Hackers Exploit Browser Kiosk Mode to Harvest Google Credentials

Published on September 17, 2024
Written by:
Lore Apostol
Lore Apostol
Infosec Writer & Editor

An unusual attack vector was used to compromise user credentials in a novel malware campaign discovered by OALABS’ security researchers. This sophisticated malware locks users into their browser's kiosk mode as part of its strategy to steal Google credentials.

The malware's modus operandi involves initiating a lock on the user's browser directed at Google's login page. The tactic is designed to frustrate users into entering and saving their Google credentials, believing that doing so will restore regular access.

This lock is cunningly crafted, disabling the "ESC" and "F11" keys, preventing users from exiting the browser or navigating away. 

Fake Google Sign In Page
Image Source: OALABS Research

Upon saving the credentials in the browser, the StealC information-stealing malware swiftly harvests them. This malware extracts login details from the browser's credential store and transmits them back to the attacker.

The hackers employ Amadey, a malware loader, info-stealer, and system reconnaissance tool, which has been operational since 2018, and an AutoIt script to instigate the credential flushing process.

The malware scans the infected system for browsers and launches the targeted one in kiosk mode, redirecting it to a pre-specified URL. It launches the browser in kiosk mode, directing it to Google's login page without conventional UI elements, such as toolbars or navigation buttons.

Kiosk Mode Malware Exploit
Image Source: OALABS Research

The campaign has reportedly been active since at least August 22, 2024.

Recently, a widespread campaign was seen luring victims via fake download sites looking like Roblox FPS Unlocker, YouTube, VLC, or KeePass to distribute Trojans that install malicious web browser extensions to steal sensitive user data.

In June, a ‘Fake Browser Update’ campaign infected vulnerable sites to show malicious pop-ups promoting a Web browser update that downloads malware when clicked. However, it hid behind a legitimate WordPress plugin to evade discovery by file scanners, as it’s usual for plugins to store data in the WordPress database.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: