Categories: Ad Guardian PlusNews

McDonald’s malvertising, on Facebook

Mispadu banking trojan uses a McDonald’s malvertising tactic to steal payment-card data and online banking information. Mispadu, which was written in Delphi, targets Brazil and Mexico. It uses pop-up windows and contains backdoor functionality.

Ads and email messages spread the Mispadu banking trojan

Mispadu spreads both via email and through sponsored advertisements on Facebook. These offer fake discount coupons for McDonald’s. The call out is: “Use them on any September day! Independence coupons. Get yours now.” When a user clicks the ad, is taken to a fake McDonald’s website with a “I want! Generate coupon” button. Once clicked, it downloads a ZIP archive, containing an MSI installer – database files, used by Windows. This makes then a series of changes that end with the download of the banking trojan.

ESET experts said that “We believe this malware family is targeting the general public. Its main goals are monetary and credential theft.”

Mispadu also has a backdoor functionality. It can take screenshots, capture keystrokes and simulate mouse and keyboard actions. Also, it collects the fingerprinting information about the computer and looks for a popular app that protects access to online banking. At the same time, it monitors the banking apps and the content. Then, it tries to replace any bitcoin wallet with its own. Moreover, it gathers credentials. The malware also uses four legitimate apps, modified to run without a graphical user interface. They extract stored credentials from browsers and email clients.

McDonald’s malvertising distributes a Chrome extension

ESET discovered that Mispadu also distributes a malicious Chrome extension in Brazil. Its goal is to steal payment-card information and banking data and also money from by compromising the county’s Boleto online payment system. The extension is presented as a protection utility, named “Securty System 1.0” and it consists of three malicious JavaScript files. One creates a new Chrome window and closes the others. The second looks for any data about bank cards and sends the data to the attackers. The third replaces the ID number of the victim’s bank account with the attacker’s account number. According to ESET, the campaign generated more than 100,000 clicks in Brazil.

The McDonald’s malvertising seems to be only the beginning of a series of attacks. The security researchers discovered an open directory on one of the servers Mispadu uses. Also, files connected to a similar campaign were stored there. “Those files can be used to set up a webpage imitating AreaVIP (a tabloid website in Brazil) and to force a fake Adobe Flash Player update on its potential victims.”

You can use our free ad blocker to avoid this danger.

Laurentiu Titei

View Comments

Recent Posts

How to Convert HEIC to JPG on Windows

HEIC is a popular image format. However, many times, you may need to convert HEIC…

46 mins ago

Best Free Disk Cleaner Software to Free Up Space in Windows 11/10

Do you miss how fast your computer performed when you first unboxed it? What happened…

2 hours ago

Best Free Cache Cleaner Software for Windows 10 and 11 PC

Do you remember how fast your computer was when it was new? It could complete…

3 days ago

Best Methods to Duplicate Word Documents in 2025

Many users duplicate Word documents to secure a backup, avoid overwrites or accidental deletions in…

3 days ago

What Is Windows Update and How to Block it with Windows Update Blocker

Computer systems are unpredictable. No one can predict how they behave after an update. .…

4 days ago

Top Cloud Security Tools and Technologies

Storing information and data online on cloud services has become common for businesses and organizations.…

4 days ago