DECEMBER 9, 2022
Security

JavaScript Malware Hits 50K Users Across Global Banks

A new JavaScript malware has been discovered, targeting over 40 global financial institutions and affecting around 50,000 users. The malware uses web injections to steal online banking credentials and is suspected to be delivered via phishing emails or malvertising. When a victim visits a bank website, the login page is altered with malicious JavaScript to harvest credentials and OTPs. The malware is dynamic, adjusting its behavior based on responses from its command-and-control server. It can erase traces of injections, insert fraudulent UI elements, and display an error message to deter victims from accessing their accounts for 12 hours. This gives the attackers a window to seize control of the accounts. The malware may be connected to the DanaBot family, known for being spread via malicious Google Search ads and acting as an initial access vector for ransomware.

The JavaScript malware threat is sophisticated, using dynamic communication and web injection methods to adapt based on server instructions and the current page state.

Meanwhile, Sophos has uncovered a scam involving a fake liquidity mining service, which has netted nearly $2.9 million from 90 victims this year. The scam appears to be run by three separate groups using identical fraudulent DeFi app sites, suggesting a connection to a single Chinese organized crime ring.

Europol data shows that investment fraud and BEC fraud are the most common online fraud schemes, often linked to romance scams.

Group-IB has identified 1,539 phishing websites impersonating postal operators and delivery companies, suspected to be part of a single scam campaign. These scams use various evasion methods and affect postal brands in 53 countries, with most phishing pages targeting users in Germany, Poland, Spain, the U.K., Turkey, and Singapore.

TechBoy

Editor
