TotalSystemSecurity.com

Find the Best solution for PC threats


A New Malicious Chrome Extension Detected to Launch MitM Attack to Steal Money from bank accounts


Desbloquear Conteúdo is a newly detected malicious Chrome extension that performs a MitM (Man-in-the-Middle) attack on the targeted computer. Its purpose is to harvest the login IDs and passwords of the user’s bank account in order to steal money.

The malicious Chrome extension was discovered during an analysis of suspicious extensions from the Chrome Web Store. Its name, Desbloquear Conteúdo, is Portuguese for ‘Unblock Content’. The extension was primarily seen in Brazil, where it attempted to defraud users by breaking into their online banking sessions.

What is MitM Attack

In this attack technique, the attackers modify the DNS settings so that the victim’s web traffic is redirected to a spoofed page. The victim may not realise they have been redirected to the hacker’s website, because it looks just like their banking page. Anything the user enters on that page, such as user ID, password, bank account details, card number or PIN, is captured by the hackers. In this way all of your private information ends up in the hackers’ database, which they use to steal your hard-earned money.

How Does the Desbloquear Conteúdo Malicious Chrome Extension Work

To evade antivirus detection, the malicious Chrome extension Desbloquear Conteúdo relies on an evasion technique that does not obfuscate its source code: instead it uses the WebSocket protocol to establish its data communication and a C&C server to supply the proxy server. This keeps the connection secure and private from the attackers’ point of view.
Whenever a victim of the MitM attack visits their Brazilian bank’s website, the malicious extension redirects the traffic to the hacker’s server.

According to the analysis, the Desbloquear Conteúdo extension uses two JavaScript files, fundo.js and pages.js. The two scripts perform different operations to control the victim’s actions on the targeted machine.
fundo.js: this script initiates the data connection by calling the websocket_init() function.
pages.js: this script downloads scripts from the hacker’s domain ganalytics[.]ga and overlays them on the banks’ sites.

Once the connection is established, fundo.js downloads data from the server and stores it within the Chrome browser. It then contacts the C&C server to receive instructions on which IP address the user’s traffic should be redirected to. It fetches that IP address by calling the function FindProxyForURL.

Another script, cef.js, is used to add HTML code to the home page of the online banking website. The hacker’s server is connected to the banking site, which then requests the one-time passwords needed to authenticate the user and let them access the account.

While the user is logging in to their bank page, the script runs and calls a clone of the “Enter” button, which is overlaid on the original “Enter” button of the bank’s website. Once the user provides their data and hits “Enter”, the data is sent to both the banking system and the hacker’s server. The collected authentication data can then be used to steal money from your bank account without your knowledge.
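The behaviours described above (traffic-control permissions, a PAC-style FindProxyForURL selector, a WebSocket channel to a remote host, and remotely loaded scripts overlaid on bank pages) can be triaged statically. The following is an added example, not code from the article or from the analysed extension: it scans an unpacked extension directory and, for the stand-alone run, builds a constructed stand-in with the fundo.js / pages.js layout; the permission watchlist and indicator patterns are assumptions for illustration.

```python
import json, os, re, tempfile

# Permissions that let an extension reroute or intercept traffic (watchlist assumed here).
RISKY_PERMISSIONS = {"proxy", "webRequest", "webRequestBlocking", "<all_urls>"}
# Source indicators: PAC proxy selector, chrome.proxy API, remote WebSocket, remote script loading.
INDICATORS = {
    "pac_proxy_function": re.compile(r"\bFindProxyForURL\s*\("),
    "proxy_settings_api": re.compile(r"chrome\.proxy\.settings\.set"),
    "websocket_to_remote_host": re.compile(r"new\s+WebSocket\(\s*['\"]wss?://"),
    "remote_script_injection": re.compile(r"createElement\(\s*['\"]script['\"]\s*\)"),
}

def triage_extension(ext_dir):
    """Return risky manifest permissions and per-file indicator hits for one unpacked extension."""
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    findings = {"risky_permissions": sorted(perms & RISKY_PERMISSIONS), "hits": {}}
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            for label, pattern in INDICATORS.items():
                if pattern.search(src):
                    findings["hits"].setdefault(label, []).append(os.path.relpath(path, ext_dir))
    # Traffic-control permissions plus any code indicator is enough to pull the extension for review.
    findings["suspicious"] = bool(findings["risky_permissions"] and findings["hits"])
    return findings

def build_sample_extension():
    """Write a constructed stand-in mirroring the fundo.js / pages.js layout from the article."""
    ext_dir = tempfile.mkdtemp(prefix="ext_triage_")
    files = {
        "manifest.json": json.dumps({"name": "sample", "permissions": ["proxy", "storage", "<all_urls>"]}),
        "fundo.js": "function websocket_init() { ws = new WebSocket('wss://example.invalid/ch'); }\n"
                    "function FindProxyForURL(url, host) { return 'PROXY 203.0.113.1:8080'; }\n",
        "pages.js": "var s = document.createElement('script'); s.src = 'https://example.invalid/x.js';\n",
    }
    for name, body in files.items():
        with open(os.path.join(ext_dir, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return ext_dir

def triage_sample():
    """Triage the constructed sample, e.g. print(json.dumps(triage_sample(), indent=2))."""
    return triage_extension(build_sample_extension())
```

Run it against a real unpacked extension with triage_extension(path); a hit on the proxy indicators together with a proxy or <all_urls> permission is the combination worth escalating.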

Users are therefore advised not to install any suspicious or unnecessary browser extensions. Here is a list of some safe extensions that will help you browse safely:

You should also scan your computer if you notice any suspicious behaviour on it.



TotalSystemSecurity © 2015-2018