaign aims to hijack popular banking apps, and the malicious domains bought in Dec 2022 have been active since early 2023.

Meanwhile, the JS script targets specific page structures and injects content when certain conditions are met. 

Besides this, the credential theft is done via added event listeners on the login button. It also focuses on common bank layouts, as the threat actors aim to compromise and monetize user banking info.

Malware starts grabbing data as soon as the script is fetched. It often uses the computer’s name to add details like bot ID and config flags as query parameters. 

This suggests an OS-level infection by other malware components before browser injection.

Initial obfuscated GET request fetching the script
Initial obfuscated GET request fetching the script (Source – Security Intelligence)

The encoded script is disguised and returned as a single line with an added decoy string. Meanwhile, the malicious content is hidden in network traffic, resembling a legitimate CDN

Injection avoids running if “adrum” is in the page URL, and the function patching removes malware evidence to hide its presence.

Dynamic script communicates with the C2 server and adjusts actions based on the following two key elements:-

  • Received instructions
  • Logs updates

Resilient injection patiently waits, retries steps, and adapts based on server responses. Continuous server-device identification ensures execution continuity. 

The script, within an anonymous function, configures with default values and adjusts dynamically during runtime. Asynchronous actions, triggered by server responses, hide the script. 

While the operational states dictate actions like:-

  • Injecting prompts
  • Executing login attempts
Prompting a phone number for two-factor authentication
Prompting a phone number for two-factor authentication (Source – Security Intelligence)

Recommendations

Here below, we have mentioned all the recommendations offered by the security analysts:-

  • Practice vigilance
  • Report suspicious activity
  • Avoid unknown software
  • Follow password and email security best practices
  • Always stay vigilant
  • Implement robust security
  • Stay informed to counter emerging threats
Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations,...

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search...

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider,...

Over 2,800 Hacked Websites Targeting MacOS Users with AMOS Stealer Malware

Cybersecurity researcher has uncovered a massive malware campaign targeting MacOS users through approximately 2,800...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations,...

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search...

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider,...