A new virus defrauds online purchases made by computer by changing the Pix recipient at the time of transfer.
The program infects the user’s machine and can affect purchases on any website that accepts this form of payment, according to Kaspersky. The digital security company released information about the virus, called GoPix, on Thursday (26).
Researcher Fábio Marenghi discovered that one of the points of infection was a fake website for WhatsApp Web, the browser version of the messaging app.
This fake website appeared as the first result in Google search when users typed WhatsApp with the wrong spelling “Watsap Web.” The site was removed from the search engine after contact from Kaspersky. Marenghi also found a GoPix installer that used the Correios website as bait.
On infected computers, the program spies on the victim for a while until it detects an online purchase via Pix, which is made either by scanning a QR Code or by copying a code. According to Kaspersky, the virus only works if the person chooses the copy-and-paste transfer.
When someone copies the text, it is stored in the computer’s memory, in the so-called “clipboard”. GoPix then swaps the saved code for another, whose destination is the criminal’s account.
Users can avoid the scam by checking the Pix recipient, which in these cases will be different from the store or institution to which the transfer would be made.
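The recipient check described above can also be done on the code itself before pasting it. The following is an added example, not code from Kaspersky or from the original article; it assumes the Pix copy-and-paste string follows the EMV merchant-presented QR layout (two-digit tag, two-digit length, value, CRC in field 63), and the keys and names in it are constructed samples.

```python
# Added example: decode a Pix "copia e cola" string (assumed EMV TLV layout) and report who it pays.
def crc16_ccitt(data: str) -> str:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF) as 4 upper-case hex digits."""
    crc = 0xFFFF
    for byte in data.encode("utf-8"):
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return f"{crc:04X}"

def parse_tlv(s: str) -> dict:
    """Split a tag/length/value string; reject truncated or malformed fields."""
    fields, i = {}, 0
    while i < len(s):
        head = s[i:i + 4]
        if len(head) < 4 or not (head.isascii() and head.isdigit()):
            raise ValueError(f"bad TLV header at offset {i}")
        length = int(head[2:])
        value = s[i + 4:i + 4 + length]
        if len(value) != length:
            raise ValueError(f"truncated field {head[:2]}")
        fields[head[:2]] = value
        i += 4 + length
    return fields

def pix_recipient(code: str) -> dict:
    """Return the key (or dynamic-charge URL), name and city the code pays."""
    code = code.strip()
    if code[-8:-4] != "6304" or crc16_ccitt(code[:-4]) != code[-4:].upper():
        raise ValueError("CRC check failed: code is corrupted or incomplete")
    top = parse_tlv(code)
    account = parse_tlv(top.get("26", ""))  # field 26: Pix account information
    if account.get("00", "").lower() != "br.gov.bcb.pix":
        raise ValueError("not a Pix payload")
    return {"key": account.get("01") or account.get("25"), "name": top.get("59"), "city": top.get("60")}

def same_recipient(shown: str, pasted: str) -> bool:
    """True only if the pasted code pays the same key as the code the shop showed."""
    return pix_recipient(shown)["key"] == pix_recipient(pasted)["key"]

def build_sample(key: str, name: str) -> str:
    """Construct a sample static code (test data only, not a real account)."""
    tlv = lambda tag, v: f"{tag}{len(v):02d}{v}"
    body = (tlv("00", "01") + tlv("26", tlv("00", "br.gov.bcb.pix") + tlv("01", key)) + tlv("52", "0000")
            + tlv("53", "986") + tlv("58", "BR") + tlv("59", name) + tlv("60", "SAO PAULO") + "6304")
    return body + crc16_ccitt(body)

SHOWN = build_sample("loja@example.com", "LOJA EXEMPLO")    # constructed: code issued by the shop
PASTED = build_sample("outra@example.net", "OUTRA CONTA")   # constructed: code after a clipboard swap
```

A swapped code carries its own valid CRC, so the checksum only catches corruption; the comparison of destination keys is what reveals the substitution.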
To avoid installing the virus, the usual precautions apply: download programs only from official websites, check for spelling errors in the portal address, check whether the website uses current encryption, shown by the “https” at the beginning of the URL, and have an antivirus installed.
The victim becomes infected only if they open the program downloaded from the fake website.
In the case of GoPix, the cybercriminals also adopt strategies to try to circumvent antiviruses. The fake WhatsApp website, for example, presented the option to download the virus only after verifying that the person accessing it showed signs of human behavior, to outwit monitoring bots.
Furthermore, the fake portal ran a test to check for the presence of an antivirus on the victim’s computer. If there was one, the download link led to a compressed folder, in “.zip” format, with a shortcut to the program. This step also made it harder to detect the virus, which is normally an executable file, in “.exe” format.
Viruses that monitor the clipboard are nothing new, according to the cybersecurity company, but this was the first time that the company found such a program dedicated to defrauding Pix.
The antivirus company says it has blocked GoPix in Brazil on 10,000 occasions up to October this year; the first time was in November 2022. This number refers only to those who have Kaspersky’s antivirus installed.
It was only this month that researcher Fábio Marenghi was able to trace the chain of this scam from the beginning.
On Android smartphones, viruses have already been identified that bypass Pix in the banking app or access the cell phone remotely to make fraudulent transactions, a scam that became known as “ghost hand.”