This malware can access your bank account if you make a typo
A Russian-speaking cybercrime group has been observed combining powerful information-stealing malware with typosquatted domains to steal login details for banking sites. The campaign was spotted by cybersecurity firm Hold Security and reported by KrebsOnSecurity.
According to the report, the group, known as the Disneyland Team, is targeting people already infected with a powerful banking trojan called Gozi 2.0 (aka Ursnif), which can steal data from the computer, harvest user credentials and financial information, and deploy additional malware.
But Gozi alone won't cut it anymore, as browser makers have introduced security measures over the years that blunt its browser-manipulation tricks. This is where typosquatting comes in: registering domain names that are common misspellings of legitimate sites and hosting phishing pages on them.
Gozi help
According to KrebsOnSecurity, “In recent years, these types of crooks have used custom ‘web injections’ to manipulate what Gozi victims see in their web browsers when they visit their bank’s site.”
These could then “copy and/or intercept any data that users would enter into a web-based form, such as a username and password. However, most web browser makers have spent years adding security measures to block such nefarious activity.”
So to keep Gozi useful, the attackers also set up fake banking sites on typosquatted domains. Examples of such domains are ushank[.]com (targeting people who misspell usbank.com) and ạmeriprisẹ[.]com (aimed at people visiting ameriprise.com).
You'll see little dots under the letters a and e, and if you took them for specks of dust on your screen, you wouldn't be the first to fall for the trick. They are not dirt, though: they are Unicode characters that look like the Latin letters a and e (here, Latin letters carrying a dot-below diacritic), and the browser renders them in the address bar just like the real thing.
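A defender's counterpart to this trick is to fold a suspicious domain down to the plain-ASCII string a human reads it as and compare that against the brands you protect. The following is an added example written for this page, not code from the article, Hold Security or KrebsOnSecurity; the brand list is constructed sample data, and the confusables table is a hand-picked handful of entries in the spirit of Unicode's confusables list (UTS #39), not the full list. It catches both tricks described above: diacritic lookalikes such as ạmeriprisẹ.com (NFKD normalisation separates the base letter from the dot-below mark, which is then dropped) and plain keyboard typos such as ushank.com (one edit away from usbank.com).

```python
import unicodedata

# Constructed sample of brand domains to protect (example data, not from the article).
PROTECTED = ["usbank.com", "ameriprise.com"]

# A few Cyrillic letters that render like Latin ones, taken in the spirit of
# Unicode's confusables list (UTS #39). NFKD does not fold these, so they need
# an explicit map; a production tool would load the full list.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
}


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so lookalikes are inspected as the
    characters the browser shows, not the ASCII form the DNS sees."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid IDNA: inspect as-is


def skeleton(domain: str) -> str:
    """Collapse a domain to the plain-ASCII string a human would read:
    lower-case, map known confusables, then strip combining marks such as
    the dot-below in 'ạ' and 'ẹ' (NFKD splits base letter from mark)."""
    text = to_unicode(domain).lower()
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-keystroke typos like ushank/usbank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, protected=PROTECTED, max_typo_distance: int = 1):
    """Return None for a brand's genuine domain or an unrelated one; otherwise
    a dict naming the impersonated brand and whether the trick is a homoglyph
    (lookalike characters) or a typo (a few edits away in plain ASCII)."""
    shown = to_unicode(domain).lower()
    if shown in protected:
        return None  # the genuine domain, as the browser would display it
    plain = skeleton(domain)
    for brand in protected:
        if plain == brand:
            return {"domain": domain, "brand": brand, "reason": "homoglyph"}
        if levenshtein(plain, brand) <= max_typo_distance:
            return {"domain": domain, "brand": brand, "reason": "typo"}
    return None


if __name__ == "__main__":
    for d in ["usbank.com", "ushank.com", "ạmeriprisẹ.com", "usbаnk.com", "example.com"]:
        print(d, "->", classify(d))
```

Run over newly registered domains or a certificate-transparency feed, the "homoglyph" hits are the ones worth taking down or blocking first, since nothing in the victim's address bar would have warned them.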
So when a victim lands on one of these bogus banking sites, the page acts as a relay: everything the victim types is forwarded to the real bank's website, while the attackers keep a copy for themselves.
That way, when the real bank responds with a multi-factor authentication (MFA) request, the fake site prompts the victim for the code too and passes it along, effectively rendering the MFA useless.
Via: KrebsOnSecurity