Hackers are swiping Google account credentials directly from the official sign-in page on Chrome. This new threat, discovered by researchers at OALabs, uses a piece of malware called AutoIt Credential Flusher to hijack user information while locking victims into their browser.
The attack exploits Chrome’s “kiosk mode,” an interface used primarily for demos that hides essential navigation elements such as the address bar and the buttons used to exit. Victims find themselves stuck on the Google sign-in page, unable to exit, as the malware logs their credentials during the login process.
Threat operates on Google’s legitimate sign-in platform
Unlike traditional phishing attacks that redirect users to fake login pages, this threat operates on Google’s legitimate sign-in platform. By abusing kiosk mode, it tricks users into thinking their browser is malfunctioning, prompting them to enter their email and password while the malware captures the data.
The AutoIt Credential Flusher uses a second piece of malware, StealC, to snatch credentials without users suspecting a thing. Worse yet, since Google accounts are often connected to various platforms, from social media to online shopping sites, hackers gain access to a much wider range of accounts once they compromise a user’s Google login.
Experts are urging users to stay alert. If you find yourself locked on the sign-in page, try using hotkeys like Alt + Tab, Ctrl + Alt + Delete, or Alt + F4 to escape. Afterward, run antivirus scans to detect and remove any malware. While this attack targets Chrome users, other browsers like Microsoft Edge could also fall victim, as the malware tries to manipulate any available browser in kiosk mode.
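For defenders, the behaviour described above can be hunted for in process-creation telemetry. The following is an added example, not code from the article or from OALabs: it flags Chrome or Edge processes started in kiosk mode and pointed at the Google sign-in page. It assumes the browser's `--kiosk` command-line switch and the `accounts.google.com` host; the parent process names and all sample events are constructed.

```python
import re
from urllib.parse import urlparse

BROWSERS = {"chrome.exe", "msedge.exe"}        # the article names Chrome and Edge
SIGNIN_HOSTS = {"accounts.google.com"}         # assumption: Google sign-in host
KNOWN_KIOSK_PARENTS = {"kiosk_launcher.exe"}   # hypothetical approved launcher

# Constructed (parent image, command line) process-creation events.
SAMPLE_EVENTS = [
    ("explorer.exe", r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://example.com/'),
    ("unknown_script.exe", r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://accounts.google.com/signin'),
    ("unknown_script.exe", r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk https://accounts.google.com/signin'),
    ("kiosk_launcher.exe", r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://intranet.example/display'),
    ("unknown_script.exe", r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://example.com/'),
]

def tokens(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def classify(parent, cmdline):
    """Return 'alert', 'review' or None for one process-creation event."""
    argv = tokens(cmdline)
    if not argv:
        return None
    image = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    args = [a.lower() for a in argv[1:]]
    # Exact match so that unrelated switches such as --kiosk-printing are ignored.
    if image not in BROWSERS or "--kiosk" not in args:
        return None
    hosts = {urlparse(a).hostname for a in args if not a.startswith("--")}
    if hosts & SIGNIN_HOSTS:
        return "alert"    # kiosk browser pinned to the sign-in page
    if parent.lower() not in KNOWN_KIOSK_PARENTS:
        return "review"   # kiosk mode started by an unexpected parent
    return None

def scan(events):
    """Return (verdict, parent, command line) for every flagged event."""
    return [(v, p, c) for p, c in events if (v := classify(p, c))]

if __name__ == "__main__":
    for verdict, parent, cmdline in scan(SAMPLE_EVENTS):
        print(f"{verdict.upper():6} parent={parent} cmd={cmdline}")
```

On a real fleet the same logic would run over EDR or Sysmon process-creation records, with the allowlist populated from the organisation's actual kiosk deployments.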
Cybersecurity teams are scrambling to assess the full impact. Users are encouraged to stay vigilant as this threat continues to evolve.