In a disconcerting revelation, a newly identified strain of JavaScript malware has set its sights on compromising online banking accounts, orchestrating a widespread campaign impacting over 40 financial institutions globally. This insidious activity, leveraging JavaScript web injections, has resulted in an estimated 50,000 infected user sessions across North America, South America, Europe, and Japan.
IBM Security Trusteer, a leading cybersecurity entity, detected this malicious campaign in March 2023. According to security researcher Tal Langus, the primary goal of the threat actors is to compromise popular banking applications. Once the JavaScript malware infiltrates an online banking security system, it aims to intercept users’ credentials, subsequently gaining unauthorized access to and potentially exploiting their banking information.
The attack mechanism involves scripts loaded from a threat actor-controlled server, specifically identified as “jscdnpack[.]com”. These scripts target a common page structure shared by various banks, suggesting a meticulous approach. The malware may be delivered to potential victims through phishing emails or malvertising, posing multifaceted cybersecurity threats.
The malware employs obfuscated scripts to conceal its true purpose. When a victim visits a bank website, the login page undergoes alterations with malicious JavaScript. This script is adept at harvesting credentials and one-time passwords (OTPs) without raising suspicion. Importantly, the malware’s behavior is dynamic, continuously querying both the command-and-control (C2) server and the current page structure, adjusting its course based on acquired information.
The server’s response dictates the malware’s subsequent actions, allowing it to erase traces of injections and introduce deceptive user interface elements. These elements may include prompts to accept OTPs, aiding threat actors in bypassing security measures. Additionally, the banking malware may display error messages indicating temporary unavailability of online banking services for 12 hours, dissuading victims from logging in and providing a window for unauthorized account access.
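As an added example (not code from the article, from IBM Trusteer, or from the malware itself), the kind of client-side integrity check a bank's front end could run against the injection behaviour described above: an allowlist of script origins plus an audit of login-form fields, so that a script pulled from a foreign host or an unexpected OTP prompt added after page load is reported. The host names, field names and sample mutation records are assumptions constructed for illustration.

```javascript
// Constructed values: the bank's own script hosts and the fields its login form ships with.
const ALLOWED_SCRIPT_HOSTS = new Set(["bank.example", "static.bank.example"]);
const EXPECTED_LOGIN_FIELDS = new Set(["username", "password"]);

// Resolve a script src (absolute or relative) to a host name, or null if unparseable.
function scriptHost(src) {
  try { return new URL(src, "https://bank.example/").hostname; } catch (e) { return null; }
}

// A login page that ships no inline scripts treats any inline script as suspect.
function classifyScript(src) {
  if (!src) return "inline-script";
  const host = scriptHost(src);
  if (host === null) return "unparseable";
  return ALLOWED_SCRIPT_HOSTS.has(host) ? "allowed" : "foreign-host";
}

// Fields that were not part of the original form (e.g. an injected OTP prompt).
function unexpectedFields(fieldNames) {
  return fieldNames.filter(n => !EXPECTED_LOGIN_FIELDS.has(n));
}

// Evaluate DOM mutation records of the form {type: "script", src} or
// {type: "form", fieldNames} and return the findings a defender would want to report.
function auditMutations(records) {
  const findings = [];
  for (const r of records) {
    if (r.type === "script") {
      const verdict = classifyScript(r.src);
      if (verdict !== "allowed") findings.push({ kind: verdict, src: r.src || null });
    } else if (r.type === "form") {
      for (const f of unexpectedFields(r.fieldNames)) findings.push({ kind: "injected-field", name: f });
    }
  }
  return findings;
}

// Browser-only hook (not run under Node): feed added <script> and <input> nodes to the audit.
function installObserver(doc, report) {
  const obs = new MutationObserver(muts => {
    const records = [];
    for (const m of muts) for (const n of m.addedNodes) {
      if (n.nodeType !== 1) continue;
      if (n.tagName === "SCRIPT") records.push({ type: "script", src: n.getAttribute("src") });
      if (n.tagName === "INPUT" && n.form) records.push({ type: "form", fieldNames: [n.name] });
    }
    const findings = auditMutations(records);
    if (findings.length) report(findings);
  });
  obs.observe(doc.documentElement, { childList: true, subtree: true });
  return obs;
}

// Constructed sample: one legitimate script, one foreign script, one inline script, one added field.
const SAMPLE_RECORDS = [
  { type: "script", src: "https://static.bank.example/app.js" },
  { type: "script", src: "https://cdn.injector.invalid/inject.js" },
  { type: "script", src: null },
  { type: "form", fieldNames: ["username", "password", "otp_code"] },
];
```

In a real deployment the report callback would post findings to the bank's own telemetry endpoint; the observer cannot undo an injection, only surface it.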
Although the exact origins of the malware remain unknown, indicators of compromise (IoCs) suggest a potential connection to the DanaBot family, a known stealer and loader. DanaBot has been previously associated with malicious ads on Google Search and has served as an initial access vector for ransomware attacks. The sophistication of this threat lies in its advanced capabilities, particularly in executing man-in-the-browser attacks through dynamic communication and adaptable web injection methods.
This web-inject campaign unfolds against a backdrop of escalating financial fraud. Sophos recently exposed a scheme involving a fake liquidity mining service, netting threat actors nearly $2.9 million in cryptocurrency from 90 victims. The scheme, orchestrated by three separate threat activity groups, points to a broader network potentially affiliated with a single organized crime ring, possibly based in China.
According to Europol’s Internet Organized Crime Threat Assessment (IOCTA), investment fraud and business email compromise (BEC) fraud persist as the most prolific online fraud schemes. The agency highlights the concerning trend of combining investment fraud with other scams, such as romance scams, where criminals build trust with victims before convincing them to invest in fraudulent cryptocurrency platforms. Therefore, implementing strong cybersecurity measures for online transactions is crucial to safeguard sensitive information and protect against potential cyber threats.
Beyond financial institutions, cyber threats continue to diversify. Group-IB, a cybersecurity company, reports the identification of 1,539 phishing websites impersonating postal operators and delivery companies since November 2023. This extensive campaign spans 53 countries, with Germany, Poland, Spain, the U.K., Turkey, and Singapore being the primary targets.
The campaign involves sending SMS messages mimicking reputable postal services, prompting users to visit counterfeit websites and divulge personal and payment details under the guise of urgent or failed deliveries. Notably, the operation employs various evasion methods, restricting access based on geographic location and on specific devices and operating systems. The scammers also minimize the lifespan of the phishing websites, improving their chances of remaining undetected.
As the landscape of internet security risks evolves, placing emphasis on the implementation of proactive cybersecurity measures is paramount for organizations worldwide. In the face of sophisticated JavaScript malware campaigns and diversified cyber threats, malware prevention strategies and automated patching act as crucial components of safeguarding systems and ensuring business continuity.
The sources for this piece include articles in The Hacker News and Bleeping Computer.
The post JavaScript Malware: 50,000+ Bank Users at Risk Worldwide appeared first on TuxCare.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/javascript-malware-50000-bank-users-at-risk-worldwide/