A Russian-speaking cybercriminal group has been observed combining powerful information-stealing malware with typosquat domains to steal login details for banking services. The campaign was spotted by the cybersecurity firm Hold Security and reported on by KrebsOnSecurity.
According to the report, a group known as The Disneyland Team targets individuals already infected with the banking malware Gozi 2.0 (also known as Ursnif), which can steal data from the computer, collect user credentials and financial information, and deploy additional malware.
But Gozi alone can no longer do that job, because browser developers have added security measures over the years that render its old tricks ineffective. This is where typosquatting comes in: creating phishing sites on domain names that are common misspellings of legitimate sites.
Helping Gozi along
According to KrebsOnSecurity, “In the past, scammers like these have used custom ‘web injections’ to manipulate what Gozi victims see in their web browser when they visit their bank’s website.”
They can then “copy and/or capture any data that users enter into a web form, such as username and password. However, most web browser developers have spent years adding security to block such nefarious activities.”
So, to get the most out of Gozi, the attackers also hosted fake bank sites on typosquat domains. Examples include ushank[.]com (targeting people who mistype usbank.com) and ạmeriprisẹ[.]com (targeting visitors to ameriprise.com).
You’ll notice little dots under the letters “a” and “e”, and if you thought they were specks of dust on the screen, you wouldn’t be the first to fall for it. They are not specks, however, but Cyrillic letters that the browser renders to look like their Latin counterparts.
So when a victim visits one of these fake bank websites, they are met by malware that relays whatever the victim types to the actual bank website, keeping a copy for the attackers.
This way, when the genuine bank site responds with a multi-factor authentication (MFA) request, the fake site prompts for it as well, effectively rendering the MFA useless.
Source: KrebsOnSecurity