A new effort is targeting e-commerce sellers to spread Vidar; data-stealing malware. It allows threat actors to obtain credentials for more destructive assaults. Threat actors initiated the latest effort this week, issuing complaints to online store administrators via email and website contact forms.
These emails appear to be from a client of an online business claiming they had taken $550 from their account following an allegedly failed order.
After receiving one of these emails this week, a news website investigated the threat. They discovered that it was common with several submissions to VirusTotal over the last week.
Targeting e-commerce businesses
Online retailers are a tempting target for threat actors. Obtaining access to the backend of eCommerce platforms allows for a variety of attacks.
For example, once a threat actor obtains access to an online store’s admin backend, they can inject malicious JavaScript scripts to execute MageCart attacks. In these attacks, the code takes customers’ credit cards and personal information during the checkout process.
Backend access may also be used to steal a site’s customer information by creating backups of the store’s database. Moreover, it can be used to blackmail consumers by threatening to publicly expose or sell the data to other hackers.
These emails contain client complaints of transaction failed emails from businesses and payments taken from their account. It’s then followed by a refund request. Moreover, it contains a URL attachment as proof of missing payment.
This link is supposed to show a bank statement, which is shortened to conceal the actual connection. The email tone conveys urgency requesting that the merchant offer a refund and investigate the core source of the problem.
When targets click on the URL, they will be sent to google workspace parent company product Google Drive. This fake Drive either displays or prompts the user to download a bank statement.
If the site displays the bank statement, it displays a sample of Commerce Bank’s bank statement with fake information.
Another test, on the other hand, might display a bogus Google Drive page stating that a preview is unavailable and prompting the user to download the ‘Bank_statement.pdf’. However, doing so will result in the download of an executable named ‘bank_statement.scr’.
While VirusTotal’s antivirus providers simply identify it as a generic data stealer. However, The cyber security website identified it as the Vidar data-stealing malware.
Malware stealing browser cookies
Vidar is malware that steals browser cookies, browsing history, stored passwords, cryptocurrency wallets, and text files. It also steals 2FA databases and screenshots of the current Windows screen.
This data will subsequently be transferred to a remote site for collection by the attackers. Following the transmission of the data, the collection of files will be deleted from the infected system. Thus, leaving behind a directory full of empty folders.
When hackers get this data, they either it to other threat actors or use them to breach the victim’s accounts.
If you received similar emails and feel you were affected by this malware distribution campaign, check your system for malware. Furthermore, as a security measure uninstall any malware that is discovered.
To avoid future assaults, you should change the passwords on all your accounts. Most important those linked with your online shopping sites, bank accounts, and email addresses.
Also inspect your ecommerce site for inserted source code into HTML templates, new accounts with higher rights, or source code updates.
Looking for ecommerce website maintenance services? Visit now!
