New Web Injections Campaign Steals Banking Data From 50,000 People

Cyber Threat Summary:
A recent malware campaign has targeted over 50,000 users across 40 banks in various regions, using JavaScript injections to steal banking data. The attack, discovered by IBM’s security team, began its preparation in December 2022 and executed its malicious operation in March 2023. The attack unfolds in multiple stages, beginning with infection of the victim’s device. Once a user visits compromised or malicious websites, the malware injects an obfuscated script that stealthily modifies webpage content to capture login credentials and one-time passwords. This new method of attack, which relies on externally hosted scripts, aims for evasiveness and sophistication.

Security Officer Comments:
The script’s operational states are governed by a variable called “mlink”, which orchestrates various commands aimed at precise data exfiltration. The malicious script operates dynamically, adapting its behavior to instructions from a control server, which makes detection challenging. The attacker’s strategy involves multiple commands and states to steal data effectively. The campaign bears some resemblance to DanaBot, a previously known banking trojan. As this attack is ongoing, users are urged to be extra cautious when using online banking services.
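A defensive counterpart to the injection described in the two sections above, added here as an example and not taken from the IBM report or the campaign itself: a page-side check that classifies each script on a banking page as first-party, externally hosted and unlisted, or inline and obfuscation-like, and watches for scripts inserted after the page has loaded. The allowlisted hostnames, the page origin and the sample script snapshot are assumptions constructed for this example.

```javascript
// Added example, not code from the IBM report: page-side detection of injected scripts.
// Allowed hosts and the page origin are assumed placeholders for a bank's first-party hosts.
const ALLOWED_SCRIPT_HOSTS = new Set(["bank.example", "static.bank.example"]);

// Heuristic for obfuscated inline code: a decode/eval primitive plus many escapes or one packed line.
function looksObfuscated(code) {
  const primitives = /\b(eval|atob|unescape|Function)\s*\(/.test(code);
  const escapes = (code.match(/\\x[0-9a-f]{2}|\\u[0-9a-f]{4}/gi) || []).length;
  const longLine = code.split("\n").some((line) => line.length > 500);
  return primitives && (escapes > 20 || longLine);
}

// Verdict for one <script>: hosted scripts are checked against the allowlist, inline ones for obfuscation.
function classifyScript({ src = null, text = "" }, allowed = ALLOWED_SCRIPT_HOSTS, origin = "https://bank.example") {
  if (src) {
    let host; try { host = new URL(src, origin).hostname; } catch { return "malformed-src"; }
    return allowed.has(host) ? "allowed" : "external-unlisted";
  }
  return looksObfuscated(text) ? "inline-obfuscated" : "inline";
}

// Scans a snapshot of script descriptors ({src} or {text}) and returns those that warrant an alert.
function findSuspiciousScripts(scripts, allowed, origin) {
  return scripts
    .map((s) => ({ ...s, verdict: classifyScript(s, allowed, origin) }))
    .filter((s) => s.verdict !== "allowed" && s.verdict !== "inline");
}

// Browser only: report <script> nodes added after load, the way an injection adds its loader. No-op under Node.
function installInjectionMonitor(report = console.warn) {
  if (typeof MutationObserver === "undefined" || typeof document === "undefined") return null;
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) for (const node of m.addedNodes) {
      if (node.tagName !== "SCRIPT") continue;
      const verdict = classifyScript({ src: node.getAttribute("src"), text: node.textContent }, ALLOWED_SCRIPT_HOSTS, location.origin);
      if (verdict !== "allowed" && verdict !== "inline") report("injected script:", verdict, node.src || "(inline)");
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed snapshot of a page's scripts; the third host is an obvious placeholder, not a real indicator.
const SAMPLE_SCRIPTS = [
  { src: "/js/app.js" }, { src: "https://static.bank.example/otp.js" },
  { src: "https://loader.attacker-placeholder.invalid/inject.js" },
  { text: "var balance = document.querySelector('#balance');" },
  { text: "eval(atob('" + "\\x41".repeat(30) + "'))" },
];
console.log(findSuspiciousScripts(SAMPLE_SCRIPTS)); installInjectionMonitor();
```

In a real deployment the allowlist would be the bank's actual script hosts and `report` would post to a telemetry endpoint; a Content-Security-Policy restricting `script-src` to those hosts blocks the externally hosted loader outright, and this monitor then serves as the detection layer behind it.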

Suggested Correction(s):
Users should practice vigilance when using banking apps: contact their bank to report potentially suspicious account activity, avoid downloading software from unknown sources, and follow best practices for password and email security hygiene. Individuals and organizations must also implement robust security measures and stay informed about emerging malware to effectively counteract these threats.