A new malware campaign operating in the wild right now has so far captured sensitive banking data of more than 50,000 users in 40 banks around the world, experts have warned.
Cybersecurity researchers from IBM said the campaign deploys unusual tactics that make it stealthier than others, loading malicious scripts from their servers into the page structure that’s commonly found on many banks’ websites. That allows them to grab user login credentials and one-time passwords (OTP).
After obtaining the login information, the attackers proceed to siphon the funds and lock the legitimate users out of their accounts.
As IBM’s researchers explained, it all starts with a malware infection on the victim’s endpoint. After that, when the victim visits a malicious site, the malware will inject a new script tag which is then loaded into the browser and modifies the website’s content. That allows the attackers to grab the passwords and intercept multi-factor authentication codes and one-time passwords.
The operators can also change the script’s behavior, by sending updates and instructions via a C2 server. It can inject prompts for phone numbers, OTP tokens, prompt error messages, or pretend to be “loading” pages.
While IBM wasn’t able to determine exactly who is behind this campaign, it says that it “loosely” resembles DanaBot, a modular banking trojan first spotted in 2018, and recently observed being distributed via malicious Google Search results.
IBM warns that the campaign is still active and advises caution when using online banking sites and apps.
More from TechRadar Pro
- These fake Android antivirus apps install a dangerous banking trojan
- Here's a list of the best firewalls today
- These are the best endpoint protection services right now
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.