Update, September 17, 2024: research published since this story was first reported on September 15 adds detail on the tactics behind an ongoing credential-stealing campaign against Chrome users.
New technique
The credential-stealing malware known as StealC uses a simple but effective method to pressure users into disclosing their Google account passwords: it locks the browser into a persistent kiosk mode.
What is kiosk mode?
Kiosk mode is a launch option offered by browsers that runs the application full screen with none of the usual browser user interface (address bar, tabs, toolbars, menus). It is intended for public terminals and unattended displays, where the operator wants a single page shown and the browser controls out of reach. On its own it hides only the browser's interface; how much of the rest of the system stays reachable depends on how the launching software has locked down the machine.
In this attack the usual exits, F11 and Esc, do nothing. The user is left in a single full-screen window that shows a login prompt, typically for a Google account.
Details of the Attack
- Kiosk Mode Lockdown: The malware forces Chrome into a full-screen kiosk mode that resists the usual exit methods. The goal is frustration and urgency: a user who cannot get out of the window is more likely to type credentials in the hope of regaining control of the browser.
- Phishing Login Window: The kiosk page is a login form that looks legitimate and mimics the real Google sign-in page, so the user believes that signing in is the way to resolve the problem. The form exists only to capture the Google credentials entered into it.
Once the victim submits a password in the phishing window, the credentials are stolen and the attacker gains access to the victim's Google account. From there the attacker can read sensitive data, commit identity theft, or pivot into other accounts that are connected to Google services, such as those that use Google sign-in or send password resets to the victim's Gmail address.
Recommended ways to mitigate the attack
Update Browser and Security Software: Keep Chrome and all security software current with the latest patches. Note that this attack abuses a legitimate browser feature rather than a vulnerability, so updates reduce the malware's options for getting onto the machine but do not by themselves stop a kiosk-mode lure.
Avoid Suspicious Links and Prompts: Be cautious of any unusual prompt or login window that appears unexpectedly, especially one that forces the browser into full-screen mode. A genuine Google sign-in never requires the browser to be locked full screen.
Change Passwords Immediately: If you suspect your credentials are compromised, change your Google account password right away and update the passwords of any other affected accounts.
Enable Two-Factor Authentication (2FA): With 2FA enabled, a stolen password alone is not enough to sign in, which blunts the value of the captured credentials.
Seek Professional Help: If you have been a victim of this attack, contact cybersecurity professionals to assess and contain the damage; a password change does not remove the malware that produced the kiosk window.
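For defenders, the launch pattern described under Details of the Attack is also something an endpoint or SIEM rule can look for. The following is an added example, not code from the article or from any security vendor. It assumes that the browser is put into kiosk mode with Chromium's documented `--kiosk` command-line switch (the article does not say how the malware forces the mode, so that the switch is used is an assumption of the example), and it runs over Sysmon-style process-creation records that are constructed inline. It goes slightly beyond the article by also scoring look-alike sign-in domains and the parent process, and by covering Edge as well as Chrome.

```python
"""Flag browser launches that match the kiosk-mode credential-lure pattern.

Added example, not from the article or any vendor. Assumptions (labelled):
  * kiosk mode is entered with Chromium's documented `--kiosk` switch;
  * events are Sysmon Event ID 1 style records, constructed below.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Chromium-based browser binaries that honour --kiosk.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "chromium.exe"}
# Real sign-in hosts a lure would load or imitate (constructed list).
LOGIN_HOSTS = {"accounts.google.com", "login.microsoftonline.com"}
# Words that tend to appear in look-alike sign-in domains (constructed list).
LOOKALIKE_WORDS = ("google", "microsoft", "login", "signin", "account")
# Parents that normally start a user's browser; a dropper in %TEMP% is not one.
EXPECTED_PARENTS = {"explorer.exe"}


@dataclass
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 record used by this check."""
    image: str
    command_line: str
    parent_image: str


@dataclass
class Verdict:
    severity: str                 # "none", "low", "medium" or "high"
    reasons: list = field(default_factory=list)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _tokens(command_line: str) -> list:
    # Split on whitespace but keep quoted paths containing spaces together.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def assess(event: ProcessEvent) -> Verdict:
    """Score one process-creation event against the kiosk-lure pattern."""
    if _basename(event.image) not in BROWSER_IMAGES:
        return Verdict("none")
    args = _tokens(event.command_line)[1:]          # drop argv[0]
    switches = {a.split("=", 1)[0].lower() for a in args if a.startswith("--")}
    if "--kiosk" not in switches:
        return Verdict("none")                       # ordinary browser launch

    score = 1
    reasons = ["started with --kiosk: no toolbar, F11/Esc do not exit"]
    for url in (a for a in args if a.lower().startswith(("http://", "https://"))):
        host = urlparse(url).hostname or ""
        if host in LOGIN_HOSTS:
            score += 2
            reasons.append(f"kiosk page is a real sign-in page: {url}")
        elif any(w in host for w in LOOKALIKE_WORDS):
            score += 2
            reasons.append(f"kiosk page is a look-alike sign-in host: {host}")
    if _basename(event.parent_image) not in EXPECTED_PARENTS:
        score += 1
        reasons.append(f"unexpected parent process: {event.parent_image}")

    severity = "high" if score >= 3 else "medium" if score == 2 else "low"
    return Verdict(severity, reasons)


def scan(events):
    """Return (index, verdict) for every event that is not a clean 'none'."""
    hits = []
    for i, event in enumerate(events):
        verdict = assess(event)
        if verdict.severity != "none":
            hits.append((i, verdict))
    return hits


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed sample events: a lure launched by a dropper in %TEMP%, a
# look-alike domain, a legitimate digital-signage kiosk, and a normal launch.
SAMPLE_EVENTS = [
    ProcessEvent(CHROME,
                 f'"{CHROME}" --kiosk https://accounts.google.com/ServiceLogin?continue=https://mail.google.com/',
                 r"C:\Users\victim\AppData\Local\Temp\svc_update.exe"),
    ProcessEvent(CHROME,
                 f'"{CHROME}" --kiosk https://accounts-google.login-verify.example/signin',
                 r"C:\Users\victim\AppData\Local\Temp\svc_update.exe"),
    ProcessEvent(CHROME,
                 f'"{CHROME}" --kiosk https://intranet.example/lobby-dashboard',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(CHROME,
                 f'"{CHROME}" https://www.example.com/',
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for i, verdict in scan(SAMPLE_EVENTS):
        print(f"event {i}: {verdict.severity}")
        for reason in verdict.reasons:
            print("   -", reason)
```

A kiosk launch by itself is only "low" because digital signage and shared terminals legitimately use the switch; it is the combination of kiosk mode, a sign-in page and a parent that is not the user's shell that marks the lure. Tune EXPECTED_PARENTS to your environment before alerting on the parent-process signal.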
Exiting the Kiosk Mode
Users who find themselves locked in kiosk mode, with neither the Esc nor the F11 key working, should stay calm and refrain from entering anything into the form.
Instead, try other hotkeys: 'Alt + F4' closes the foreground window, 'Alt + Tab' cycles through open applications, 'Ctrl + Shift + Esc' opens Task Manager directly, and 'Ctrl + Alt + Delete' brings up the Windows security screen from which Task Manager can also be launched. From Task Manager, select the Chrome process and use End Task. Because the lockdown is persistent, expect the window to reappear until the underlying malware has been removed.