
Beware of this Google Chrome extension: it steals your banking data and leaves your account at zero

The malicious extension was identified by the cybersecurity firm ESET, which warned that it is capable of diverting funds from your bank account.

A malicious Google Chrome extension is emptying bank accounts in several countries. The cybersecurity firm ESET has identified the threat, which disguises itself as a security tool but in reality steals your banking credentials and diverts your funds without your noticing. ESET detects the extension as JS/Spy.Banker.CV; it is being spread primarily in Mexico through legitimate-looking emails.

The trick this extension uses to steal your money

The most dangerous thing about JS/Spy.Banker.CV is that it operates without any visible sign. The extension automatically detects when you are browsing a financial website by matching the page against common patterns such as keywords related to banks, payments and transactions.

Once it decides that you are on a banking website, the malware modifies the DOM (Document Object Model), the in-memory structure of the page that the browser renders. Because an extension's content script can read and rewrite that structure, it can change what the page shows and does without ever touching the bank's server: the address bar and the padlock still look correct, because the tampering happens inside your own browser. Everything looks normal at first glance, but you are actually typing into injected forms that look exactly like the real ones.

Every piece of information you enter, passwords, account numbers and personal details, is sent directly to a server controlled by the attackers. It does not end there: the malware can also replace cryptocurrency wallet addresses and bank account numbers shown on the page with the attackers' own. Imagine you are making a transfer to a friend: the malware swaps the destination account number for one belonging to the criminals, and the transfer you approve goes to them.

ESET researchers found that the extension contains two JavaScript files that steal sensitive data, visually manipulate websites and send the collected information to command-and-control (C2) servers. The extension persists on your computer and runs every time you open the affected browser, constantly monitoring your online activity.

How this threat reaches your computer

Cybercriminals send emails with compressed attachments that appear to be from reputable financial institutions. You receive an email that appears to be from your bank, with the correct logo, a convincing message about a security update, and an attachment that you “need to open.”

That compressed file contains the malicious extension. Once you open it and install what you believe is a legitimate tool, the extension is loaded into Google Chrome, posing as a security solution. The irony is brutal: you install something thinking it will protect you, when in reality you are opening the door to thieves.

The malware's code contains variable names in Portuguese, suggesting that the threat originated in Brazil and has since spread across borders, primarily affecting users in Mexico and other Latin American countries.

How to protect yourself right now

Immediately check the extensions installed in Google Chrome: open chrome://extensions (Menu > Extensions > Manage Extensions) and examine each one. Remove any you do not remember installing, and be especially wary of anything describing itself as a "security tool" that you did not deliberately install from a source you trust. Turning on Developer mode in that page shows each extension's ID, which is the first thing to note down if you suspect an infection.
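The traits the article describes (a content script that runs on every site so it can watch for banking pages, broad host access, and a couple of injected JavaScript files) can be checked on disk rather than by eye. The script below is an added example written for this page; it is not ESET's tooling and not the malware's code. It walks Chrome's per-profile Extensions folder, parses each manifest.json, and flags extensions whose content scripts or permissions reach all URLs. The profile paths assume the "Default" profile, and the sample manifests it builds for the demo are constructed, including the invented file names banco.js and envio.js.

```python
"""Audit installed Chrome extensions for all-sites content scripts and broad
permissions. Added example for this article; not ESET's or the malware's code."""
import json
import os
import sys
import tempfile
from pathlib import Path

# Match patterns that reach every site, including any bank (Chrome MV2/MV3).
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that let an extension observe or alter pages and traffic.
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                     "scripting", "cookies", "tabs", "clipboardRead",
                     "nativeMessaging", "debugger", "proxy"}


def default_extensions_dir() -> Path:
    """Chrome's extension store for the 'Default' profile (assumption: one profile)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", str(home)))
        return base / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"
    if sys.platform == "darwin":
        return home / "Library" / "Application Support" / "Google" / "Chrome" / "Default" / "Extensions"
    return home / ".config" / "google-chrome" / "Default" / "Extensions"


def audit_manifest(manifest: dict) -> dict:
    """Flag one parsed manifest.json: name, injected JS files and findings."""
    findings, js_files = [], []
    for cs in manifest.get("content_scripts", []):
        js_files.extend(cs.get("js", []))
        broad = set(cs.get("matches", [])) & BROAD_PATTERNS
        if broad:
            findings.append("content script on every site: " + ", ".join(sorted(broad)))
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    if perms & BROAD_PATTERNS:
        findings.append("host access to all URLs")
    if perms & RISKY_PERMISSIONS:
        findings.append("sensitive permissions: " + ", ".join(sorted(perms & RISKY_PERMISSIONS)))
    # Names like "__MSG_appName__" are localized; the real string lives under _locales/.
    return {"name": manifest.get("name", "?"), "js_files": js_files, "findings": findings}


def audit_extensions_dir(root: Path) -> list:
    """Walk <root>/<extension id>/<version>/manifest.json and audit each one."""
    results = []
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError) as exc:
            results.append({"id": ext_id, "name": "?", "js_files": [],
                            "findings": ["unreadable manifest: %s" % exc]})
            continue
        report = audit_manifest(manifest)
        report["id"] = ext_id
        results.append(report)
    return results


def build_demo_profile(root: Path) -> None:
    """Write two constructed sample extensions (not real ones) in Chrome's layout."""
    benign = {"name": "Tab Notes", "version": "2.1", "manifest_version": 3,
              "permissions": ["storage"]}
    # Mirrors the article's description: poses as security software, runs on every
    # site, two JS files. File names are invented for the demo.
    suspicious = {"name": "Security Shield", "version": "1.0", "manifest_version": 3,
                  "permissions": ["storage", "webRequest"],
                  "host_permissions": ["<all_urls>"],
                  "content_scripts": [{"matches": ["<all_urls>"], "run_at": "document_end",
                                       "js": ["banco.js", "envio.js"]}]}
    for ext_id, manifest in (("a" * 32, benign), ("b" * 32, suspicious)):
        version_dir = root / ext_id / (manifest["version"] + "_0")  # Chrome uses "<ver>_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


def demo() -> list:
    """Audit the constructed profile in a temp directory and return the reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_profile(root)
        return audit_extensions_dir(root)


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--demo":
        reports = demo()
    else:
        target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_extensions_dir()
        reports = audit_extensions_dir(target)
    for r in reports:
        print(("SUSPICIOUS" if r["findings"] else "ok        ") + "  " + r["id"] + "  " + r["name"])
        for finding in r["findings"]:
            print("            - " + finding)
        if r["findings"] and r["js_files"]:
            print("            injected JS: " + ", ".join(r["js_files"]))
```

Run it with `--demo` to see the constructed case, or with no argument (or a profile's Extensions path) to audit a real machine. Two caveats: extensions sideloaded with "Load unpacked" stay in the folder they were loaded from rather than under Extensions, so also read the path chrome://extensions shows in Developer mode; and legitimate password managers and ad blockers need all-sites access too, so a finding is a reason to look at the listed JS files, not a verdict on its own.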

Never install extensions from untrusted sources. A legitimate bank will never ask you to install a browser extension through an email attachment. If in doubt, contact your financial institution directly using the phone number or website you already know, not the details in the email.

Keep an updated antivirus on your computer; ESET's products detect this threat under the name JS/Spy.Banker.CV.

Be wary of emails with attachments, especially compressed ones that claim to come from a bank. Check the sender's real email address, not just the display name.

The reality is that threats like JS/Spy.Banker.CV remind us that in the digital world, prevention is everything. Don't wait to become a victim to take security measures. Keep your browser updated, use strong passwords, and enable two-factor authentication whenever possible.

This news has been taken from authentic news syndicates and agencies and only the wording has been changed, keeping the meaning intact. We have not done personal research yet and do not guarantee complete genuineness, and request you to verify from other sources too.
