A Russian-speaking cybercrime group was observed combining powerful infostealing malware with typosquatted domains to steal (opens in new tab) login data for banking sites. The campaign was spotted by cybersecurity experts Hold Security, and reported on by KrebsOnSecurity.
According to the report, the group known as The Disneyland Team, is targeting people infected with a powerful banking malware called Gozi 2.0 (AKA Ursnif), which can steal computer data, harvest user credentials and financial information, and deploy additional malware.
But Gozi alone won’t cut it anymore, as browser makers have introduced various security measures over the years to nullify it. But this is where typesquatting comes in – creating phishing websites with domain names that are common misspellings of legitimate sites.
Helping Gozi out
According to KrebsOnSecurity: “In years past, crooks like these would use custom-made “web injects” to manipulate what Gozi victims see in their Web browser when they visit their bank’s site.”
These could then “copy and/or intercept any data users would enter into a web-based form, such as a username and password. Most Web browser makers, however, have spent years adding security protections to block such nefarious activity.”
So, to make use of Gozi, the attackers also added fake bank sites on typosquatted domains. Examples of such domains include ushank[.]com (targeting people that misspell usbank.com), or ạmeriprisẹ[.]com (targeting people visiting ameriprise.com).
You’ll notice small dots below the letters a and e, and if you thought them to be specks of dust on your screen, you wouldn’t be the first one to fall for the trick. These are not specs, though, but rather Cyrillic letters that the browser renders as Latin.
So when the victim visits these fake bank websites, they get overlaid with the malware, which forwards anything the victim types in to the actual bank’s website, while keeping a copy for itself.
That way, when the real bank website returns with a multi-factor authentication (MFA) request, the fake website will request it too, effectively rendering the MFA useless.
Via: KrebsOnSecurity (opens in new tab)