Tuesday, November 26, 2024
HomeComputer SecurityMalicious Chrome Extension Launch MitM Attack to Harvest User Logins & Passwords...

Malicious Chrome Extension Launch MitM Attack to Harvest User Logins & Passwords and Steal Money

Published on

Newly Discovered Malicious chrome extension performing Man-in-the-Middle Attack to harvest users log in and password to steal money from Victims Bank Accounts.

Recently an analysis of suspicious extensions from Chrome Web Store, an extension called Desbloquear Conteúdo(‘Unblock Content’ in Portuguese) has been discovered.

The malicious Extension specifically targets users of Brazilian online banking services and fraudulent attempt primarily discovered in Brazil.

- Advertisement - SIEM as a Service

This malicious chrome extension predominantly targeting online banking service and compromised users using various techniques.

During the Man-in-the-Middle attack, attacker re-directs a victim’s web traffic into a spoof page by modifying DNS settings.

In this case, The victim believes they are connected to their bank’s website and victims can’t realize anything suspicious, but the traffic is re-directed through the attacker’s site that allows the attacker to gather any personal data such as password, PIN, username while entered by the victim.

How Does This Malicious Chrome Extension Works

Malicious chrome extension using obfustication technique to evade the antivirus detection but its source code didn’t obfuscate.

It uses WebSocket protocol for data communication to make it more private and the C&C server will act as a proxy server.

During the Man-in-the-Middle attack, whenever victims visiting the Brazilian bank website, malicious extension redirects the traffic into attacker server.

Desbloquear Conteúdo Extension contains 2 Javascript fundo.js, pages.js to perform two difference operation to control the vicitms.

fundo.js initially start establishing the web socket connection using the function called function websocket_init().

Later it downloads the data from the server and stored it in chrome. storage later it contacting the Command & Control server to receive the IP address where the user traffic will be redirected.

According to Kaspersky, It’s worth mentioning here the Proxy Auto Configuration technology. Modern browsers use a special file written in JavaScript which has just one function: FindProxyForURL. With this function, the browser defines which proxy server to use to establish a connection to various domains.

Another pages.js downloads the some of the scripts from the domain ganalytics[.]ga and launches them on the banks’ sites.

A script called cef.js add specific HTML code to the main page of the online banking system and the connected server needed to collect the one-time passwords used for authentication on the bank’s site.

Once the user accessing the bank login page, , the script creates a clone of the ‘Enter’ button with a click this button Function which is overlaid and eventually victims will click the button.

Finally, the password to the user’s account is sent to the online banking system as well as to the malicious server.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting...

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ...

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to...

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities,...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting...

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ...

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...