SpyEye bank Trojan hides its fraud footprint

SpyEyeThis Christmas, banks were visited by the ghost of malware past: an ever nastier version of SpyEye that manages to hide fraudulent transactions from unsuspecting victims.

Security vendor Trusteer last year found SpyEye targeting transactions at major UK banks. SpyEye is a tweak of the Zeus crimeware kit that grabs web form data within browsers.

This year, right before the recent holiday season, Trusteer found a hopped-up version of SpyEye attacking banks in the U.S. and U.K.

The new Trojan, instead of intercepting or diverting email messages, hides bogus transactions even after users have logged out and then logged back into their accounts.

This version of SpyEye both hides the fraudulent transaction and masks the amount of the transaction, putting forward a fake balance and ensuring that victims are oblivious to anything being amiss.

The brief version of how it works:

  1. SpyEye launches a man-in-the-browser attack on an online banking session to steal debit card data.
  2. Crooks commit fraud with the debit card data.
  3. The next time the customer logs into an online banking site, SpyEye launches a post-transaction attack that hides the fraudulent transactions from the victim.

Here’s Trusteer’s detailed description of how it goes down:

Step 1 – Malware Post-Login Attack - Credentials Stolen:

a. Fraudsters infect the victim’s machine with Man in the Browser malware (any MitB malware, e.g. Zeus, SpyEye, Carberp), with a suitable configuration.

b. The malware is configured to ask the customer for debit card data during the login phase (HTML injection) – e.g. card number, CVV2, expiration month and year, etc.

Step 2 – Fraudster Commits Fraudulent Activity:

c. With the customer’s debit card details, the cybercriminals then commit card-not-present transaction fraud by making a purchase or transferring money over the telephone or the internet.

d. The fraudsters immediately feed the fraudulent transaction details to the malware control panel.

Step 3 – Malware Post-Transaction Attack with Fraud Hidden from View:

e. The next time the victim visits their online banking site, the malware hides (“replaces”) the fraudulent transactions in the “view transactions” page, as well as artificially changing the total fraudulent transaction amount to balance the totals. As a result, the deceived customer has no idea that their account has been ‘taken over’, nor that any fraudulent transactions have taken place

As Trusteer points out, paper statements will eventually reveal SpyEye’s antics. But how many online banking users still get them? Given banks’ push to go paperless, the thievery could go undetected for months.

Anti-phishing zoneTo protect against this type of attack, users should keep browser and antivirus software up to date. Chrome, Firefox, Internet Explorer, Opera, and Safari all employ phishing and malware blacklists, but such anti-phishing settings can be disabled.

To help ward off nasties like SpyEye, make sure your browser’s anti-phishing option is on.