Emotet malware now steals credit cards from Google Chrome users

Gandalf_The_Grey

Level 62
Thread author
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
5,119
The Emotet botnet is now attempting to infect potential victims with a credit card stealer module designed to harvest credit card information stored in Google Chrome user profiles.

After stealing the credit card info (i.e., name, expiration month and year, card numbers), the malware will send it to command-and-control (C2) servers different from the ones used by the Emotet card stealer module.

"On June 6th, Proofpoint observed a new #Emotet module being dropped by the E4 botnet," the Proofpoint Threat Insights team revealed.

"To our surprise it was a credit card stealer that was solely targeting the Chrome browser. Once card details were collected they were exfiltrated to different C2 servers than the module loader."

This behavior change comes after increasing activity during April and a switch to 64-bit modules, as the Cryptolaemus security research group spotted.

One week later, Emotet started using Windows shortcut files (.LNK) to execute PowerShell commands to infect victims' devices, moving away from Microsoft Office macros now disabled by default starting with early April 2022.
 

Gandalf_The_Grey

I've read on here before that malware can steal information from the user profiles of various browsers like Chrome, Firefox and Edge.
The best defense against that is using a password manager, and not your browser, to store passwords and, if needed, credit card info.
And when stolen, 2FA makes it impossible to use that info.
 

Gandalf_The_Grey

I have a Discover card saved on Amazon and also on Instacart. It is on the store web sites though, is that the same as being stored in the browser? This is scary stuff indeed.

C.H.
No, that's not saved in the browser.

Here is for example on Edge where it can be saved:

[screenshot: the Edge settings page where card details can be saved]
 

Captain Holly

Level 3
Verified
Well-known
Jan 23, 2021
117
Thanks for the info. I don't store any card or bank account info in any browser. I do have a few stored IDs and passwords for some non-financial sites like here on MT and some music sites, Pandora etc. But I do not save any financial account numbers, passwords or IDs when the browser prompts me for that. Instacart and Amazon are the only sites where I saved my Discover card as the preferred payment method. Discover emails me about any transaction over $1.00.

C.H.
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Well-known
Jul 27, 2015
4,974
I have a Discover card saved on Amazon and also on Instacart. It is on the store web sites though, is that the same as being stored in the browser? This is scary stuff indeed.

C.H.
No, it's not the same, but if Amazon's or Instacart's site got hacked, you and everyone else who stored their cards there would be at risk. That type of hacking/leaking of credentials is sadly too common and has left many people in the dust over the years.

But there do exist good tips and tricks, and the use of multilayered protection, not only on your local machine/system. One example is checking one's local bank's protection against account attacks involving sudden, fast or excessive transfers, or its ability to block transactions from outside one's country; this is highly recommended. Bigger banks have normally already been security audited, so check for any possible review reports on that. Those can be a bit hard to find.
 

Captain Holly

No, it's not the same, but if Amazon's or Instacart's site got hacked, you and everyone else who stored their cards there would be at risk. That type of hacking/leaking of credentials is sadly too common and has left many people in the dust over the years.

But there do exist good tips and tricks, and the use of multilayered protection, not only on your local machine/system. One example is checking one's local bank's protection against account attacks involving sudden, fast or excessive transfers, or its ability to block transactions from outside one's country; this is highly recommended. Bigger banks have normally already been security audited, so check for any possible review reports on that. Those can be a bit hard to find.
I will remove my card from both sites ASAP. I think it is on the Walmart site as well. My wife and I have been using a delivery service instead of going to the store in person because of COVID, but I did not know it was this risky to store a card on the site.

Thanks again,

C.H.
 

Digmor Crusher

Level 15
Verified
Top poster
Well-known
Jan 27, 2018
708
Any card stored at any site is a risk, as virtually every site will get hacked eventually. When I purchase something online I delete my payment details after the order is finalized; that way no site has my CC information on file. (In theory. :p)