Full-Screen Prison: How Kiosk Mode Forces Users to Part with Data

Hackers dictate their terms, and victims cannot "quit the game."

Cybersecurity researchers have documented a new attack method that attackers are actively using to steal user credentials through browsers. The victim is forced to enter their credentials on legitimate sites; the credentials then end up in the browser's credential vault, from which malware can easily steal them.

This technique was first noticed at the end of last August and is already being actively used together with the StealC malware, which is often distributed by the Amadey loader.

The peculiarity of this approach is the use of a script written in AutoIt, which runs the victim's browser in kiosk mode. In this mode, the browser expands to full screen and blocks the user's ability to close or change the page. As a result, the user enters their credentials in an effort to close the window, which can then be easily stolen using malware.

The method is actively used in combination with the Amadey loader. First, the victim is infected with this loader, which then downloads StealC, and with it "Credential Flusher" – a tool that opens the browser in kiosk mode. It is important to note that "Credential Flusher" does not steal data per se, but only serves as a way to force the victim to enter their credentials.

The AutoIt script itself is designed to detect which browsers are installed on the victim's device and run them in kiosk mode on the desired page. Usually, the goal is the Google login page, where the user enters their data without suspecting that it will be stolen.

Attackers can also use this script with other browsers, such as Microsoft Edge or Brave, making it a versatile tool for similar attacks. The script constantly checks whether the browser is still open, and if the user manages to close it, the script automatically relaunches it until the credentials are entered.
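The behaviour described above (an unusual parent process repeatedly launching a browser in kiosk mode on a sign-in page) is something a defender can look for in process-creation telemetry. The following is an added example, not code from the post or from the malware analysis it summarises; it assumes the script uses Chromium's documented `--kiosk` command-line switch (the post does not state the exact launch arguments) and runs over constructed sample events shaped like Sysmon/EDR process-creation records.

```python
"""Flag repeated kiosk-mode browser launches of a sign-in page from process-creation events."""
from collections import defaultdict
import re

# Constructed sample events: (timestamp, parent image, child image, command line).
# Not real telemetry; the paths and names are made up for the example.
EVENTS = [
    ("10:00:01", r"C:\Users\v\AppData\Local\Temp\flusher.exe",
     r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     '"chrome.exe" --kiosk https://accounts.google.com/'),
    ("10:00:40", r"C:\Users\v\AppData\Local\Temp\flusher.exe",
     r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     '"chrome.exe" --kiosk https://accounts.google.com/'),
    ("10:01:15", r"C:\Users\v\AppData\Local\Temp\flusher.exe",
     r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     '"msedge.exe" --kiosk https://accounts.google.com/'),
    ("10:05:00", r"C:\Windows\explorer.exe",
     r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     '"chrome.exe" https://example.org/'),  # benign launch, no kiosk flag
]

BROWSERS = ("chrome.exe", "msedge.exe", "brave.exe")          # Chromium-based browsers
LOGIN_PAGE = re.compile(r"https?://accounts\.google\.com", re.I)  # the page the post names
KIOSK_FLAG = re.compile(r"(^|\s)--kiosk(\s|$)")                # assumed launch switch

def is_kiosk_login_launch(child, cmdline):
    """True if a known browser is started in kiosk mode pointed at the sign-in page."""
    name = child.rsplit("\\", 1)[-1].lower()
    return (name in BROWSERS
            and KIOSK_FLAG.search(cmdline) is not None
            and LOGIN_PAGE.search(cmdline) is not None)

def find_credential_flusher_candidates(events, min_launches=2):
    """Group kiosk-mode sign-in launches by parent process.

    A parent that relaunches the browser repeatedly matches the
    'relaunch until credentials are entered' loop described in the post.
    """
    launches = defaultdict(list)
    for ts, parent, child, cmdline in events:
        if is_kiosk_login_launch(child, cmdline):
            launches[parent].append((ts, child.rsplit("\\", 1)[-1]))
    return {p: hits for p, hits in launches.items() if len(hits) >= min_launches}

if __name__ == "__main__":
    for parent, hits in find_credential_flusher_candidates(EVENTS).items():
        print(f"ALERT {parent}: {len(hits)} kiosk-mode launches of a sign-in page")
        for ts, browser in hits:
            print(f"  {ts} {browser}")
```

In real telemetry the parent-image check (a binary in a user-writable temp directory rather than explorer.exe) and the relaunch count are what separate this from a legitimate kiosk deployment.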

Experts warn that this method could become popular among attackers, as kiosk mode severely restricts the victim's actions, creating a false sense of urgency and forcing them to enter their data.
