Taking advantage of this, cybercriminals trick users and steal their access credentials to services, such as Google. This technique has been observed since August 2024 and was deployed alongside the StealC malware, primarily through the Amadey malware.
The attack begins by infecting the victim’s device with Amadey malware, which acts as a downloader for a more dangerous piece of malware, known as StealC. This type of malware forces Google Chrome into a special mode called kiosk mode. This is a full-screen mode originally designed for public terminals, such as interactive kiosks or point of sale, where you want users to interact with the browser only without accessing other functions of the operating system.
In the attack, cybercriminals take advantage of kiosk mode to hide key browser elements that would allow the user to notice the scam. For example, in this mode, the browser’s address bar and menus disappear, preventing the victim from seeing the fraudulent URL. Additionally, functions such as the ESC or F11 keys are disabled, preventing the user from easily exiting full screen or closing the window.
Once the browser is in kiosk mode, the attackers redirect the victim to a fake Google login page. This page exactly mimics the design and appearance of a legitimate login page, asking users to enter their username and password.
When a user enters their credentials on the page, they are captured by StealC malware and sent to the attackers. Within seconds, cybercriminals gain access to the victim’s Google account, from where they can perform all sorts of illicit activities, such as stealing additional information, accessing other services associated with the account, or even committing financial fraud.
One of the main reasons this attack is so effective is its ability to trick the user into believing they are interacting with a legitimate page. The fact that the browser is in full screen mode and locked creates a sense of urgency, which can prompt the user to enter their data without thinking much about the validity of the site.
Additionally, many users are used to re-authenticating their Google accounts from time to time, so being asked to enter credentials won’t seem suspicious to them. This familiarity, combined with the inability to close the window or exit kiosk mode, increases the likelihood that a victim will enter their username and password without hesitation.
Another factor that makes this attack dangerous is that once cybercriminals gain access to your Google account, they can use it to carry out a variety of illegal activities. From accessing other services linked to your Google Account to stealing personal or financial information, the potential for exploitation is huge.
As this technology evolves, it is essential to take preventive measures to protect yourself. Here are some key recommendations:
- Keep your software up to date: Make sure your operating system and Google Chrome browser are always up to date. Updates usually include security patches that fix vulnerabilities.
- Use security tools: Having a good antivirus or antimalware program will help you detect and eliminate potential threats before they put your system at risk.
- Beware of unusual behavior: If your browser goes into full screen mode without you asking and you can’t exit it using the ESC or F11 keys, you’re likely a victim of this attack. In this case, try closing the browser by pressing Alt + F4 on Windows or Command + Q on Mac.
- Avoid clicking on suspicious links: Malware like Amadey usually infects devices when a user downloads files or accesses malicious links. Be wary of emails or messages that contain links or attachments from unknown sources.
- Enable 2FA: Two-factor authentication adds an extra layer of security to your accounts, making it harder for attackers to access them even if they manage to steal your password.
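For teams that collect process-creation logs, the forced kiosk-mode launch described above can also be flagged automatically. The sketch below is an added example, not code from the original article: it relies on Chrome's `--kiosk` command-line switch, and the event field names, the allow-lists and the sample events are all constructed assumptions.

```python
import shlex
from urllib.parse import urlparse

BROWSERS = {"chrome.exe"}
ALLOWED_KIOSK_PARENTS = {"kioskshell.exe"}      # assumption: site-specific kiosk launcher
ALLOWED_KIOSK_HOSTS = {"intranet.example.com"}  # assumption: page a managed kiosk opens

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_browser_args(command_line):
    """Return (kiosk_flag_present, hosts of URL arguments)."""
    # posix=False keeps Windows backslashes intact; drop argv[0] and outer quotes.
    tokens = [t.strip('"') for t in shlex.split(command_line, posix=False)[1:]]
    kiosk = "--kiosk" in tokens  # exact match, so --kiosk-printing does not count
    hosts = [urlparse(t).hostname for t in tokens if not t.startswith("-")]
    return kiosk, [h for h in hosts if h]

def detect(event):
    """Return the reasons an event looks like a forced kiosk launch ([] if none)."""
    if basename(event["image"]) not in BROWSERS:
        return []
    kiosk, hosts = parse_browser_args(event["command_line"])
    if not kiosk:
        return []
    reasons = []
    parent = basename(event["parent_image"])
    if parent not in ALLOWED_KIOSK_PARENTS:
        reasons.append(f"kiosk launch by unexpected parent {parent}")
    unexpected = [h for h in hosts if h not in ALLOWED_KIOSK_HOSTS]
    if unexpected:
        reasons.append("kiosk target outside allow-list: " + ", ".join(unexpected))
    return reasons

CHROME = r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'
# Constructed sample events; field names (image, parent_image, command_line) are assumptions.
EVENTS = [
    {"image": CHROME.strip('"'), "parent_image": r"C:\Windows\explorer.exe",
     "command_line": CHROME + " https://login.example.net/signin"},
    {"image": CHROME.strip('"'), "parent_image": r"C:\Kiosk\kioskshell.exe",
     "command_line": CHROME + " --kiosk https://intranet.example.com/menu"},
    {"image": CHROME.strip('"'), "parent_image": r"C:\Users\user\AppData\Local\Temp\updater.exe",
     "command_line": CHROME + " --kiosk https://login.example.net/signin"},
    {"image": CHROME.strip('"'), "parent_image": r"C:\Windows\explorer.exe",
     "command_line": CHROME + " --kiosk-printing https://intranet.example.com/"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(basename(e["parent_image"]), "->", detect(e) or "ok")
```

Only the third event is reported: a kiosk launch started by a process outside the allow-list and pointed at a host the managed kiosk never opens.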