IBM Security has dissected some JavaScript code that was injected into people's online banking pages to steal their login credentials, saying 50,000 user sessions with more than 40 banks worldwide were compromised by the malicious software in 2023.
Judging by the evidence to hand, it appears the Windows malware DanaBot, or something related or connected to it, infects victims' PCs - typically via spam emails, among other routes - and then waits for the user to visit their bank's website.
At that point, the malware kicks in and injects JavaScript into the login page.
This injected code executes on the page in the browser, and intercepts the victim's credentials as they are entered, which can be passed to fraudsters to exploit to drain accounts.
The code has been spotted attacking customers of dozens of financial orgs in North America, South America, Europe, and Japan, IBM's Tal Langus reported this week.
The miscreants behind this caper bought the domain names used by the JavaScript code in December 2022, and started their web injection campaign shortly after.
We're told the credential stealing continues to this day.
The JS targets a webpage structure that multiple banks use for their sites, and it sounds as though it can harvest multi-factor authentication tokens, too, from marks.
The script is fairly smart: it communicates with a remote command-and-control server, and removes itself from the DOM tree - deletes itself from the login page, basically - once it's done its thing, which makes it tricky to detect and analyze.
The script's capabilities include injecting a prompt for the user's phone number or two-factor authentication token, which the miscreants can combine with the intercepted username and password to access the victim's bank account and steal their cash.
The script can also inject an error message on the login page that says the banking services are unavailable for 12 hours.
Other actions include injecting a page loading overlay as well as scrubbing any injected content from the page.
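The behaviours described above - a script injected into the login page, a full-page loading overlay, a fake "unavailable for 12 hours" banner, an extra phone-number or token prompt, and the script deleting itself from the DOM once done - are all things a bank's own front-end can watch for. The following is an added example, not code from IBM's write-up, The Register, or the malware itself: a small DOM-integrity monitor built on MutationObserver. The script origin allowlist, the expected form field names, and the sample page are hypothetical placeholders constructed for the example, not values from the campaign.

```javascript
'use strict';

// Assumed: the only origin the real login page legitimately loads scripts from.
const SCRIPT_ALLOWLIST = ['https://static.example-bank.test/'];
// Assumed: the input fields the genuine login form is expected to contain.
const EXPECTED_FIELDS = new Set(['username', 'password', 'csrf_token']);

function isAllowedScriptSrc(src) {
  return SCRIPT_ALLOWLIST.some((prefix) => src.startsWith(prefix));
}

// Computed style in a browser; inline style (or nothing) for plain objects.
function styleOf(node) {
  if (typeof getComputedStyle === 'function' && node.nodeType === 1) {
    return getComputedStyle(node);
  }
  return node.style || {};
}

// A fixed/absolute element covering the viewport with a high z-index is the
// shape of the "page loading" overlay the inject draws over the login form.
function isFullscreenOverlay(node) {
  const s = styleOf(node);
  const z = parseInt(s.zIndex, 10);
  return (s.position === 'fixed' || s.position === 'absolute') &&
    Number.isFinite(z) && z >= 1000 &&
    s.width === '100%' && s.height === '100%';
}

// Returns a short verdict for a suspicious node, or null if it looks benign.
function classifyAddedNode(node) {
  const tag = String(node.tagName || '').toUpperCase();
  if (tag === 'SCRIPT') {
    if (!node.src) return 'inline-script-injected';
    return isAllowedScriptSrc(node.src) ? null : 'external-script-not-allowlisted';
  }
  if (tag === 'IFRAME') return 'iframe-injected';
  if (tag === 'INPUT') {
    return EXPECTED_FIELDS.has(String(node.name || '')) ? null : 'unexpected-input-field';
  }
  if (isFullscreenOverlay(node)) return 'fullscreen-overlay';
  const text = String(node.textContent || '').toLowerCase();
  if (/unavailable for \d+\s*hours?/.test(text)) return 'fake-outage-banner';
  if (/(phone number|one[- ]time (code|password)|verification code)/.test(text)) {
    return 'unexpected-2fa-prompt';
  }
  return null;
}

// A <script> vanishing after the page has loaded is itself a signal: the
// inject removes itself from the DOM tree once it has captured what it wants.
function classifyRemovedNode(node) {
  const tag = String(node.tagName || '').toUpperCase();
  return tag === 'SCRIPT' ? 'script-self-removed' : null;
}

// One-off sweep of a tree (real DOM elements, or plain objects with a
// `children` array). Stops descending at the first flagged ancestor so a
// banner is reported once rather than for every element inside it.
function scanTree(root) {
  const findings = [];
  const walk = (node) => {
    const verdict = classifyAddedNode(node);
    if (verdict) {
      findings.push({ verdict, tag: String(node.tagName || '').toUpperCase() });
      return;
    }
    for (const child of node.children || []) walk(child);
  };
  for (const child of root.children || []) walk(child);
  return findings;
}

// Live monitoring. Returns the observer in a browser, or null where there is
// no MutationObserver (for instance when this file is run under Node.js).
function installDomMonitor(root, report) {
  if (typeof MutationObserver === 'undefined') return null;
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const n of m.addedNodes) {
        const v = classifyAddedNode(n);
        if (v) report(v, n);
      }
      for (const n of m.removedNodes) {
        const v = classifyRemovedNode(n);
        if (v) report(v, n);
      }
    }
  });
  observer.observe(root, { childList: true, subtree: true });
  return observer;
}

// Constructed sample: a login page after a web inject has tampered with it.
const SAMPLE_PAGE = {
  tagName: 'BODY',
  children: [
    { tagName: 'SCRIPT', src: 'https://static.example-bank.test/login.js' },
    { tagName: 'FORM', children: [
      { tagName: 'INPUT', name: 'username' },
      { tagName: 'INPUT', name: 'password' },
      { tagName: 'INPUT', name: 'phone' }, // extra prompt added by the inject
    ] },
    { tagName: 'SCRIPT', src: 'https://cdn.attacker-controlled.test/inject.js' },
    { tagName: 'DIV', style: { position: 'fixed', zIndex: '9999', width: '100%', height: '100%' } },
    { tagName: 'DIV', textContent: 'Online banking is unavailable for 12 hours.' },
  ],
};

if (typeof document !== 'undefined') {
  installDomMonitor(document.documentElement, (v, n) => console.warn('[dom-monitor]', v, n));
}
```

Run in a browser, `installDomMonitor` reports injected scripts, overlays and prompts as they appear and flags a script that deletes itself; `scanTree(SAMPLE_PAGE)` under Node.js returns four findings for the constructed page (the extra phone field, the non-allowlisted script, the overlay and the outage banner). Findings should be posted to the bank's own telemetry endpoint, since a browser-side alert alone can be suppressed by the same malware that controls the page.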
IBM's advice for users is the usual: use strong passwords, don't download software from unknown sources, and report any odd behavior to your bank.
See the above-linked write-up for more technical info and some indicators of compromise, if you want to look out for this particular software nasty.
This Cyber News was published on go.theregister.com. Publication date: Thu, 21 Dec 2023 00:13:04 +0000