TrickBot includes a section in its configuration files that instructs it to overlay a fake login page whenever the user visits Coinbase.com in his browser. Coinbase is a large web-based cryptocurrency wallet services, and with Bitcoins price hovering around USD 4,500 at press time, the incentives to steal an exchange user’s credentials are obvious, as fraudsters could transfer Bitcoin or other cryptocurrency funds from hijacked Coinbase accounts to their own.
The malware appeared initially in 2016 targeting online bank accounts. Currently, TrickBot can infect users and overlay fake web pages to hijack banking portals for banks in over ten countries. In June 2017, the trojan started targeting PayPal accounts and the login pages of several well-known CRMs — web applications used in enterprise environments.
According to Bleeping Computer, TrickBot trojan was spotted at the end of August 2017 in a small spam campaign posing as documents sent by the Canadian Imperial Bank of Commerce (CIBC), meaning it probably only targeted Canadian users.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now