This malware can access your bank account if you make a typo
Say goodbye to your money if you misspell a URL
A Russian-speaking cybercrime group has been observed combining powerful infostealing malware with typosquatted domains to steal login data for banking sites. The campaign was spotted by cybersecurity firm Hold Security and reported on by KrebsOnSecurity.
According to the report, the group, known as The Disneyland Team, is targeting people infected with a powerful banking malware called Gozi 2.0 (AKA Ursnif), which can steal computer data, harvest user credentials and financial information, and deploy additional malware.
But Gozi alone won’t cut it anymore, as browser makers have introduced various security measures over the years to nullify it. This is where typosquatting comes in: creating phishing websites on domain names that are common misspellings of legitimate sites.
Helping Gozi out
According to KrebsOnSecurity: “In years past, crooks like these would use custom-made ‘web injects’ to manipulate what Gozi victims see in their Web browser when they visit their bank’s site.”
These could then “copy and/or intercept any data users would enter into a web-based form, such as a username and password. Most Web browser makers, however, have spent years adding security protections to block such nefarious activity.”
So, to make use of Gozi, the attackers also set up fake bank sites on typosquatted domains. Examples of such domains include ushank[.]com (targeting people who misspell usbank.com) and ạmeriprisẹ[.]com (targeting people visiting ameriprise.com).
You’ll notice small dots below the letters a and e, and if you thought they were specks of dust on your screen, you wouldn’t be the first to fall for the trick. These are not specks, though, but rather Cyrillic letters that the browser renders as Latin.
So when the victim visits one of these fake bank websites, the malware overlays it and forwards anything the victim types to the actual bank’s website, while keeping a copy for itself.
That way, when the real bank website responds with a multi-factor authentication (MFA) request, the fake website requests it too, effectively rendering the MFA useless.
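As an added defensive example (not code from the article or from Hold Security), the check below flags lookalike domains of the two kinds described above: a one-keystroke typo such as ushank.com for usbank.com, and a decorated spelling such as ạmeriprisẹ.com for ameriprise.com. The list of protected domains and the sample inputs are constructed for the example; decorated letters that decompose to a Latin base plus a combining mark are stripped back to their base under NFKD, while lookalike characters that do not decompose (Cyrillic letters, for instance) are caught by the non-ASCII check.

```python
import unicodedata

# Constructed list of legitimate domains to protect (assumption for this example).
LEGIT_DOMAINS = ["usbank.com", "ameriprise.com"]


def refang(domain: str) -> str:
    """Turn defanged notation such as 'ushank[.]com' back into 'ushank.com'."""
    return domain.replace("[.]", ".").lower()


def skeleton(domain: str) -> str:
    """Drop combining marks (e.g. the dot below in 'ạ') after NFKD decomposition.
    Characters with no Latin decomposition, such as Cyrillic lookalikes, are
    left as they are and handled by the non-ASCII check in classify()."""
    decomposed = unicodedata.normalize("NFKD", domain)
    return "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; a single typo (ushank vs usbank) scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, legit=LEGIT_DOMAINS):
    """Return (verdict, matched_legit_domain) for one observed domain."""
    dom = refang(candidate)
    if dom in legit:
        return ("legitimate", dom)
    has_non_ascii = any(ord(ch) > 127 for ch in dom)
    base = skeleton(dom)
    for target in legit:
        if base == target:  # identical once the decorations are removed
            return ("homoglyph", target)
        if edit_distance(base, target) == 1:  # one character away from the real site
            return ("homoglyph" if has_non_ascii else "typosquat", target)
    if has_non_ascii:
        return ("suspicious-non-ascii", None)
    return ("unrelated", None)


if __name__ == "__main__":
    # "\u1ea1meripris\u1eb9[.]com" is the dotted ạmeriprisẹ[.]com spelling from the article.
    for sample in ["ushank[.]com", "\u1ea1meripris\u1eb9[.]com", "usbank.com"]:
        print(sample, "->", classify(sample))
```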
Via: KrebsOnSecurity
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.