Thursday, October 3, 2024
HomeComputer SecurityMalicious Chrome Extension Launch MitM Attack to Harvest User Logins & Passwords...

Malicious Chrome Extension Launch MitM Attack to Harvest User Logins & Passwords and Steal Money

Published on

Newly Discovered Malicious chrome extension performing Man-in-the-Middle Attack to harvest users log in and password to steal money from Victims Bank Accounts.

Recently an analysis of suspicious extensions from Chrome Web Store, an extension called Desbloquear Conteúdo(‘Unblock Content’ in Portuguese) has been discovered.

The malicious Extension specifically targets users of Brazilian online banking services and fraudulent attempt primarily discovered in Brazil.

- Advertisement - EHA

This malicious chrome extension predominantly targeting online banking service and compromised users using various techniques.

During the Man-in-the-Middle attack, attacker re-directs a victim’s web traffic into a spoof page by modifying DNS settings.

In this case, The victim believes they are connected to their bank’s website and victims can’t realize anything suspicious, but the traffic is re-directed through the attacker’s site that allows the attacker to gather any personal data such as password, PIN, username while entered by the victim.

How Does This Malicious Chrome Extension Works

Malicious chrome extension using obfustication technique to evade the antivirus detection but its source code didn’t obfuscate.

It uses WebSocket protocol for data communication to make it more private and the C&C server will act as a proxy server.

During the Man-in-the-Middle attack, whenever victims visiting the Brazilian bank website, malicious extension redirects the traffic into attacker server.

Desbloquear Conteúdo Extension contains 2 Javascript fundo.js, pages.js to perform two difference operation to control the vicitms.

fundo.js initially start establishing the web socket connection using the function called function websocket_init().

Later it downloads the data from the server and stored it in chrome. storage later it contacting the Command & Control server to receive the IP address where the user traffic will be redirected.

According to Kaspersky, It’s worth mentioning here the Proxy Auto Configuration technology. Modern browsers use a special file written in JavaScript which has just one function: FindProxyForURL. With this function, the browser defines which proxy server to use to establish a connection to various domains.

Another pages.js downloads the some of the scripts from the domain ganalytics[.]ga and launches them on the banks’ sites.

A script called cef.js add specific HTML code to the main page of the online banking system and the connected server needed to collect the one-time passwords used for authentication on the bank’s site.

Once the user accessing the bank login page, , the script creates a clone of the ‘Enter’ button with a click this button Function which is overlaid and eventually victims will click the button.

Finally, the password to the user’s account is sent to the online banking system as well as to the malicious server.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Cisco Nexus Vulnerability Let Hackers Execute Arbitrary Commands on Vulnerable Systems

A critical vulnerability has been discovered in Cisco's Nexus Dashboard Fabric Controller (NDFC), potentially...

Hackers Now Exploit Ivanti Endpoint Manager Vulnerability to Launch Cyber Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of a new...

Tor Browser 13.5.6 Released – What’s New!

The Tor Project has announced the release of Tor Browser 13.5.6, which is now...

Mario Duarte, Former Snowflake Cybersecurity Leader, Joins Aembit as CISO to Tackle Non-Human Identities

Aembit, the non-human IAM company, today announced the appointment of Mario Duarte as chief...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

DCRAt Attacking Users Via HTML Smuggling To Steal Login Credentials

In a new campaign that is aimed at users who speak Russian, the modular...

LummaC2 Stealer Leverages Customized Control Flow Indirection For Execution

The LummaC2 obfuscator employs a novel control flow protection scheme designed specifically for its...

Octo2 Android Malware Attacking To Steal Banking Credentials

The original threat actor behind the Octo malware family has released a new variant,...