Android banking malware distributed with fake Google reCAPTCHA

Sucuri’s security researchers have identified a phishing campaign that specifically targets online banking users.

So far the attack has been directed at customers of a Polish bank. The attackers combine a fake Google reCAPTCHA page with panic-inducing wording to get victims to click the malicious links embedded in the scam emails.

The objective is the usual one for such campaigns: stealing user credentials. Sucuri’s researchers found that the emails combine the panic bait with impersonation of the bank, so that the recipient ends up downloading the malware.

The malware’s VirusTotal scan results are available here.

According to Sucuri’s blog post, each email contains a bogus confirmation of a transaction supposedly made recently, together with a link that redirects to a malicious PHP file. Bank customers asked to confirm a transaction they do not recognise will naturally be alarmed. What is notable is that the PHP file serves a fake 404 error page, but only to specific user-agents.

Those user-agents are Google-related crawlers, which suggests the attackers care only about hiding the page from Google. Attackers normally apply user-agent filtering to the crawlers of several search engines at once; this campaign filters Google’s alone.

The technique itself is not new; what makes the campaign unusual is how the filter is applied. A request whose user-agent matches a Google crawler gets the 404 page. Any other request, including the one made when a victim clicks the link, makes the PHP script load a combination of static HTML and JavaScript that imitates a Google reCAPTCHA challenge, which is the step that ends in the malware download.
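The cloaking behaviour described above, modelled and probed in Python. This is an added example, not code from Sucuri or from the campaign: the cloaked_handler function is a stand-in for the campaign’s PHP script written from the article’s description (404 for Google crawlers, a fake reCAPTCHA page for everyone else), and the crawler markers, page bodies and probe user-agent strings are constructed assumptions. The detect_cloaking function is the check an incident responder would run against a reported URL: fetch it under several user-agents and compare what comes back.

```python
"""Probe for user-agent cloaking of the kind the article describes.

Added example, not code from Sucuri or from the campaign itself. The
cloaked_handler below is a Python stand-in for the campaign's PHP script,
written from the article's description (404 for Google crawlers, fake
reCAPTCHA for everyone else); the crawler markers, the page bodies and the
probe user-agent strings are constructed assumptions.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

Response = Tuple[int, str]           # (HTTP status, body)
Fetcher = Callable[[str], Response]  # user-agent string -> response

# Substrings the stand-in treats as "a Google crawler" (constructed list).
GOOGLE_CRAWLER_MARKERS = ("googlebot", "adsbot-google", "mediapartners-google")

# Constructed page bodies standing in for the real 404 and fake-reCAPTCHA HTML.
FAKE_404 = "<html><body><h1>404 Not Found</h1></body></html>"
FAKE_RECAPTCHA = ('<html><body><div class="g-recaptcha"></div>'
                  '<script src="recaptcha.js"></script></body></html>')


def is_google_crawler(user_agent: str) -> bool:
    ua = user_agent.lower()
    return any(marker in ua for marker in GOOGLE_CRAWLER_MARKERS)


def cloaked_handler(user_agent: str) -> Response:
    """Stand-in for the malicious PHP: hide from Google, show the lure to everyone else."""
    if is_google_crawler(user_agent):
        return 404, FAKE_404
    return 200, FAKE_RECAPTCHA


# User-agents to probe with (constructed, representative strings).
PROBE_AGENTS: Dict[str, str] = {
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "bingbot": "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
    "android": "Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 Chrome/72.0 Mobile Safari/537.36",
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/72.0 Safari/537.36",
}


def detect_cloaking(fetch: Fetcher) -> Dict[str, object]:
    """Fetch the same URL under several user-agents and compare the answers.

    cloaked          - the responses differ across user-agents at all
    google_only      - Google's crawler gets a 404 while Bing and a browser get 200
                       (the exact pattern the article describes)
    recaptcha_served - at least one variant contains a reCAPTCHA widget
    statuses         - status code per probe name
    """
    results = {name: fetch(ua) for name, ua in PROBE_AGENTS.items()}
    statuses = {name: status for name, (status, _) in results.items()}
    bodies = {body for _, body in results.values()}
    google_only = (
        statuses["googlebot"] == 404
        and statuses["bingbot"] == 200
        and statuses["android"] == 200
    )
    return {
        "cloaked": len(bodies) > 1,
        "google_only": google_only,
        "recaptcha_served": any("g-recaptcha" in body for body in bodies),
        "statuses": statuses,
    }


def http_fetcher(url: str, timeout: float = 10.0) -> Fetcher:
    """Real fetcher for a URL you are authorised to test; not used in the offline run."""
    def fetch(user_agent: str) -> Response:
        req = urllib.request.Request(url, headers={"User-Agent": user_agent})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")
    return fetch


if __name__ == "__main__":
    # Offline run against the stand-in handler; swap in http_fetcher(url) for a live check.
    print(detect_cloaking(cloaked_handler))
```

Against the stand-in, the report shows cloaked and google_only both true with statuses of 404 for Googlebot and 200 for every other probe. When probing a live URL, do it from a sandboxed host, since a 200 response is the lure page that leads to the malware download; the body is only ever inspected as text here.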

Website owners and administrators should watch out for this malware too, because the malicious PHP file lives on compromised websites. A site caught hosting it can be reported to Google, disabled by its hosting company and eventually blacklisted, which is a serious problem for the site’s owner.

Sucuri’s researchers therefore urge website admins to scan all existing website files and databases for malware and remove the files identified in the scan or named in abuse complaints. They also suggest changing passwords, so that credentials the attackers already hold cannot be reused to get back in.
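A starting point for the file scan recommended above, as an added example that is not Sucuri’s scanner or any tool the article names. It walks a web root and flags PHP files that show the combination the article describes: reading the User-Agent header, singling out Google’s crawler, and answering with a 404. The indicator patterns, the file names and the sample site it builds for the offline run are constructed assumptions.

```python
"""Triage scan of a web root for PHP files that cloak on the User-Agent header.

Added example, not Sucuri's scanner or any tool the article names. It looks
for the combination the article describes (a script that reads the
User-Agent, singles out Google's crawler, and answers with a 404 while
serving other visitors) and reports files worth a manual look. The indicator
patterns and the sample site are constructed assumptions.
"""
import os
import re
import tempfile
from typing import Dict, List

# Indicator name -> compiled regex (constructed, case-insensitive).
INDICATORS = {
    "reads_user_agent": re.compile(r"HTTP_USER_AGENT", re.I),
    "matches_google_crawler": re.compile(r"google(bot)?", re.I),
    "fakes_404": re.compile(r"404"),
    "serves_recaptcha": re.compile(r"recaptcha", re.I),
}
# A file must hit all of these to be reported as a cloaking candidate.
REQUIRED = ("reads_user_agent", "matches_google_crawler", "fakes_404")


def scan_php_file(path: str) -> List[str]:
    """Return the names of the indicators present in one file, in INDICATORS order."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def find_cloaking_php(root: str) -> Dict[str, List[str]]:
    """Walk root; map relative path -> indicators for every PHP file hitting all of REQUIRED."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            full = os.path.join(dirpath, name)
            found = scan_php_file(full)
            if all(req in found for req in REQUIRED):
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return dict(sorted(hits.items()))


def build_sample_site() -> str:
    """Create a constructed web root in a temp dir: one cloaking script, two benign files."""
    root = tempfile.mkdtemp(prefix="sample-site-")
    files = {
        # Constructed stand-in for the campaign's PHP; not the real script.
        "wp-content/uploads/confirm.php": (
            "<?php\n"
            "if (preg_match('/googlebot/i', $_SERVER['HTTP_USER_AGENT'])) {\n"
            "    header('HTTP/1.0 404 Not Found'); echo '<h1>404 Not Found</h1>'; exit;\n"
            "}\n"
            "readfile('recaptcha.html');\n"
        ),
        # Benign: a theme helper that only logs the user-agent.
        "wp-content/themes/site/functions.php": (
            "<?php\nerror_log('visitor: ' . $_SERVER['HTTP_USER_AGENT']);\n"
        ),
        # Benign: a normal 404 template with no user-agent logic.
        "404.php": "<?php\nhttp_response_code(404);\necho 'Page not found';\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # Offline run against the constructed site; point find_cloaking_php at a real web root otherwise.
    for rel, found in find_cloaking_php(build_sample_site()).items():
        print(rel, "->", ", ".join(found))
```

Two caveats a practitioner should keep in mind: legitimate SEO and caching plugins also branch on Googlebot, so a hit is a file to read, not a verdict; and malware that hides its logic behind base64 or eval will not match plain string patterns, so this is a first pass, not a substitute for a full malware scan of files and database.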
