SpyEye bank Trojan hides its fraud footprint

Filed Under: Data loss, Featured, Malware, Privacy

This Christmas, banks were visited by the ghost of malware past: an even nastier version of SpyEye that manages to hide fraudulent transactions from unsuspecting victims.

Security vendor Trusteer last year found SpyEye targeting transactions at major UK banks. SpyEye is a tweak of the Zeus crimeware kit that grabs web form data within browsers.

This year, right before the recent holiday season, Trusteer found a hopped-up version of SpyEye attacking banks in the U.S. and U.K.

The new Trojan, instead of intercepting or diverting email messages, hides bogus transactions even after users have logged out and then logged back into their accounts.

This version of SpyEye both hides the fraudulent transaction and masks the amount of the transaction, putting forward a fake balance and ensuring that victims are oblivious to anything being amiss.

The brief version of how it works:

  1. SpyEye launches a man-in-the-browser attack on an online banking session to steal debit card data.
  2. Crooks commit fraud with the debit card data.
  3. The next time the customer logs into an online banking site, SpyEye launches a post-transaction attack that hides the fraudulent transactions from the victim.

Here's Trusteer's detailed description of how it goes down:

Step 1 – Malware Post-Login Attack – Credentials Stolen:

a. Fraudsters infect the victim’s machine with Man in the Browser malware (any MitB malware, e.g. Zeus, SpyEye, Carberp), with a suitable configuration.

b. The malware is configured to ask the customer for debit card data during the login phase (HTML injection) – e.g. card number, CVV2, expiration month and year, etc.

Step 2 – Fraudster Commits Fraudulent Activity:

c. With the customer’s debit card details, the cybercriminals then commit card-not-present transaction fraud by making a purchase or transferring money over the telephone or the internet.

d. The fraudsters immediately feed the fraudulent transaction details to the malware control panel.

Step 3 – Malware Post-Transaction Attack with Fraud Hidden from View:

e. The next time the victim visits their online banking site, the malware hides (“replaces”) the fraudulent transactions in the “view transactions” page, as well as artificially changing the total fraudulent transaction amount to balance the totals. As a result, the deceived customer has no idea that their account has been ‘taken over’, nor that any fraudulent transactions have taken place.

As Trusteer points out, paper statements will eventually reveal SpyEye's antics. But how many online banking users still get them? Given banks' push to go paperless, the thievery could go undetected for months.
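To make that reconciliation point concrete, here is an added example (my own Python, not Trusteer's description or anything from the malware) that models step (e) on a constructed ledger: the rendered view drops one transaction and recomputes the balance so the page looks consistent, and a check against a statement the malware cannot rewrite exposes both the missing item and the balance gap. Transaction ids, amounts and memos are all constructed.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: str
    amount: Decimal  # negative values are debits
    memo: str


# Constructed sample ledger (what the bank actually recorded); not real data.
OPENING_BALANCE = Decimal("1000.00")
LEDGER = [
    Txn("t1", Decimal("-42.10"), "grocery store"),
    Txn("t2", Decimal("-650.00"), "card-not-present purchase"),  # the fraud
    Txn("t3", Decimal("-15.00"), "coffee shop"),
]


def balance_after(txns, opening=OPENING_BALANCE):
    return opening + sum((t.amount for t in txns), Decimal("0"))


def mitb_rendered_view(txns, hidden_ids):
    """Model of step (e): the 'view transactions' page as the infected browser
    renders it. Flagged transactions are dropped and the displayed balance is
    recomputed from what remains, so the page stays internally consistent."""
    shown = [t for t in txns if t.txn_id not in hidden_ids]
    return shown, balance_after(shown)


def reconcile(displayed_txns, displayed_balance, statement_txns, statement_balance):
    """Out-of-band reconciliation: compare the browser view against a statement
    the malware cannot rewrite (paper, PDF, SMS). A transaction missing from the
    view or a non-zero balance gap is the red flag."""
    shown_ids = {t.txn_id for t in displayed_txns}
    missing = [t.txn_id for t in statement_txns if t.txn_id not in shown_ids]
    gap = displayed_balance - statement_balance  # positive: balance overstated
    return {"missing_ids": missing, "balance_gap": gap,
            "suspicious": bool(missing) or gap != 0}


def demo():
    statement_balance = balance_after(LEDGER)
    shown, shown_balance = mitb_rendered_view(LEDGER, hidden_ids={"t2"})
    return reconcile(shown, shown_balance, LEDGER, statement_balance)
```

The tampered view passes any check done inside the browser, since its transactions and balance agree with each other; only the comparison with the independent statement shows the 650.00 overstatement.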

To protect against this type of attack, users should keep browser and antivirus software up to date. Chrome, Firefox, Internet Explorer, Opera, and Safari all employ phishing and malware blacklists, but such anti-phishing settings can be disabled.

To help ward off nasties like SpyEye, make sure your browser's anti-phishing option is on.

3 Responses to SpyEye bank Trojan hides its fraud footprint

  1. Jay Gates · 928 days ago

    Customers should always use PDF versions of their monthly statement to reconcile their account activity, at a minimum. Not that this is fool-proof. Also, out-of-band means of verifying account balances (e.g., text messaging and via phone) should be available.

  2. Jeema · 927 days ago

    I have IE 8. I cannot find any "anti-phishing option" to set.

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.