A New Malicious Chrome Extension Detected Launching MitM Attacks: It Harvests Users' Bank Account Login Credentials
Desbloquear Conteúdo is a newly detected malicious Chrome extension that performs a MitM (Man-in-the-Middle) attack on the targeted computer. Its purpose is to harvest the login IDs and passwords of the user's bank account in order to steal money.
The malicious Chrome extension was discovered during an analysis of suspicious extensions from the Chrome Web Store. Its name, Desbloquear Conteúdo, is Portuguese for "Unblock Content". The extension was found primarily in Brazil, where it attempts to defraud users by breaking into their online banking sessions.
What Is a MitM Attack
In this attack technique, the attackers modify the DNS settings so that the victim's web traffic is redirected to a spoofed page. The victim may have no idea that they have been redirected to the attacker's website, because it looks like their bank's page. Whatever the user enters on that page, such as user ID, password, bank account details, card number or PIN, is captured by the attackers. In this way all of your private information can end up in the attacker's database, where it is used to steal your hard-earned money.
How Does the Desbloquear Conteúdo Malicious Chrome Extension Work
To evade antivirus detection, the malicious Chrome extension Desbloquear Conteúdo relies on an obfuscation technique. Although its source code is not obfuscated, it uses the WebSocket protocol for data communication and a C&C server that also acts as a proxy server. This helps it keep the connection secure and private.
Whenever the victim of the MitM attack visits their Brazilian bank's website, the malicious extension redirects the traffic to the attacker's server.
After the connection is established, the script Fundo.js downloads data from the server and stores it within the Chrome browser. It then contacts the C&C server to receive instructions on which IP address the user's traffic should be redirected to. It fetches that IP address through the function FindProxyForURL.
Another script, named "cef.js", injects HTML code into the home page of the online banking website. The attacker's server connects to the banking site, which then requests the one-time password needed to authenticate the user and grant access to the account.
While the user is logging in to their bank page, the script runs and creates a clone of the "Enter" button, overlaid on the original "Enter" button of the bank's website. Once the user fills in the data and hits "Enter", the data is sent both to the banking system and to the attacker's server. The collected authentication data can then be used to steal money from your bank account without your knowledge.
Users are therefore advised not to install any suspicious or unnecessary browser extensions. Here is a list of some safe extensions that will help you browse safely.
You should also scan your computer if you detect any suspicious behavior on it.