The AutoIt Credential Flusher, discovered by OALabs researchers, is stealing Google account passwords directly from the official Google sign-in page within Chrome. This malware exploits Chrome’s “kiosk mode,” a limited full-screen interface typically used for demonstrations, to trap users on the login screen and capture their credentials.
Kiosk mode removes browser elements like the address bar and navigation buttons. The AutoIt Credential Flusher abuses this feature, locking users into the Google sign-in page and blocking typical full-screen exit commands such as Esc and F11. As users attempt to log in, the malware, utilizing a component called StealC, records their email addresses and passwords.
This attack is particularly insidious because it occurs on the legitimate Google sign-in page, not a fraudulent replica. Users may unknowingly compromise their credentials without realizing their system is infected. The implications are significant, as many individuals use their Google accounts for social sign-on across numerous websites, including platforms like MaagX. A compromised Google account could grant attackers access to a network of connected accounts.
If you become trapped on the Google sign-in screen, several hotkeys can help. Alt + Tab cycles through open windows, allowing you to close Chrome. Ctrl + Alt + Delete opens Task Manager, where you can end the Chrome process. Alt + F4 instantly closes the active application. As a last resort, holding down the power button will shut down your PC. After regaining control, immediately scan your system with antivirus software. Avast One Gold is a recommended option for comprehensive protection.
While this attack primarily targets Chrome, other browsers are also vulnerable. The malware attempts to lock any available browser, including Microsoft Edge, into kiosk mode. Fortunately, the aforementioned hotkeys function across different browsers.
