This malware can access your bank account if you make a typo

Credit card
(Image credit: Michal Jarmoluk from Pixabay)

A Russian-speaking cybercrime group was observed combining powerful infostealing malware with typosquatted domains to steal login data for banking sites. The campaign was spotted by cybersecurity experts Hold Security, and reported on by KrebsOnSecurity. 

According to the report, the group, known as the Disneyland Team, is targeting people already infected with a powerful banking malware called Gozi 2.0 (AKA Ursnif), which can steal computer data, harvest user credentials and financial information, and deploy additional malware.

But Gozi alone won’t cut it anymore, as browser makers have introduced various security measures over the years to nullify it. This is where typosquatting comes in: creating phishing websites on domain names that are common misspellings of legitimate sites.

Helping Gozi out

According to KrebsOnSecurity: “In years past, crooks like these would use custom-made ‘web injects’ to manipulate what Gozi victims see in their Web browser when they visit their bank’s site.”

These could then “copy and/or intercept any data users would enter into a web-based form, such as a username and password. Most Web browser makers, however, have spent years adding security protections to block such nefarious activity.”

So, to make use of Gozi, the attackers also added fake bank sites on typosquatted domains. Examples of such domains include ushank[.]com (targeting people that misspell, or ạmeriprisẹ[.]com (targeting people visiting 

You’ll notice small dots below the letters a and e, and if you thought they were specks of dust on your screen, you wouldn’t be the first to fall for the trick. They are not specks, though, but rather Cyrillic letters that the browser renders as Latin.

So when the victim visits one of these fake bank websites, the malware overlays it and forwards anything the victim types to the actual bank’s website, while keeping a copy for itself.

That way, when the real bank website responds with a multi-factor authentication (MFA) request, the fake website requests it too, effectively rendering the MFA useless.
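The two lookalike domains in the article show the two tricks a defender has to catch: a one-keystroke typo (ushank vs. usbank) and a label whose letters carry marks or come from another script so that it renders like the real brand. The script below is an added example, not code from the article or from Hold Security or KrebsOnSecurity: it refangs a defanged indicator, shows the punycode form the browser actually resolves, strips combining marks and a small, hand-picked set of Cyrillic look-alikes (a tiny subset of Unicode's confusables table, an assumption here) to get a "skeleton", and compares that skeleton against a hypothetical brand watch-list with an edit-distance threshold. The sample domains and the watch-list are constructed; the dotted a and e are written as U+1EA1 and U+1EB9 so the text is unambiguous.

```python
import unicodedata

# Constructed samples modelled on the defanged domains quoted in the article,
# plus a genuine brand domain and an unrelated one that must not be flagged.
SAMPLE_DOMAINS = [
    "\u1ea1meripris\u1eb9[.]com",  # a/e carrying a dot-below mark (U+1EA1, U+1EB9)
    "ushank[.]com",                # one-keystroke typo of usbank
    "usbank.com",                  # the genuine label, must not be flagged
    "example.org",                 # unrelated, must not be flagged
]

# Hypothetical watch-list of brand labels a defender wants to protect (assumption).
WATCHED_BRANDS = ["ameriprise", "usbank"]

# Tiny hand-picked subset of Unicode confusables: Cyrillic letters that render
# like Latin ones. A real deployment would load the full confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'ushank[.]com' back into a hostname."""
    return indicator.replace("[.]", ".").strip().lower()


def to_punycode(host: str) -> str:
    """Encode the hostname the way it actually travels on the wire (IDNA/punycode)."""
    return host.encode("idna").decode("ascii")


def skeleton(label: str) -> str:
    """Strip the visual disguise: decompose (NFKD), drop combining marks such as
    U+0323 (dot below), then map known cross-script look-alikes to ASCII."""
    decomposed = unicodedata.normalize("NFKD", label)
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in base)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; catches single-keystroke typos like ushank/usbank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_domain(indicator: str, brands=WATCHED_BRANDS, max_distance: int = 2) -> dict:
    """Classify a hostname against the watch-list.

    Flagged when (a) the label is internationalised and its skeleton is within
    max_distance of a watched brand, or (b) it is plain ASCII and within
    max_distance edits of a brand without being that brand."""
    host = refang(indicator)
    label = host.split(".")[0]
    puny = to_punycode(host)
    is_idn = puny != host                      # any label needed punycode encoding
    skel = skeleton(label)
    best_brand, best_dist = min(((b, levenshtein(skel, b)) for b in brands),
                                key=lambda pair: pair[1])
    is_brand = (not is_idn) and best_dist == 0
    suspicious = ((is_idn and best_dist <= max_distance)
                  or (not is_idn and 0 < best_dist <= max_distance))
    return {
        "host": host, "punycode": puny, "is_idn": is_idn, "skeleton": skel,
        "closest_brand": best_brand, "distance": best_dist,
        "is_brand": is_brand, "suspicious": suspicious,
    }


def scan(indicators=SAMPLE_DOMAINS) -> list:
    """Return only the lookalikes from a list of indicators."""
    return [r for r in (analyze_domain(d) for d in indicators) if r["suspicious"]]


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        r = analyze_domain(d)
        print(f"{r['host']:<20} {r['punycode']:<28} idn={str(r['is_idn']):<5} "
              f"skeleton={r['skeleton']:<12} closest={r['closest_brand']} "
              f"dist={r['distance']} suspicious={r['suspicious']}")
```

Running the block prints one line per sample; `scan()` returns just the two lookalikes. The punycode column is the form worth matching in DNS or proxy logs, since that is what the resolver sees regardless of how the browser renders the label.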

Via: KrebsOnSecurity

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.