Using this technique, cybercriminals trick users into handing over their access credentials for services such as Google. It has been observed since August 2024 and has been used in conjunction with the StealC malware, with the Amadey malware acting as the main delivery vehicle.
The attack begins by infecting the victim's device with the Amadey malware, which acts as a vehicle for a more dangerous payload known as StealC. The malware then forces Google Chrome into a special mode called kiosk mode. This is a full-screen mode originally designed for public terminals, such as interactive kiosks or point-of-sale systems, where users are meant to interact only with the browser and have no access to other functions of the operating system.
In the attack, cybercriminals use kiosk mode to hide the browser components that would let the user notice the deception. In this mode the browser's address bar and menus disappear, so the victim cannot see the URL they are on. In addition, the usual shortcuts such as the ESC and F11 keys do not work, so the user cannot easily leave full screen or close the window.
Once the browser is in kiosk mode, the attackers direct it to a fake Google login page. This page mimics the design and appearance of the genuine login page and prompts the user to enter their username and password.
When the user enters their credentials on the page, they are captured by the StealC malware and sent to the attackers. Within seconds, the cybercriminals can access the victim's Google account and from there carry out all kinds of illegal activity, such as further information theft, access to other services linked to the account, or financial fraud.
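As an added illustration (not code from the original article or from the researchers who analysed this campaign), the following Python snippet shows one way a defender could hunt for the behaviour described above in endpoint telemetry: a browser being launched with Chrome's `--kiosk` switch pointing at a login page, from a parent process that is not the desktop shell. The event records, their field names and the `updater.exe` dropper name are constructed for the example and are assumptions, not indicators taken from the campaign. It deliberately does not flag a kiosk launch from `explorer.exe` to a non-login URL, which is what a legitimate kiosk deployment looks like.

```python
import re
from urllib.parse import urlparse

# Chrome switches that put the browser into a locked full-screen / kiosk view.
KIOSK_FLAGS = ("--kiosk", "--start-fullscreen")
# Hosts and path fragments that indicate the kiosk target is a sign-in page
# (extend for your own identity providers).
LOGIN_HOSTS = {"accounts.google.com", "login.microsoftonline.com"}
LOGIN_PATH_HINTS = ("signin", "login", "password")
# Parents that normally launch a browser on an interactive desktop; anything
# else starting a kiosk-mode browser deserves a look.
EXPECTED_PARENTS = {"explorer.exe"}

_URL_RE = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)

# Constructed sample of process-creation events in a Sysmon Event ID 1 style.
# These are made-up records for the example, not real telemetry; the dropper
# name "updater.exe" is a hypothetical placeholder.
SAMPLE_EVENTS = [
    {   # ordinary interactive browser start
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    },
    {   # kiosk-mode launch of a login page from a process in Temp
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "parent_image": r"C:\Users\victim\AppData\Local\Temp\updater.exe",
        "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://accounts.google.com/signin/v2/identifier --disable-popup-blocking',
    },
    {   # legitimate kiosk deployment: started by the shell, internal dashboard
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk http://localhost:8080/dashboard',
    },
]


def _basename(path):
    """Return the file name of a Windows path, lower-cased."""
    return path.lower().rsplit("\\", 1)[-1]


def is_browser(image):
    return _basename(image) in {"chrome.exe", "msedge.exe", "brave.exe"}


def analyse(event):
    """Return the reasons an event looks like a kiosk-mode credential lure.

    An empty list means the event is either not a kiosk launch or a kiosk
    launch with nothing else suspicious about it.
    """
    if not is_browser(event["image"]):
        return []
    cmd = event["command_line"]
    tokens = cmd.split()
    if not any(t.lower().startswith(KIOSK_FLAGS) for t in tokens):
        return []  # only full-screen / kiosk launches are of interest here
    reasons = ["browser launched in kiosk/full-screen mode"]

    parent = _basename(event["parent_image"])
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent process: {parent}")

    for url in _URL_RE.findall(cmd):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        path = parsed.path.lower()
        if host in LOGIN_HOSTS or any(hint in path for hint in LOGIN_PATH_HINTS):
            reasons.append(f"kiosk target is a login page: {url}")

    # Kiosk mode on its own is not a finding; require at least one more signal.
    return reasons if len(reasons) > 1 else []


def scan(events):
    """Run analyse() over a batch of events and keep only the hits."""
    findings = []
    for event in events:
        reasons = analyse(event)
        if reasons:
            findings.append((event["command_line"], reasons))
    return findings


if __name__ == "__main__":
    for command_line, reasons in scan(SAMPLE_EVENTS):
        print(command_line)
        for reason in reasons:
            print("  -", reason)
```

In a real deployment the same logic maps directly onto a process-creation detection rule: browser image, kiosk switch, sign-in URL, and a parent that is not the shell. Tune `EXPECTED_PARENTS` and `LOGIN_HOSTS` to your environment before relying on it.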
One of the main reasons this attack is so effective is that it tricks users into believing they are interacting with a legitimate page. A full-screen, locked browser creates a sense of urgency that leads the user to enter their data without thinking much about the trustworthiness of the site.
In addition, many users regularly re-authenticate to their Google accounts, so a request to enter credentials does not seem suspicious to them. This familiarity, combined with the inability to close the window or exit kiosk mode, makes it more likely that a victim will enter their username and password without hesitation.
Another factor that makes this attack dangerous is what the attackers can do once they hold a Google account. From reaching other services linked to the account to stealing personal or financial information, the potential for abuse is huge.
Considering the sophistication of this technique, it is important to take preventive measures to protect yourself. Here are some key recommendations:
- Keep your software up to date: make sure both your operating system and Google Chrome are always up to date. Updates usually include security patches that fix known vulnerabilities.
- Use security software: a good antivirus or anti-malware product can detect and remove threats such as Amadey before they compromise your computer.
- Be alert to unusual behaviour: if your browser enters full-screen mode without your asking and you cannot exit with the ESC or F11 keys, you may be a victim of this attack. If so, try closing the browser with Alt + F4 on Windows or Command + Q on Mac. If the window cannot be closed that way, end the browser process from Task Manager (Ctrl + Shift + Esc) on Windows, and do not type any credentials into it in the meantime.
- Avoid clicking on suspicious links: malware like Amadey usually reaches a device when the user downloads a file or opens a malicious link. Be wary of emails or messages containing links or attachments from unknown sources.
- Enable two-step verification (2FA): two-factor authentication adds an extra layer of protection to your accounts, making it harder for attackers to get in even if they manage to steal your password.