Posted on February 24, 2019 at 9:01 AM
An inventive phishing scam strategy is raising concerns in the cyber security field. The malware, spread by email, recreated a false Google reCAPTCHA on its landing page. Customers of one Polish bank recently became malware victims after being deceived by this imitation reCAPTCHA. An expansion of similar banking malware attacks is expected, especially through Android apps, because the malware's source code is publicly exposed. Website owners should be careful and react fast if infected, to avoid having their website disabled by their web host.
What is banking malware?
Professionals in the field of cyber security have been familiar with this kind of banking malware since 2016. Antivirus programs flag it as "BankBot", "Banker" or "Artemis". It is a Trojan intended for attacking Android devices, with the purpose of stealing financial information. It can be disguised as a banking application, or it can go through your SMS messages searching for banking data. It can also send you push notifications you don't want.
According to Luke Leal, a security analyst at Sucuri, standard phishing frauds usually have two elements: the PHP mailer and the files needed to construct the phishing page. A standard phishing landing page looks like a real login page.
The new BankBot was quite different
The BankBot that was used to attack a Polish bank's customers had access to the device's contacts, calls, text messages and location. It was spread by an email that used two standard phishing scam methods at once: impersonation and panic/bait. The customers received an email which pretended to be sent by their bank. It had two elements: an inquiry (the panic/bait) and a link to a PHP file.
In the email the customer was asked to confirm a recent transaction. When the customer followed the link, they landed on a "404 error" page which was itself a fraud. The PHP code then recreated a forged Google reCAPTCHA to make everything look more convincing. The customers were tricked into believing the page was legitimate while the BankBot malware was downloaded to their device. It arrives as an .apk for Android users and as a .zip for everyone else.
Although the bogus reCAPTCHA looks very convincing, there are still some ways to recognize that it is a fraud. Leal said that the images would not change as they usually do, because the PHP code a victim reaches from the phishing email stays the same. Also, the reCAPTCHA imitation cannot play the audio file that accompanies the visual reCAPTCHA letters.
How to protect your website?
In 2017, ESET researchers discovered applications infected by BankBot on the Google Play Store. They also found the source code underlying those applications exposed on underground forums and available for anyone to use. This was identified in December 2016. Ever since, there has been an expansion of BankBot mobile applications intended to steal users' bank information and financial data. More and more applications have been made, using more complex and more advanced methods. Besides Google reCAPTCHA, the attackers are also using Google Translate or custom fonts so that their scams look more believable.
According to Leal, this malware can bring a lot of problems if you own a website. If your website gets infected, it will start spreading the malware and will be reported to web security companies. This can result in your web host taking your website down.
If you get infected and receive a complaint, you should both delete the already compromised files and clean all other files and databases of potentially malicious content. That is important because this kind of malware gets uploaded to a website only after the site has already been compromised. Leal also advised changing all your passwords, in case the attackers make another attempt to manipulate your website.
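The cleanup advice above (remove the planted files, then check everything else) is easier to follow with a baseline of known-good file hashes to compare against. The script below is an added example, not code from the article or from Sucuri: it snapshots a web root, diffs it against a baseline, and scans any added or modified PHP files for the traits the article describes (a fake "404" page, a reCAPTCHA lookalike, User-Agent branching, an .apk or .zip payload). The indicator names, the `triage` function and the sample web root it builds are all constructed for illustration; the planted sample file is inert text, not a working page.

```python
"""Post-complaint triage of a PHP web root (added example, not the article's code).

Two checks the article recommends, combined: an integrity diff against a
known-good baseline of SHA-256 hashes, and an indicator scan of any PHP file
that was added or changed since that baseline.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators taken from the article's description of the dropper page: it poses
# as a "404" error, draws a fake reCAPTCHA, inspects the browser's User-Agent
# and hands out an .apk (Android) or .zip (others). Any single hit is only a
# lead for a human reviewer; several hits in one file are a strong signal.
INDICATORS = {
    "fake_recaptcha": re.compile(r"recaptcha", re.I),
    "payload_apk_or_zip": re.compile(r"\.(apk|zip)\b", re.I),
    "ua_branching": re.compile(r"HTTP_USER_AGENT", re.I),
    "fake_404": re.compile(r"\b404\b"),
}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(known: dict, current: dict) -> dict:
    """Files added, modified or removed relative to the known-good baseline."""
    return {
        "added": sorted(set(current) - set(known)),
        "removed": sorted(set(known) - set(current)),
        "modified": sorted(k for k in known if k in current and known[k] != current[k]),
    }


def scan_php(path: Path) -> list:
    """Names of the indicators present in one PHP file."""
    text = path.read_text(errors="replace")
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def triage(root: Path, known: dict) -> dict:
    """Integrity diff plus indicator hits on the PHP files that changed."""
    changes = diff_snapshots(known, snapshot(root))
    suspects = {}
    for rel in changes["added"] + changes["modified"]:
        if rel.lower().endswith((".php", ".phtml")):
            hits = scan_php(root / rel)
            if hits:
                suspects[rel] = hits
    return {"changes": changes, "suspects": suspects}


def build_demo_webroot() -> tuple:
    """Constructed sample: a clean site, its baseline, then a planted file.

    The planted confirm.php is inert text containing only the strings the
    scanner looks for; it is a stand-in, not a real phishing page.
    """
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.php").write_text("<?php echo 'Welcome'; ?>\n")
    (root / "css").mkdir()
    (root / "css" / "site.css").write_text("body { color: #222; }\n")
    known = snapshot(root)  # baseline taken while the site was known to be clean
    (root / "confirm.php").write_text(
        "<?php // constructed sample: fake 404 page with a reCAPTCHA lookalike\n"
        "// that would choose payload.apk or payload.zip by HTTP_USER_AGENT\n"
        "echo '404 Not Found'; ?>\n")
    # The attacker also edits a legitimate file to include the planted one;
    # the scan finds no indicators there, but the hash diff still flags it.
    (root / "index.php").write_text("<?php echo 'Welcome'; include 'confirm.php'; ?>\n")
    return root, known


if __name__ == "__main__":
    webroot, baseline = build_demo_webroot()
    report = triage(webroot, baseline)
    print("changes:", report["changes"])
    for rel, hits in report["suspects"].items():
        print(f"suspect {rel}: {', '.join(hits)}")
```

In the constructed run, `confirm.php` is reported as added and matches all four indicators, while `index.php` shows up only in the `modified` list: a reminder that the hash diff catches edits to legitimate files that no string pattern would. The baseline must come from a copy you trust (a clean deployment or your version control), not from the compromised host after the fact.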