SECURITY analysts have detected a widespread banking fraud campaign by the threat group REF6045, targeting Mexican retail banks and fintechs. The operation involves deceptive web pages that utilize fake CAPTCHA challenges to trick victims into installing the SCMBANKER malware toolkit. This malware monitors banking sessions, captures screenshots, and manipulates clipboard data to steal financial information.
REFO45 relies on human operators for executing various malware modules and has made significant operational security mistakes, such as leaving server directories open to the public. Victims include retail bank customers and cryptocurrency traders, with unconfirmed financial damage. Security teams are advised to block known malicious domains and monitor for unusual network activity.