The IT Nerd

New JavaScript Malware Aims To Steal Your Banking Data Says IBM


A new malware campaign that emerged in March 2023 used JavaScript web injections to try to steal the banking data of over 50,000 users of 40 banks in North America, South America, Europe, and Japan.

IBM’s security team, which discovered the threat, reports that the campaign had been in preparation since at least December 2022, when the malicious domains were purchased. The initial infection vector is not specified; malvertising, phishing or similar delivery are the likely routes.

IBM found that the JS script targets a specific page structure common to multiple banks. When the page contains a certain keyword and a login button with a specific ID, the script injects new malicious content to intercept the user’s credentials and one-time passwords (OTPs).

“The retrieved script is intentionally obfuscated and returned as a single line of code, which includes both the encoded script string and a small decoding script.

“In the past, we observed malware that directly injected the code into the compromised web page. However, in this campaign, the malicious script is an external resource hosted on the attacker’s server. It is retrieved by injecting a script tag into the head element of the page’s HTML document, with the src attribute set to the malicious domain.”

The malicious script is served from domains that masquerade as legitimate JavaScript CDNs (cdnjs[.]com and unpkg[.]com) to avoid detection, and it checks for specific security tools before executing.
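The technique above has a page-side signature: a script element appears in the document head whose src points at a host the bank never ships, often one whose name imitates a real CDN. The following is an added example, not code from IBM’s report or from this article, of an offline audit that walks the script tags in a page’s HTML, resolves each src against the page origin, and classifies the host as allowed, a CDN look-alike, or unknown. The allowlist (bank.example, cdnjs.cloudflare.com, unpkg.com), the brand tokens, the login form with id="loginBtn" and the sample HTML are all constructed assumptions for illustration.

```javascript
// Added example (not from the IBM report or the article): audit <script src>
// tags in raw HTML against an allowlist of exact script hosts and flag hosts
// that merely resemble a trusted CDN. All hostnames and HTML are constructed.

// Assumed allowlist for a hypothetical bank site: exact hostnames only.
const ALLOWED_SCRIPT_HOSTS = new Set([
  "bank.example",          // assumed first-party host
  "cdnjs.cloudflare.com",  // legitimate cdnjs host
  "unpkg.com",             // legitimate unpkg host
]);

// Brand tokens an attacker might embed in a look-alike hostname.
const BRAND_TOKENS = ["cdnjs", "unpkg"];

// Pull every <script ... src="..."> out of raw HTML with a regex so the audit
// runs without a DOM (e.g. over a captured response in Node).
// Returns one record per tag: the raw src and whether it sits inside <head>.
function extractScriptSrcs(html) {
  const headEnd = html.search(/<\/head\s*>/i);
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push({ src: m[1], inHead: headEnd !== -1 && m.index < headEnd });
  }
  return out;
}

// Resolve one src against the page origin and classify its host.
function classifySrc(src, pageOrigin) {
  let u;
  try {
    u = new URL(src, pageOrigin); // URL is a global in Node and browsers
  } catch {
    return { host: null, verdict: "unparseable" };
  }
  const host = u.hostname.toLowerCase();
  if (ALLOWED_SCRIPT_HOSTS.has(host)) return { host, verdict: "allowed" };
  // Not on the allowlist, but the name imitates a trusted CDN: the pattern
  // described in the report.
  if (BRAND_TOKENS.some((t) => host.includes(t))) return { host, verdict: "lookalike" };
  return { host, verdict: "unknown" };
}

// Full audit: every script tag with its host and verdict.
function auditScripts(html, pageOrigin) {
  return extractScriptSrcs(html).map((s) => ({ ...s, ...classifySrc(s.src, pageOrigin) }));
}

// The narrow check a bank's monitoring would page on: anything in <head>
// that is not on the allowlist.
function findSuspiciousHeadScripts(html, pageOrigin) {
  return auditScripts(html, pageOrigin).filter((s) => s.inHead && s.verdict !== "allowed");
}

// Constructed sample page: one legitimate CDN script, one injected look-alike
// in <head>, a first-party script and an unrelated third-party script in <body>.
const SAMPLE_HTML = `
<html><head>
<title>Online banking</title>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script src="https://cdnjs.example/ajax/lib.js"></script>
</head><body>
<form><input id="user"><input id="pass" type="password"><button id="loginBtn">Log in</button></form>
<script src="/static/app.js"></script>
<script src="https://tracker.invalid/t.js"></script>
</body></html>`;

const PAGE_ORIGIN = "https://bank.example/login"; // assumed page URL

for (const s of auditScripts(SAMPLE_HTML, PAGE_ORIGIN)) {
  console.log(`${s.inHead ? "head" : "body"} ${s.verdict.padEnd(10)} ${s.host} <- ${s.src}`);
}
```

Exact-host matching is the point of the allowlist: a substring or prefix match on "cdnjs" would accept exactly the look-alike the audit is meant to catch. On the server side, a Content-Security-Policy with script-src limited to the same exact hosts makes the browser refuse the injected tag outright, with the caveat that injection performed by malware already on the victim’s machine (the likely case here) can alter the response before the browser sees it, so the header is a layer, not a cure.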

Emily Phelps, Director, Cyware has this comment:

“Cyber threats are continuously evolving to bypass detection mechanisms. This evolution accentuates the critical importance of proactive threat intelligence and trusted intelligence sharing, especially in sectors like finance which are frequently targeted due to their access to valuable data. As attackers rely on tactics that exploit human behavior – such as phishing and malvertising – along with the development of technologies that circumvent traditional safeguards, security teams need real-time, context-rich threat intelligence to outpace threat actors.”

Ted Miracco, CEO, Approov Mobile Security follows with this:

“This attack highlights that the financial services sector is extremely vulnerable to fraud, especially when it is simply relying on user authentication and one-time passwords (OTPs). Credential theft is the focus of attackers, and this JS attack demonstrates how vulnerable consumers are even with multi-factor authentication (MFA).

“Banks need additional security layers especially with mobile banking apps and can implement measures like app tampering detection, mobile app attestation, and runtime application self-protection (RASP) techniques to prevent attacks on APIs. These measures help prevent unauthorized modifications to the app that could introduce malicious code and may also prevent fraud from credentials that were stolen using web-based techniques like this.”

David Ratner, CEO, HYAS Infosec adds this comment:

“Criminals will continue to find new and innovative ways to steal data and money. However, the infrastructure needed to conduct and carry out their attacks must be procured and set up in advance. Focusing on the adversary infrastructure layer is one of the best ways to drive resiliency and protection when the attack vector and technique will constantly change.”

Hopefully, now that this malware is getting attention, it will be less effective for whoever is behind it. But as always, a new threat will emerge to take its place, so it makes sense to stay on guard for anything that could possibly be a threat.
