IBM warns about JavaScript injections targeting bank accounts

50 thousand people have already lost their savings. Will you be able to protect your own?

Yesterday, cybersecurity researchers from IBM published a report on a campaign they identified to spread malware that uses web-based JavaScript injections to steal bank data from 40 banks in the Americas, Europe and Japan.

Experts revealed that the campaign had been in preparation since December 2022, when the malicious domains used in the attacks were purchased. The campaign was identified only in March of this year. At the moment, more than 50,000 users have already been affected by the hackers' activities.

The attacks themselves are carried out through JS scripts downloaded from the attackers' server and are aimed at a specific page structure that is common to many banks. The ultimate goal of the attack is to intercept user credentials and one-time passwords (OTP) in order to log in to the banking system and gain full access to the victim's account, including performing unauthorized transactions.

Without going into details, IBM says that the initial infection may occur through fraudulent advertising or phishing. The malware then inserts a special script tag into the victim's browser, which leads to an external script. This approach increases the stealth of the attack, since simple loader scripts are less likely to be marked as malicious.

The malicious script retrieved this way is also disguised: in this campaign, for example, it impersonates legitimate JavaScript content delivery networks. To evade detection, the hackers used domains similar to the legitimate "cdnjs[.]com" and "unpkg[.]com". Before executing, the script also checks for the presence of certain antivirus products on the victim's system. Everything is done to avoid detection.

It is noteworthy that the script is able to dynamically change its behavior depending on the instructions of the C2 server, supporting many operational states.

Researchers found a link between this campaign and DanaBot, a modular banking Trojan that has been distributed since 2018. According to IBM, the campaign discovered in March is still ongoing. IBM experts recommended that users of banking applications at risk should exercise increased vigilance when using email, search aggregators, and online banking directly.
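For defenders, the lookalike-CDN disguise described above can be checked in a page's markup. The following is an added example, not code from IBM's report or from this post: it lists cross-origin script hosts and flags any that name or nearly spell "cdnjs" or "unpkg" without being on an allowlist. The allowlist contents, function names, sample HTML and every hostname except cdnjs.cloudflare.com are assumptions constructed for illustration.

```javascript
const TRUSTED_HOSTS = new Set(["cdnjs.com", "cdnjs.cloudflare.com", "unpkg.com"]);
const BRAND_LABELS = ["cdnjs", "unpkg"];

// Levenshtein edit distance, computed row by row.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const row = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(prev[j] + 1, row[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = row;
  }
  return prev[b.length];
}

// Returns "trusted", "lookalike" or "other" for one hostname.
function classifyHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  if (TRUSTED_HOSTS.has(host)) return "trusted";
  for (const label of host.split(".")) {
    for (const brand of BRAND_LABELS) {
      // Brand embedded in a label, or a one-character typo of it.
      if (label.includes(brand) || editDistance(label, brand) <= 1) return "lookalike";
    }
  }
  return "other";
}

// Lists every cross-origin <script src> in the HTML with its verdict.
function auditScripts(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const m of html.matchAll(/<script\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi)) {
    let url;
    try { url = new URL(m[1], pageUrl); } catch { continue; }
    if (url.origin === pageOrigin) continue;
    findings.push({ host: url.hostname, verdict: classifyHost(url.hostname) });
  }
  return findings;
}

// Constructed sample page; every hostname below is made up except the trusted CDN.
const SAMPLE_HTML = `<script src="/static/app.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script src="https://cdnjs-mirror.example/lib.js"></script>
<script src="https://unpkq.example/pkg.js"></script>
<script src="https://stats.example.net/t.js"></script>`;
console.log(auditScripts(SAMPLE_HTML, "https://bank.example/login"));
```

The regular expression only sees script tags present in static HTML; a tag injected at runtime, as in this campaign, has to be checked against the live DOM (for example via `document.scripts`) using the same classification.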