Categories: Ad Guardian PlusNews

McDonald’s malvertising, on Facebook

Mispadu banking trojan uses a McDonald’s malvertising tactic to steal payment-card data and online banking information. Mispadu, which was written in Delphi, targets Brazil and Mexico. It uses pop-up windows and contains backdoor functionality.

Ads and email messages spread the Mispadu banking trojan

Mispadu spreads both via email and through sponsored advertisements on Facebook. These offer fake discount coupons for McDonald’s. The call out is: “Use them on any September day! Independence coupons. Get yours now.” When a user clicks the ad, is taken to a fake McDonald’s website with a “I want! Generate coupon” button. Once clicked, it downloads a ZIP archive, containing an MSI installer – database files, used by Windows. This makes then a series of changes that end with the download of the banking trojan.

ESET experts said that “We believe this malware family is targeting the general public. Its main goals are monetary and credential theft.”

Mispadu also has a backdoor functionality. It can take screenshots, capture keystrokes and simulate mouse and keyboard actions. Also, it collects the fingerprinting information about the computer and looks for a popular app that protects access to online banking. At the same time, it monitors the banking apps and the content. Then, it tries to replace any bitcoin wallet with its own. Moreover, it gathers credentials. The malware also uses four legitimate apps, modified to run without a graphical user interface. They extract stored credentials from browsers and email clients.

McDonald’s malvertising distributes a Chrome extension

ESET discovered that Mispadu also distributes a malicious Chrome extension in Brazil. Its goal is to steal payment-card information and banking data and also money from by compromising the county’s Boleto online payment system. The extension is presented as a protection utility, named “Securty System 1.0” and it consists of three malicious JavaScript files. One creates a new Chrome window and closes the others. The second looks for any data about bank cards and sends the data to the attackers. The third replaces the ID number of the victim’s bank account with the attacker’s account number. According to ESET, the campaign generated more than 100,000 clicks in Brazil.

The McDonald’s malvertising seems to be only the beginning of a series of attacks. The security researchers discovered an open directory on one of the servers Mispadu uses. Also, files connected to a similar campaign were stored there. “Those files can be used to set up a webpage imitating AreaVIP (a tabloid website in Brazil) and to force a fake Adobe Flash Player update on its potential victims.”

You can use our free ad blocker to avoid this danger.

Laurentiu Titei

View Comments

Recent Posts

Best and Safe ROM Sites to Download ROMs

Allow us to introduce you to a list of the best ROM sites for downloading…

3 days ago

Best Internet Browsers for Safe Browsing for Kids

If you are looking for the best safe browser for kids, you have come to…

1 week ago

Download and Update the HP Smart Tank 580 Driver for Windows PC

If you want to enhance the performance of your printer by way of the HP…

2 weeks ago

Best Computer Imaging Software to Image a PC

If you wish to install the contents on any Windows PC to another PC, you…

3 weeks ago

Best SQL Server Management Tool

If you are looking for server-based tools for database management using SQL, you can take…

1 month ago

Best Open-Source Vulnerability Scanners & Tools

If you want to ascertain the most vulnerable files, areas, and sectors in your data,…

1 month ago