Something nasty injected login-stealing JavaScript into 50K online banking sessions

December 20, 2023 at 06:56PM

IBM Security discovered JavaScript code injected into online banking pages, compromising 50,000 user sessions with 40+ banks globally. The DanaBot Windows malware infects PCs, waits for users to access bank sites, then steals login credentials. It targets financial organizations across continents. The malware communicates with a server and adapts to server instructions. IBM urges vigilance and the use of strong passwords.

The key takeaways are:

– IBM Security discovered JavaScript code injected into online banking pages, compromising more than 50,000 user sessions across 40 banks globally in 2023.
– The Windows malware DanaBot or related software infects victims’ PCs through spam emails, waits for them to visit their bank’s website, and then steals their login credentials by injecting JavaScript into the login page.
– The domain names for the malicious code were bought in December 2022, and the web injection campaign started shortly after, with credential theft ongoing.
– The JavaScript code targets a webpage structure used by multiple banks and can harvest multi-factor authentication tokens.
– It communicates with a remote command-and-control server, performs actions based on a specific flag value, and is capable of executing man-in-the-browser attacks.
– IBM’s Tal Langus urges banking customers to practice vigilance and provides indicators of compromise in the write-up for those seeking more technical details.

PS: AT&T Alien Labs addressed the information-stealing malware JaskaGO, which poses a severe threat to both Windows and macOS operating systems and uses various techniques to persist on infected computers and siphon data.
