16 Sep 2024
sysbraykr.com news - Cybersecurity researchers at OALabs have identified a new attack method actively exploited by cybercriminals to steal user credentials through web browsers. The technique involves tricking victims into entering their login credentials on legitimate websites, which are then stored in the browser’s credential manager and can be easily stolen using malicious software.
The attack begins by infecting the victim’s device with the Amadey loader, which then downloads StealC malware and a tool dubbed “Credential Flusher.” This tool, written in the AutoIt scripting language, is the linchpin of the attack. It forces the victim’s web browser into kiosk mode – a full-screen display that restricts the user’s ability to close or navigate away from the page.
The cybercriminals then direct the browser to a legitimate website, often the Google login page. When the victim attempts to close the browser window, they are prompted to enter their credentials, believing it’s the only way to exit the full-screen mode. Unbeknownst to them, these credentials are being captured by the StealC malware lurking in the background.
While Google’s login page is a common target, the AutoIt script is capable of launching various browsers, including Microsoft Edge and Brave, in kiosk mode, making this a versatile tool for cybercriminals. The script persistently checks if the browser is open and, if the user tries to close it, automatically relaunches it until the credentials are entered.
OALabs researchers warn that this technique, first observed in late August, is rapidly gaining popularity among cybercriminals. The use of kiosk mode creates a false sense of urgency, pressuring victims into entering their credentials without a second thought.
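As an added, defender-side illustration (not code from OALabs or from the report above), the following Python scans process-creation records for the pattern the article describes: a Chromium-based browser repeatedly launched in kiosk mode by the same unusual parent within a short window, which is what the relaunch loop looks like in telemetry. The Sysmon-like field names and the sample events are constructed; the `--kiosk` switch is Chromium's real kiosk flag, and `flusher.exe` is a placeholder name.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry), shaped like
# Sysmon Event ID 1: UTC time, parent image, image, command line.
SAMPLE_EVENTS = [
    {"time": "2024-09-16T10:00:01", "parent": r"C:\Users\u\AppData\Local\Temp\flusher.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"chrome.exe" --kiosk https://accounts.google.com/'},
    {"time": "2024-09-16T10:00:09", "parent": r"C:\Users\u\AppData\Local\Temp\flusher.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"chrome.exe" --kiosk https://accounts.google.com/'},
    {"time": "2024-09-16T10:00:20", "parent": r"C:\Users\u\AppData\Local\Temp\flusher.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"chrome.exe" --kiosk https://accounts.google.com/'},
    # A single kiosk launch from explorer.exe (e.g. a signage PC) is not a loop.
    {"time": "2024-09-16T10:05:00", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"msedge.exe" --kiosk https://intranet.example/'},
    # Normal browser start without the kiosk switch.
    {"time": "2024-09-16T10:06:00", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"chrome.exe" https://example.org/'},
]

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}  # Chromium-based, all accept --kiosk
KIOSK_SWITCHES = {"--kiosk", "-kiosk"}


def image_name(path):
    return ntpath.basename(path).lower()


def is_kiosk_launch(event):
    """True if a known browser was started with the kiosk switch."""
    if image_name(event["image"]) not in BROWSERS:
        return False
    return any(tok.lower() in KIOSK_SWITCHES for tok in event["cmdline"].split())


def find_relaunch_loops(events, window_seconds=60, min_launches=3):
    """Flag (parent, browser) pairs with repeated kiosk launches inside one window."""
    launches = defaultdict(list)
    for ev in events:
        if is_kiosk_launch(ev):
            launches[(ev["parent"].lower(), image_name(ev["image"]))].append(
                datetime.fromisoformat(ev["time"]))
    findings, window = [], timedelta(seconds=window_seconds)
    for (parent, browser), times in launches.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window over sorted launch times
            burst = [t for t in times[i:] if t - start <= window]
            if len(burst) >= min_launches:
                findings.append({"parent": parent, "browser": browser, "launches": len(burst)})
                break
    return findings
```

A match is a triage lead, not proof: a browser parented by a file in a user-writable temp directory and relaunched every few seconds in kiosk mode warrants looking at that parent, whereas one kiosk launch from explorer.exe is routine on signage or lab machines.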
source: https://securityonline.info/kiosk-mode-attack-new-cyber-threat-steals-browser-credentials/