Novel phishing attack uses "no-escape" kiosk mode in Chrome to extract passwords

The quick fix is Control-Alt-Delete

by · TechSpot


In a nutshell: Security researchers discovered a new phishing method, which uses kiosk mode in browsers to steal credentials. The technique traps users on a full-screen login page (Google login is most common) with no option but to enter their details. The attackers then use a credential stealer to grab the information.

Cybersecurity experts at OALabs have uncovered a new attack vector for stealing credentials. The unique method involves launching the user's browser in kiosk mode to a login page (usually Google). Kiosk mode is useful for isolating a system to run specific apps. An ATM is a familiar example.

Since kiosk mode runs an app in fullscreen, there is no apparent way to exit the program other than hitting F11 to leave full-screen. Unfortunately, the malware disables function keys. With no way out of the browser, the only option available to users is to enter their username and password, which are immediately stolen by malware. A credential stealer called "StealC" is the most common.

StealC allows attackers to extract data from the browser's credential store. OALabs first spotted this attack method on August 22, 2024, and dubbed it "Credential Flusher." The Loader Insight Agency notes that this method is frequently deployed by the Amadey botnet when distributing StealC.

Once the hackers have the credentials, they usually change the targets' Google password, which locks them out of all of Google's services like Gmail and Google Docs. Victims will also lose access to any third-party website they signed up for using the Sign in with Google feature.

The researchers stress that Credential Flusher is not a credential stealer by itself.

It is simply used to pressure the victim into entering their credentials, so it must be used in conjunction with a stealer.
   •  First, the victim is infected with Amadey [payload deployment malware].
   •  Amadey is then used to load StealC.
   •  Amadey then loads the Credential Flusher.
   •  The Credential Flusher then launches the browser in kiosk mode to force the victim into entering their credentials, which can then be stolen by StealC.
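The chain above leaves one telemetry footprint a defender can key on: a browser process that is started with Chrome's `--kiosk` switch, pointed at a login page, by a parent process that is not the user's shell. The following detection logic is an added example, not code from OALabs or TechSpot. It runs over constructed Sysmon-style process-creation records (the loader name `updater_helper.exe` is a placeholder), treats `explorer.exe` as the only trusted parent (an assumption; adjust for managed kiosk deployments), and, going slightly beyond the article, also scores Edge and Brave, since they accept the same switch.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import urlparse

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields.
# None of this is real telemetry; "updater_helper.exe" stands in for the loader.
SAMPLE_EVENTS = [
    {   # suspicious: kiosk launch straight to a Google login page from an unknown parent
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\updater_helper.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://accounts.google.com/ServiceLogin',
    },
    {   # benign: user opened Chrome from the taskbar with no special flags
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
    },
    {   # low confidence: shell-launched kiosk mode to an internal dashboard (digital signage)
        "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk http://signage.corp.example/board',
    },
]

# Chromium-based browsers that honour --kiosk (generalising beyond the Chrome-only sightings).
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
# Assumption: interactive launches on a workstation come from the shell.
TRUSTED_PARENTS = {"explorer.exe"}
# Login hosts worth flagging when they are the kiosk target; extend to your IdP.
LOGIN_HOSTS = {"accounts.google.com", "login.microsoftonline.com", "login.live.com"}

# Match the bare --kiosk switch but not related switches such as --kiosk-printing.
KIOSK_FLAG = re.compile(r"(?:^|\s)--kiosk(?=[\s=]|$)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def score_event(event: dict) -> tuple[int, list[str]]:
    """Score one process-creation event; 0 means it is not a kiosk-mode browser launch."""
    if _basename(event["Image"]) not in CHROMIUM_BROWSERS:
        return 0, []
    cmd = event["CommandLine"]
    if not KIOSK_FLAG.search(cmd):
        return 0, []
    score, reasons = 1, ["browser started with --kiosk"]

    parent = _basename(event["ParentImage"])
    if parent not in TRUSTED_PARENTS:
        score += 1
        reasons.append(f"launched by untrusted parent {parent}")

    for url in URL_RE.findall(cmd):
        host = (urlparse(url).hostname or "").lower()
        if host in LOGIN_HOSTS:
            score += 1
            reasons.append(f"kiosk target is a credential login page ({host})")
            break
    return score, reasons


def triage(events: list[dict], threshold: int = 2) -> list[tuple[dict, int, list[str]]]:
    """Return (event, score, reasons) for every event at or above the alert threshold."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append((event, score, reasons))
    return hits


if __name__ == "__main__":
    for event, score, reasons in triage(SAMPLE_EVENTS):
        print(f"[score {score}] {event['CommandLine']}")
        for reason in reasons:
            print(f"    - {reason}")
```

The threshold of 2 means a shell-launched kiosk session to an internal site (legitimate signage) only logs, while a kiosk launch to a login page from an unexpected parent alerts even before the stealer is seen. Pair this with an EDR rule on the parent process itself, since the loader that spawned the browser is the thing to contain.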

The white hats also say they have only seen this technique used with Chrome. However, other browsers have features similar to kiosk mode, so it is possible to tweak the attack to use something other than Google's browser.

Fortunately, Credential Flusher has some flaws that make it less of a threat. First, being thrown into kiosk mode when opening Chrome should raise all kinds of red flags with all but the very naive or inexperienced. It's just not normal behavior. Second, while the malware can disable function keys, few things can resist the good ol' ctrl+alt+delete. Using this Windows relic, users can restart their PC or use Task Manager to shut down Chrome.

However, the most effective mitigation is just not to download sketchy apps. Most but not all malware installations require action from the user. Don't touch it if you don't know what it is or where it originated. It seems obvious, but still, many people fall for malware disguised as a handy app.

Image credit: Richard Patterson