Online financial fraudsters are hiding their latest bank-account-stealing weapon inside what appears to be a legitimate Google Chrome installer.
The downloadable file, "ChromeSetup.exe," contains a sophisticated, multifaceted banking Trojan that, once running on a system, relays information about that computer to a remote IP address. Most of the infected machines connect to IP addresses in Brazil and Peru, researchers at Trend Micro explained. The fake Chrome installer appears to be hosted on popular domains including Facebook, Google and MSN.
The real danger comes when the malware implants a file that causes the victim's Web browser to redirect to a rigged banking site whenever the user tries to visit his legitimate bank. The Trojan, identified as "TSPY_BANKER.EUIQ," hijacks the user's banking session and displays a dialog box that reads, "Loading system security," leading the victim to believe he is being protected when, in fact, the crooks are picking his virtual pockets.
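The article says the Trojan "implants a file" that redirects the browser but does not say which file. One common way banking Trojans achieve this kind of redirect is a poisoned hosts file that maps the bank's hostnames to an attacker-controlled address, so the check below is written for that case as an assumption. It is an added example, not code from the article or from Trend Micro; the watched bank domains and the sample hosts file are constructed.

```python
"""Flag hosts-file entries that send banking domains somewhere other than loopback.

Added example. Assumes the redirect mechanism is a poisoned hosts file, which the
article does not confirm for this Trojan. Domains and sample data are constructed.
"""
import ipaddress

# Assumption: banking domains the operator wants to monitor (constructed).
WATCHED_DOMAINS = ("bank.example", "online.bank.example", "securebank.example")


def parse_hosts(text):
    """Return a list of (ip_address, hostname) pairs from hosts-file text.

    Handles comments, blank lines, several hostnames per line and mixed-case
    names. Lines that do not start with a valid IP address are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text):
    """Return [(hostname, ip_string)] for watched names mapped to a non-loopback IP.

    A watched name pointed at loopback is treated as benign sinkholing; anything
    else means the browser would be sent to a host the bank does not control.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if is_watched(name) and not ip.is_loopback:
            hits.append((name, str(ip)))
    return hits


# Constructed sample hosts file; the addresses are from documentation ranges.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.bank.example bank.example   # redirect candidate
198.51.100.7    online.bank.example
127.0.0.1       ads.example
2001:db8::5     login.securebank.example
"""

if __name__ == "__main__":
    for name, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"REDIRECT: {name} -> {ip}")
```

On Windows the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; on Linux and macOS it is `/etc/hosts`. The same logic applies to any other local name-resolution override, but DNS-level hijacks (a changed resolver or router settings) need a different check.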
Adding insult to injury, the Trojan uninstalls GbPlugin, a software plugin built to protect Brazilian online banking customers. Trend Micro said the malware, which was first spotted in October 2011, is currently being used in the wild and is morphing to evade detection and more effectively fleece its victims.
You can protect yourself and your online banking sessions by making sure any site that asks for your financial information is secured with "HTTPS" encryption. Look for "HTTPS" highlighted in green and a picture of a lock in your Web browser, but also read the domain name in the address bar: the lock only proves that the connection to the site you reached is encrypted, and a rigged site that the malware redirected you to can present its own certificate. If a website seems suspicious, or requests information you don't feel comfortable handing over, do not trust it. Since this Trojan arrives disguised as a browser installer, download software only from the vendor's own site rather than from a link on another page.
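The advice above, turned into a check a practitioner could run over the URL a browser actually landed on. This is an added example, not code from the article: it requires HTTPS as the article says, and adds the host check that catches a redirect to a lookalike site that also serves HTTPS. The bank domain and the sample URLs are constructed.

```python
"""Check that a URL belongs to the expected banking site and uses HTTPS.

Added example, not from the article. The bank domain and sample URLs are
constructed; the checks themselves are general.
"""
from urllib.parse import urlsplit

# Assumption: the bank's registrable domain (constructed).
BANK_DOMAIN = "bank.example"


def check_banking_url(url, bank_domain=BANK_DOMAIN):
    """Return (ok, reason). ok is True only if every check passes."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, "not HTTPS"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host"
    if parts.username is not None:
        # https://bank.example@evil.example/ shows the bank's name first in the URL
        return False, "userinfo in URL"
    if any(label.startswith("xn--") for label in host.split(".")):
        # Internationalised labels can look like the bank's name but are not it
        return False, "punycode host"
    if host != bank_domain and not host.endswith("." + bank_domain):
        # Catches bank.example.evil.example, bank-example.com and bare IP literals
        return False, f"host {host!r} is not under {bank_domain}"
    return True, "ok"


# Constructed sample URLs a redirected browser might end up on.
SAMPLE_URLS = [
    "https://online.bank.example/login",
    "http://online.bank.example/login",
    "https://bank.example.evil.example/login",
    "https://bank.example@evil.example/login",
    "https://192.0.2.10/bank.example/login",
    "https://xn--bnk-example.example/login",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        ok, reason = check_banking_url(u)
        print(f"{'OK  ' if ok else 'FAIL'} {u}  ({reason})")
```

The check is deliberately strict: it accepts only the bank's own registrable domain and its subdomains, so a bank that legitimately uses a second domain would need it added to the allowlist rather than the rule loosened.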