Fake Google reCAPTCHA used to hide Android banking malware. The phishing campaign impersonates Google in attacks against banking institutions and their users.
Researchers have documented a recent phishing campaign targeting online banking users which masquerades as Google in its attempt to steal valuable credentials.
According to cybersecurity researchers from Sucuri, the attack wave against a Polish bank and its users combines a fake Google reCAPTCHA with panic-eliciting techniques to prompt victims to click on malicious links embedded in scam emails.
The emails in question contain a fake confirmation for a recent transaction, alongside a link to a malicious .PHP file.
Messages sent to would-be victims ask them to ‘verify’ these non-existent transactions by clicking on the link.
This attack method is nothing new, but the next stage is somewhat more unusual. If a victim fails to realize the message is fake and clicks on the link, they are not sent to a standard, fake replica of the bank, but rather the PHP file serves a fake 404 error page.
The page has a number of specifically defined user-agents which are limited to Google crawlers. If the request is not Google crawler-related — in other words, alternative search engines are in use — then the PHP script instead loads a fake Google reCAPTCHA made up of JavaScript and static HTML.
“This page does a decent job at replicating the look of Google’s reCAPTCHA, but since it relies on static elements, the images will always be the same unless the malicious PHP file’s coding is changed,” the researchers say. “It also doesn’t support audio replay, unlike the real version.”
The user agent is then re-checked to ascertain how the victim has visited the page. A .zip dropper is served to most visitors, while a malicious .APK is reserved for Android users who fill in the fake CAPTCHA and download the payload.
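The user-agent cloaking described above (a 404 for crawlers, a fake CAPTCHA for everyone else, and a different payload for Android) is the kind of behaviour an analyst can surface by fetching the same URL under several user agents and comparing the responses. The example below is added here and is not code from the article or from Sucuri; the `simulated_phishing_page` function is a constructed stand-in for a real HTTP fetch so the check runs offline, and the user-agent strings and crawler markers are illustrative assumptions, not values taken from the campaign.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the behaviour the article describes. A real
# analysis would replace this with an HTTP client that returns (status, body).
CRAWLER_MARKERS = ("Googlebot", "AdsBot-Google", "Mediapartners-Google")


def simulated_phishing_page(user_agent: str) -> Tuple[int, str]:
    """Mimics the described PHP cloaking logic (constructed for this example)."""
    if any(marker in user_agent for marker in CRAWLER_MARKERS):
        # Crawlers see only a bland 404, so the page is never indexed.
        return 404, "<html><body><h1>404 Not Found</h1></body></html>"
    if "Android" in user_agent:
        return 200, "<html><!-- fake recaptcha --><a href='payload.apk'>Download</a></html>"
    return 200, "<html><!-- fake recaptcha --><a href='payload.zip'>Download</a></html>"


# Assumed user-agent set; add whatever client profiles matter for your triage.
USER_AGENTS: Dict[str, str] = {
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "android": "Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 Mobile",
}


def fingerprint(status: int, body: str) -> str:
    """Short, comparable identity for a response: status plus truncated body hash."""
    return f"{status}:{hashlib.sha256(body.encode('utf-8')).hexdigest()[:16]}"


def detect_cloaking(fetch: Callable[[str], Tuple[int, str]],
                    user_agents: Dict[str, str]) -> Dict[str, object]:
    """Fetch the page once per user agent and report whether responses diverge.

    A legitimate page may vary slightly (ads, timestamps), so treat a positive
    result as a lead for manual review rather than a verdict on its own.
    """
    results = {name: fingerprint(*fetch(ua)) for name, ua in user_agents.items()}
    statuses = {name: int(fp.split(":")[0]) for name, fp in results.items()}
    crawler_only_404 = (
        statuses.get("googlebot") == 404
        and all(code == 200 for name, code in statuses.items() if name != "googlebot")
    )
    return {
        "cloaked": len(set(results.values())) > 1,
        "crawler_only_404": crawler_only_404,
        "variants": results,
    }


if __name__ == "__main__":
    report = detect_cloaking(simulated_phishing_page, USER_AGENTS)
    for name, fp in report["variants"].items():
        print(f"{name:10s} {fp}")
    print("cloaking suspected:", report["cloaked"], "| crawler-only 404:", report["crawler_only_404"])
```

The `crawler_only_404` flag isolates the specific pattern in this campaign (search engines get a 404, humans get content), which is a stronger signal than mere response variation; in practice also compare the set of outbound links in each variant, since a page that swaps `.apk` for `.zip` by client is worth a closer look.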
Samples of the malware have been uploaded to VirusTotal. The malware is most often found in the wild in its Android form and is able to read a mobile device’s state, location, and contacts; scan and send SMS messages, make phone calls, record audio, and steal other sensitive information.
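The capability list above (device state, location, contacts, SMS, calls, audio) maps directly onto Android permissions an APK must declare in its manifest, so a simple manifest triage can flag samples that request this whole bundle at once. The following script is an added example, not code from the article or from the researchers; the manifest it parses is a constructed sample, the permission-to-capability mapping is my own, and the threshold of four capabilities is an assumption to tune for your environment.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capabilities named in the article, mapped to the standard Android permissions
# that grant them (mapping chosen for this example).
CAPABILITY_PERMISSIONS: Dict[str, Set[str]] = {
    "read device state": {"android.permission.READ_PHONE_STATE"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "read/send SMS": {"android.permission.READ_SMS",
                      "android.permission.SEND_SMS",
                      "android.permission.RECEIVE_SMS"},
    "phone calls": {"android.permission.CALL_PHONE"},
    "record audio": {"android.permission.RECORD_AUDIO"},
}

# Constructed manifest standing in for the decoded AndroidManifest.xml of a sample.
SUSPICIOUS_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""

# Constructed manifest for a benign app that only talks to the network.
BENIGN_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> Set[str]:
    """Collect every android:name on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def banker_capabilities(manifest_xml: str) -> List[str]:
    """Return the article's capability labels that the declared permissions unlock."""
    perms = declared_permissions(manifest_xml)
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)


def triage(manifest_xml: str, threshold: int = 4) -> Dict[str, object]:
    """Flag a manifest when it requests at least `threshold` of the listed capabilities.

    A single capability is common in legitimate apps; it is the combination
    (SMS plus calls plus audio plus contacts) that warrants a closer look.
    """
    caps = banker_capabilities(manifest_xml)
    return {"capabilities": caps, "count": len(caps), "suspicious": len(caps) >= threshold}


if __name__ == "__main__":
    for label, manifest in (("sample", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(f"{label}: {result['count']} capabilities -> suspicious={result['suspicious']}")
        print("  ", ", ".join(result["capabilities"]) or "(none)")
```

On a real sample the manifest comes from a decoder such as apktool or aapt; the permission set alone does not prove malice, but a converter or battery app declaring SMS, call and microphone access is exactly the mismatch between stated purpose and requested power that this campaign relies on.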
The Trojan is detected as Banker, BankBot, Evo-gen, Artemis, and more by antivirus software.
In January, researchers from Trend Micro uncovered an interesting campaign relating to the Anubis banking Trojan. The team found two apps in the Google Play store, a currency converter and power saver, which were laden with malware which would only trigger when a user moved their device.
By using motion sensor data as a catalyst for execution, the Trojan attempted to prevent discovery by researchers making use of sandbox environments.