Saturday, June 15, 2024

Malicious Chrome Extension Launch MitM Attack to Harvest User Logins & Passwords and Steal Money

Newly Discovered Malicious chrome extension performing Man-in-the-Middle Attack to harvest users log in and password to steal money from Victims Bank Accounts.

Recently an analysis of suspicious extensions from Chrome Web Store, an extension called Desbloquear Conteúdo(‘Unblock Content’ in Portuguese) has been discovered.

The malicious Extension specifically targets users of Brazilian online banking services and fraudulent attempt primarily discovered in Brazil.

This malicious chrome extension predominantly targeting online banking service and compromised users using various techniques.

During the Man-in-the-Middle attack, attacker re-directs a victim’s web traffic into a spoof page by modifying DNS settings.

In this case, The victim believes they are connected to their bank’s website and victims can’t realize anything suspicious, but the traffic is re-directed through the attacker’s site that allows the attacker to gather any personal data such as password, PIN, username while entered by the victim.

How Does This Malicious Chrome Extension Works

Malicious chrome extension using obfustication technique to evade the antivirus detection but its source code didn’t obfuscate.

It uses WebSocket protocol for data communication to make it more private and the C&C server will act as a proxy server.

During the Man-in-the-Middle attack, whenever victims visiting the Brazilian bank website, malicious extension redirects the traffic into attacker server.

Desbloquear Conteúdo Extension contains 2 Javascript fundo.js, pages.js to perform two difference operation to control the vicitms.

fundo.js initially start establishing the web socket connection using the function called function websocket_init().

Later it downloads the data from the server and stored it in chrome. storage later it contacting the Command & Control server to receive the IP address where the user traffic will be redirected.

According to Kaspersky, It’s worth mentioning here the Proxy Auto Configuration technology. Modern browsers use a special file written in JavaScript which has just one function: FindProxyForURL. With this function, the browser defines which proxy server to use to establish a connection to various domains.

Another pages.js downloads the some of the scripts from the domain ganalytics[.]ga and launches them on the banks’ sites.

A script called cef.js add specific HTML code to the main page of the online banking system and the connected server needed to collect the one-time passwords used for authentication on the bank’s site.

Once the user accessing the bank login page, , the script creates a clone of the ‘Enter’ button with a click this button Function which is overlaid and eventually victims will click the button.

Finally, the password to the user’s account is sent to the online banking system as well as to the malicious server.


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles