
McDonald’s malvertising, on Facebook

The Mispadu banking trojan uses a McDonald’s malvertising tactic to steal payment-card data and online banking information. Mispadu, which is written in Delphi, targets Brazil and Mexico. It uses pop-up windows and contains backdoor functionality.

Ads and email messages spread the Mispadu banking trojan

Mispadu spreads both via email and through sponsored advertisements on Facebook. These offer fake discount coupons for McDonald’s. The ad text reads: “Use them on any September day! Independence coupons. Get yours now.” A user who clicks the ad is taken to a fake McDonald’s website with an “I want! Generate coupon” button. Clicking that button downloads a ZIP archive containing an MSI installer, a database file used by Windows. The installer then makes a series of changes that end with the download of the banking trojan.

ESET experts said: “We believe this malware family is targeting the general public. Its main goals are monetary and credential theft.”

Mispadu also has backdoor functionality. It can take screenshots, capture keystrokes and simulate mouse and keyboard actions. It also collects fingerprinting information about the computer and looks for a popular app that protects access to online banking. At the same time, it monitors the banking apps and the content. Then, it tries to replace any bitcoin wallet with its own. Moreover, it gathers credentials. The malware also uses four legitimate apps, modified to run without a graphical user interface. They extract stored credentials from browsers and email clients.

McDonald’s malvertising distributes a Chrome extension

ESET discovered that Mispadu also distributes a malicious Chrome extension in Brazil. Its goal is to steal payment-card information and banking data, and also to steal money by compromising the country’s Boleto online payment system. The extension is presented as a protection utility named “Securty System 1.0” and consists of three malicious JavaScript files. The first creates a new Chrome window and closes the others. The second looks for any data about bank cards and sends it to the attackers. The third replaces the ID number of the victim’s bank account with the attacker’s account number. According to ESET, the campaign generated more than 100,000 clicks in Brazil.
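For defenders who want to check a workstation for an extension like the one described above, the following added example (not from the article or from ESET) triages the manifests under a Chrome profile's `Extensions` folder. The directory layout, the two heuristics beyond the reported name, and the sample manifests with their file names are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

REPORTED_NAME = "securty system"  # extension name exactly as spelled on this page
NAME_HIT = "name matches reported extension"
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
WEBSTORE = "clients2.google.com/service/update2/crx"  # Chrome Web Store update URL

def audit_manifest(manifest: dict) -> list:
    """Return the reasons (possibly none) a manifest deserves a closer look."""
    reasons = []
    if REPORTED_NAME in str(manifest.get("name", "")).lower():
        reasons.append(NAME_HIT)
    scripts = manifest.get("content_scripts") or []
    if any(BROAD & set(cs.get("matches", [])) for cs in scripts):
        reasons.append("content script runs on every site")
    if WEBSTORE not in str(manifest.get("update_url", "")):
        reasons.append("not updated from the Chrome Web Store")
    return reasons

def audit_profile(ext_root: Path) -> dict:
    """Walk <ext_root>/<extension id>/<version>/manifest.json and triage each.
    One weak signal is common in benign extensions, so an extension is reported
    only on a name match or when at least two signals are present."""
    findings = {}
    for path in sorted(ext_root.glob("*/*/manifest.json")):
        try:
            reasons = audit_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError, AttributeError, TypeError):
            findings[path.parts[-3]] = ["unreadable manifest"]
            continue
        if NAME_HIT in reasons or len(reasons) >= 2:
            findings[path.parts[-3]] = reasons
    return findings

def build_sample(root: Path) -> Path:
    """Constructed sample data: one benign and one suspicious manifest."""
    samples = {
        "aaaa": {"name": "Notes", "update_url": "https://" + WEBSTORE,
                 "content_scripts": [{"matches": ["https://notes.example/*"]}]},
        "bbbb": {"name": "Securty System", "version": "1.0",
                 "content_scripts": [{"matches": ["<all_urls>"], "js": ["a.js"]}]},
    }
    for ext_id, manifest in samples.items():
        folder = root / ext_id / "1.0_0"
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_profile(build_sample(Path(tmp))))
```

The reasons are triage signals for a human reviewer, not verdicts: a legitimate developer-mode or enterprise-deployed extension can trip the same two heuristics.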

The McDonald’s malvertising seems to be only the beginning of a series of attacks. The security researchers discovered an open directory on one of the servers Mispadu uses. Also, files connected to a similar campaign were stored there. “Those files can be used to set up a webpage imitating AreaVIP (a tabloid website in Brazil) and to force a fake Adobe Flash Player update on its potential victims.”

You can use our free ad blocker to avoid this danger.

Laurentiu Titei
