Bank info-stealing malware has compromised Japanese porn sites

The Win32/Aibatook attack tool only targets Internet Explorer – the most widely used browser in Japan.

Four of the hacked websites are sokuhabo.net, www.uravidata.com, ppv.xxxurabi.com and mywife.cc.

It is unclear how the attackers compromised these sites.

When a computer visits one of the infected sites, the victim sees what looks like an innocuous “404 error” message. The user’s browser will then download malicious code.

Next, the malware waits for the victim to sign on to a bank account so it can inject bogus web forms.

“During our investigation, we observed Japan Post and the SBI Sumishin Net Bank as targets,” ESET researchers write. “This technique implements two different information stealers, one specifically tailored against a few major Japanese banks, and a second one targeting around 90 different websites.”

In one scenario, the fake form is an imitation login page requesting that the victim enter personal details because, purportedly, a system upgrade is necessary.

The personal credentials are then sent to the criminals via a command and control server.

“Craftily, if the user visits a page on the Japan Post website designed to warn customers of the dangers of phishing attacks, they are redirected back to the login page before they have a chance to see any security advice,” security researcher Graham Cluley observes.