Hackers use fake Google reCAPTCHA to hide banking malware
Hackers have targeted an unnamed Polish bank's customers with a phishing page disguised as a Google reCAPTCHA check, luring victims into downloading banking malware.
According to website security platform Sucuri, this phishing campaign employed both the impersonation and panic/bait techniques within an email to entice the unwary to the download.
Just as a refresher, impersonation phishing campaigns pretend to be a popular brand or product through specially crafted emails, SMS, or social media networks. They may also contain a victim’s name, email address, account number, or some other personal detail.
The panic/bait technique is used to generate a fake situation to instil a sense of urgency or panic in the victim.
The Polish bank wasn’t named and Sucuri doesn’t say what the effects were – but it’s prudent to see its warning as a reminder to be cautious and take its handy advice.
Sucuri says bank users receiving this campaign would likely be alarmed by an email asking for confirmation of an unknown transaction.
It explains: “This makes it a bit more unique from the phishing content that we typically find, which often consists of a PHP mailer and file(s) used to construct the phishing page itself. In most cases, it’s just a replica of the login page for whatever institution they are targeting.”
Instead, the PHP file used in this campaign checks the visitor's user-agent string: visitors whose user-agent matches a list defined in the file are served a fake 404 error page, so the page looks dead to them while other visitors still receive the lure.
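The user-agent cloaking described above, and the check an analyst can run to detect it, as an added example in Python that is not code from the article or from Sucuri. The cloaking handler stands in for the campaign's PHP file, and the block list of user-agents, the page bodies and the URL are all constructed assumptions: the article only says the file keys on "specifically defined" user-agents, not which ones. The same probe works against a real URL: request it under a browser user-agent, a crawler user-agent and a scanner user-agent, and compare the responses.

```python
"""Added example (not from the Sucuri report or this article): a local
simulation of user-agent cloaking and the check a responder can run
against it.  The handler stands in for the campaign's PHP file; the
user-agent block list and page bodies are constructed assumptions."""
import http.server
import threading
import urllib.error
import urllib.request

# Assumed block list: the article does not say which user agents get the 404.
BLOCKED_UA_SUBSTRINGS = ("Googlebot", "bingbot", "curl", "python-requests")

BAIT_PAGE = b"<html><body>reCAPTCHA check: download the file to continue</body></html>"
FAKE_404 = b"<html><body>404 Not Found</body></html>"


def classify_user_agent(user_agent: str) -> str:
    """Return '404' for user agents on the block list, 'bait' otherwise."""
    ua = (user_agent or "").lower()
    return "404" if any(s.lower() in ua for s in BLOCKED_UA_SUBSTRINGS) else "bait"


class CloakingHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the malicious PHP file: a fake 404 for listed user
    agents, the bait page for everyone else."""

    def do_GET(self):
        if classify_user_agent(self.headers.get("User-Agent", "")) == "404":
            status, body = 404, FAKE_404
        else:
            status, body = 200, BAIT_PAGE
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server():
    """Start the cloaking server on a free localhost port (daemon thread)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(url: str, user_agent: str):
    """Fetch url with the given User-Agent; return (status, body).
    Proxies are disabled so the request really goes to localhost."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def probe_cloaking(url: str, user_agents):
    """Fetch the same URL under several user agents.  Differing status codes
    for the same URL are the tell-tale sign of cloaking."""
    results = {ua: fetch(url, ua) for ua in user_agents}
    statuses = {status for status, _ in results.values()}
    return {"cloaked": len(statuses) > 1, "results": results}


if __name__ == "__main__":
    server = start_server()
    url = f"http://127.0.0.1:{server.server_port}/recaptcha.php"  # constructed path
    report = probe_cloaking(url, [
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        "Googlebot/2.1 (+http://www.google.com/bot.html)",
        "curl/7.88.1",
    ])
    for ua, (status, body) in report["results"].items():
        print(f"{status} {len(body):4d} bytes  {ua}")
    print("cloaked:", report["cloaked"])
    server.shutdown()
```

A single request from a scanner will see the 404 and move on, which is exactly why hosts and blocklist operators need the multi-user-agent comparison before declaring a reported URL clean.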
This type of malware can cause “serious headaches” for website owners. It doesn’t take very long for anti-virus and other security companies to receive reports of the malicious behaviour and send complaints to a web host, causing them to disable a website.
Disabling a website is a “very serious matter” for a web host. It is done to prevent a website’s continued use in malicious activity, which could lead to the blacklisting of their server IP addresses.
A shared hosting server can host many, many websites across shared IP addresses. Depending on its configuration, a blacklisting of a shared IP can cause problems for other customers whose websites do not contain malware but exist on the same shared server.
The malicious directories used in these campaigns are uploaded to a website after it has been compromised.
When dealing with this type of malware, Sucuri reminds people that it is important to delete the files named in a complaint; however, it "strongly encourages" administrators to scan all other existing website files and the database for malware as well, since the files in the complaint are rarely the only ones the attackers uploaded.
It also recommends updating all passwords to prevent the attackers from accessing the environment again.
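A starting point for the wider scan Sucuri recommends, as an added example in Python that is neither the article's nor Sucuri's code: it walks a web root looking for PHP files that both read the visitor's user-agent and emit a 404 or push a download, the combination this campaign's dropper relies on. The indicator regexes are my own approximation of how such a file looks (the article describes the behaviour, not the source), and the sample web root, file names and PHP contents are constructed for the example.

```python
"""Added example (not part of the article or Sucuri's guidance): a small
triage scan of a web root for PHP files shaped like the user-agent
cloaking dropper described in the article.  Indicator patterns and the
sample files are constructed assumptions, not signatures from the report."""
import os
import re
import tempfile

# Assumed indicators: reading the user agent, sending a 404 status, and
# serving an archive/binary download.  One alone is common in benign code.
INDICATORS = {
    "reads_user_agent": re.compile(r"HTTP_USER_AGENT", re.I),
    "fake_404": re.compile(r"header\s*\(\s*['\"][^'\"]*404", re.I),
    "sends_download": re.compile(r"application/(zip|octet-stream|vnd\.android)", re.I),
}
PHP_SUFFIXES = (".php", ".phtml", ".inc")


def scan_file(path):
    """Return the set of indicator names matched in one file."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return set()
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def scan_webroot(root, min_hits=2):
    """Walk root and return {relative_path: hits} for PHP files matching at
    least min_hits indicators.  Requiring two cuts the noise from ordinary
    analytics code that merely logs the user agent."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(PHP_SUFFIXES):
                continue
            full = os.path.join(dirpath, fn)
            hits = scan_file(full)
            if len(hits) >= min_hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


# Constructed sample files: one benign logger, one cloaking dropper lookalike.
BENIGN_PHP = (
    "<?php\n"
    "$ua = $_SERVER['HTTP_USER_AGENT'];\n"
    "error_log('visit from ' . $ua);\n"
)
SUSPICIOUS_PHP = (
    "<?php\n"
    "$ua = strtolower($_SERVER['HTTP_USER_AGENT']);\n"
    "if (strpos($ua, 'bot') !== false) { header('HTTP/1.0 404 Not Found'); exit; }\n"
    "header('Content-Type: application/zip');\n"
    "readfile('payload.zip');\n"
)


def build_sample_webroot():
    """Create a throwaway web root containing the two constructed files."""
    root = tempfile.mkdtemp(prefix="webroot_")
    hidden = os.path.join(root, "wp-content", "uploads", "captcha")  # constructed path
    os.makedirs(hidden)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(BENIGN_PHP)
    with open(os.path.join(hidden, "index.php"), "w") as fh:
        fh.write(SUSPICIOUS_PHP)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for path, hits in scan_webroot(root).items():
        print(path, sorted(hits))
```

Treat a hit as a lead for manual review rather than a verdict, and pair the file scan with a check of recently modified files and of the database for injected content, as the article's advice covers both.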
Security firms are often issuing warnings about malware.
Earlier this month, the first crypto clipper malware was found on Google Play.
And last month, Symantec revealed some serious cyberattacks on West African banks.