Cybersecurity researchers have recently spotted a new piece of malware that steals people’s Google login credentials by boring them into submission.
It is an unusual tactic, and there are no clear statistics about its effectiveness. The malware itself has no specific name; it is delivered by the Amadey malware loader. It was discovered by cybersecurity researchers from OALABS, who say the campaign has been active since late August this year.
Besides the unnamed malware (which comes in the form of an AutoIt script), the loader also deploys the StealC infostealer, which is used later in the attack.
Multiple workarounds
When the malware infects a device, it brings up its browser in kiosk mode – a feature that allows the browser to run in full-screen mode without any user interface elements like address bars, toolbars, or menus. It’s typically used in public or restricted environments (think – kiosks), where users need access to a limited set of functionalities, such as accessing a specific website or web application without the ability to navigate elsewhere.
It then forces the browser to visit a page where users go to reset their Google password. That page first requires the user to enter their old password which, during the process, is grabbed by the StealC infostealer and relayed to the attackers.
Besides opening the browser in kiosk mode and preventing victims from accessing the navigation bar, the malware also disables the Escape and F11 keys. That way, computer users who aren’t that tech-savvy will think the only way to move past the Google screen is to type in their login credentials.
That is obviously not the case: the kiosk window can easily be escaped with ALT+TAB, CTRL+ALT+DEL, ALT+F4, and many other keyboard shortcuts. Alternatively, holding down the power button (or unplugging the device, if it is a desktop PC) will reset it. All of these alternatives are better than giving away your login credentials to crooks.
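The behaviour described above (a browser launched in kiosk mode straight onto a Google account page, often by a script interpreter rather than by the user) is visible in process-creation telemetry, which gives defenders something to alert on. The following detection heuristic is an added example written for this page; it is not code from the article, OALABS or BleepingComputer. It assumes that kiosk mode is requested with the browser's `--kiosk` command-line switch (a real switch in Chromium-based browsers and Firefox; the article does not name the switch), that the reset page lives under accounts.google.com or myaccount.google.com, and it runs over constructed sample events in a simple `key=value|key=value` format rather than real Sysmon or EDR records.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Browser binaries we expect to see launched. The article names no specific
# browser, so this list is an assumption for the heuristic.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "chrome", "google-chrome", "firefox"}

# Hosts serving Google sign-in / account-management pages (assumption: the
# password-reset page the article describes is served from one of these).
GOOGLE_ACCOUNT_HOSTS = {"accounts.google.com", "myaccount.google.com"}

# Script interpreters that are an unusual parent for a user's browser. The
# article says the stage is an AutoIt script, hence AutoIt3.exe is included.
SCRIPT_PARENTS = {"autoit3.exe", "wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}

# Constructed sample process-creation events (not real telemetry). The URL
# paths are placeholders, not the real reset-page path.
SAMPLE_EVENTS = [
    r"parent=C:\Users\victim\AppData\Local\Temp\AutoIt3.exe|image=C:\Program Files\Google\Chrome\Application\chrome.exe|cmd=chrome.exe --kiosk https://accounts.google.com/placeholder-reset-path",
    r"parent=C:\Windows\explorer.exe|image=C:\Program Files\Google\Chrome\Application\chrome.exe|cmd=chrome.exe https://www.example.com/",
    r"parent=C:\Windows\explorer.exe|image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|cmd=msedge.exe --kiosk https://intranet.example.net/dashboard",
    r"parent=C:\Windows\explorer.exe|image=C:\Program Files\Google\Chrome\Application\chrome.exe|cmd=chrome.exe https://accounts.google.com/",
    r"parent=C:\Windows\explorer.exe|image=C:\Program Files\Mozilla Firefox\firefox.exe|cmd=firefox.exe -kiosk https://accounts.google.com/placeholder-path",
]


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'parent=...|image=...|cmd=...' event line."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcEvent(fields["parent"], fields["image"], fields["cmd"])


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def has_kiosk_switch(command_line: str) -> bool:
    """True if any argument is --kiosk, -kiosk or --kiosk=<url>."""
    for token in command_line.split():
        name = token.lstrip("-").lower().split("=", 1)[0]
        if name == "kiosk" and token.startswith("-"):
            return True
    return False


def google_account_hosts(command_line: str) -> set:
    """Hosts of any URLs on the command line that are Google account pages."""
    hosts = set()
    for url in re.findall(r"https?://\S+", command_line):
        host = (urlparse(url).hostname or "").lower()
        if host in GOOGLE_ACCOUNT_HOSTS:
            hosts.add(host)
    return hosts


def classify(ev: ProcEvent) -> dict:
    """Score one event; alert only when kiosk mode and a Google account URL co-occur."""
    if basename(ev.image) not in BROWSERS:
        return {"kiosk": False, "google_account_url": False, "script_parent": False,
                "alert": False, "severity": None}
    kiosk = has_kiosk_switch(ev.command_line)
    google = bool(google_account_hosts(ev.command_line))
    script_parent = basename(ev.parent_image) in SCRIPT_PARENTS
    alert = kiosk and google
    # A script-interpreter parent matches the AutoIt delivery the article describes.
    severity = None if not alert else ("high" if script_parent else "medium")
    return {"kiosk": kiosk, "google_account_url": google, "script_parent": script_parent,
            "alert": alert, "severity": severity}


def scan(lines) -> list:
    """Return (index, severity) for every event that trips the heuristic."""
    hits = []
    for idx, line in enumerate(lines):
        result = classify(parse_event(line))
        if result["alert"]:
            hits.append((idx, result["severity"]))
    return hits


if __name__ == "__main__":
    for idx, severity in scan(SAMPLE_EVENTS):
        print(f"event {idx}: kiosk-mode browser on Google account page (severity {severity})")
```

The heuristic deliberately requires both signals before alerting: kiosk mode alone is normal on signage or shared terminals (event 2), and a plain visit to accounts.google.com is everyday behaviour (event 3). A script-interpreter parent only raises the severity, because the article's sample is launched from an AutoIt script but a future variant could be launched differently.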
Via BleepingComputer