Thursday, 21 November 2024

Hackers Coerce Chrome Users into Revealing Google Passwords

StealC Forces Google Passwords from Chrome Users

Recent research has highlighted a new and disturbing threat for Chrome users, where cybercriminals employ a particularly frustrating method to force individuals into revealing their Google account passwords. This threat utilizes StealC malware, which operates by locking the Chrome browser in kiosk mode. In this mode, the browser is confined to a full-screen display that disables crucial functions like the F11 and ESC keys, preventing users from escaping or navigating away. The only visible element is a Google account login window, which continuously prompts users to enter their credentials. The design of this attack is intended to overwhelm and frustrate users, pushing them to surrender their passwords as they struggle to exit the locked browser window.

The StealC malware does not directly steal credentials on its own. Instead, it relies on a technique known as credential flushing to trick users into entering their login details. Once the victim is forced into the kiosk mode, the credential flusher prompts them to log in to their Google account. The StealC malware then captures these entered credentials from the browser’s credential store. This approach represents a shift from more direct methods of credential theft, focusing on manipulating the user experience to induce error. The entire process involves several stages: the victim first becomes infected with the Amadey hacking tool, which is used to load both the StealC malware and the credential flusher. The credential flusher forces the browser into kiosk mode, and once the victim provides their login details, the StealC malware collects the information and sends it to the attackers.
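A defender can look for the stage where the browser is forced into kiosk mode. The following added example (not code from the researchers or from the article) triages process-creation records for Chrome started with the `--kiosk` switch, and raises severity when the target is a Google sign-in page or the parent process is unusual. The record layout, the parent allowlist, the `placeholder_flusher.exe` name and the sample events are constructed assumptions.

```python
import shlex
from urllib.parse import urlparse

BROWSERS = {"chrome.exe"}
EXPECTED_PARENTS = {"explorer.exe", "chrome.exe"}  # assumed allowlist, tune per fleet
SIGN_IN_HOSTS = {"accounts.google.com"}

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EXPLORER = r"C:\Windows\explorer.exe"
# Constructed records: (image, parent image, command line).
SAMPLE_EVENTS = [
    (CHROME, EXPLORER, f'"{CHROME}"'),
    (CHROME, EXPLORER, f'"{CHROME}" --kiosk https://dashboard.example/status'),
    (CHROME, r"C:\Users\user\AppData\Local\Temp\placeholder_flusher.exe",
     f'"{CHROME}" --kiosk https://accounts.google.com/'),
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def host_of(arg):
    """Host name if the argument parses as a URL, else None."""
    try:
        return urlparse(arg).hostname
    except ValueError:
        return None

def classify(image, parent, cmdline):
    """Return (severity, reasons) for one process-creation record."""
    if basename(image) not in BROWSERS:
        return ("none", [])
    # posix=False keeps backslashes in Windows paths intact.
    args = [a.strip('"') for a in shlex.split(cmdline, posix=False)][1:]
    if "--kiosk" not in (a.lower() for a in args):
        return ("none", [])
    reasons = ["browser started with --kiosk"]
    if any(host_of(a) in SIGN_IN_HOSTS for a in args if not a.startswith("-")):
        reasons.append("kiosk target is a Google sign-in page")
    if basename(parent) not in EXPECTED_PARENTS:
        reasons.append("unexpected parent process: " + parent)
    return ({1: "low", 2: "medium", 3: "high"}[len(reasons)], reasons)

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(classify(*event))
```

Legitimate kiosk deployments also use `--kiosk`, which is why the switch alone is rated low here.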

Compounding the issue, researchers have also identified a new variant of the TrickMo banking Trojan that poses a significant risk to Chrome users. This updated variant disguises itself as the Google Chrome app for Android. After installation, the Trojan tricks users into updating Google Play through a deceptive prompt. This action installs another application named Google Services, which requests extensive permissions. By guiding users to enable accessibility services, the Trojan gains the ability to intercept SMS messages and capture two-factor authentication codes. Additionally, TrickMo employs HTML overlay attacks, creating fake login screens that mimic legitimate sites to trick users into entering their credentials. To evade detection, the Trojan uses a technique involving malformed Zip archive files, which complicates the malware analysis process by creating errors or incomplete extractions that hinder the identification of the malicious software.
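An analyst can pre-screen an APK for structural inconsistencies before relying on an extractor's output. The following added example (not from the article or the researchers) audits a ZIP archive given as bytes. The article does not say how the archives are malformed, so the checks chosen here (duplicate entries, a directory named like a file, and local headers that disagree with the central directory) are assumptions, and the sample archive is constructed in memory.

```python
import io
import struct
import zipfile

def audit_zip(data):
    """Return structural findings for a ZIP/APK passed as bytes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return [f"central directory unreadable: {exc}"]
    findings, seen = [], set()
    entries = zf.infolist()
    names = {e.filename for e in entries}
    for e in entries:
        if e.filename in seen:
            findings.append(f"duplicate entry: {e.filename}")
        seen.add(e.filename)
        if e.filename.endswith("/") and e.filename.rstrip("/") in names:
            findings.append(f"directory shadows file: {e.filename}")
        # Local file header: signature, then method at +8, name length at +26.
        hdr = data[e.header_offset:e.header_offset + 30]
        if len(hdr) < 30 or hdr[:4] != b"PK\x03\x04":
            findings.append(f"missing local header: {e.filename}")
            continue
        method, = struct.unpack_from("<H", hdr, 8)
        name_len, = struct.unpack_from("<H", hdr, 26)
        start = e.header_offset + 30
        if method != e.compress_type:
            findings.append(f"compression method differs: {e.filename}")
        enc = "utf-8" if e.flag_bits & 0x800 else "cp437"
        if data[start:start + name_len] != e.orig_filename.encode(enc, "replace"):
            findings.append(f"local name differs: {e.filename}")
    return findings

def build_sample(tamper):
    """Constructed in-memory archive; tamper=True adds two inconsistencies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"constructed bytes")
        if tamper:
            zf.writestr("classes.dex/", b"")   # directory named like a file
    data = bytearray(buf.getvalue())
    if tamper:
        struct.pack_into("<H", data, 8, 0)     # first local header: deflate -> stored
    return bytes(data)

if __name__ == "__main__":
    for finding in audit_zip(build_sample(tamper=True)):
        print(finding)
```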

To combat these threats, users can take several precautionary steps. For the StealC attack, if users find themselves trapped in kiosk mode, they can attempt various keyboard shortcuts such as Alt + F4, Ctrl + Shift + Esc, Ctrl + Alt + Delete, and Alt + Tab. These shortcuts might allow them to access the Task Manager and terminate the Chrome process. Alternatively, they can use the Win Key + R combination to open a command prompt and execute the command taskkill /IM chrome.exe /F to forcibly close the browser. If these methods fail, users can perform a power button shutdown and restart their computer in Safe Mode by pressing F8. A full system scan with malware detection tools like Malwarebytes, which offers a free scanner, can help remove the malware and prevent further infections.

For the TrickMo Trojan, the best defense is to download Android applications exclusively from the official Google Play Store. By avoiding third-party sources, users can significantly reduce their risk of encountering malicious software. Keeping apps and devices up to date with the latest security patches and being cautious about granting permissions can further protect against these sophisticated cyber threats. Through vigilant practices and awareness of these evolving threats, users can better safeguard their accounts and personal information.
