SpyEye Trojan Targets Online Banking Security Systems

When the attack succeeds, thieves can gain access to a customer's account and perform transactions

Researchers have discovered a new attack by a popular malware program, the SpyEye Trojan, that is aimed at cracking security schemes that use text messaging to send confirmation codes to consumers so they can confirm transactions from their accounts.

The research team at Trusteer said the attack allows the thieves to change the mobile phone number in a consumer's online banking account and reroute text messages to the criminal’s phone. That allows them to perform transactions on the consumer's account without their knowledge.

According to the researchers, the attack works like this:

The malware first compromises the login information to the consumer's account. That allows a thief to access the account without being detected by the bank or consumer.

Next, a bit of social engineering needs to be employed to obtain the confirmation code originally used to activate the consumer's mobile phone number with the bank.

That's done by the malware injecting a phony page into the Web browser on the consumer's phone. The page, which looks like one from the consumer's bank, says a new security system is being implemented by the bank. All customers are being issued a unique telephone number, it says, and will receive a special SIM card in the mail.

However, to participate in the mandatory program, a consumer must register with the bank. Part of that registration process includes typing the original confirmation code into the webpage where, of course, the Black Hats can capture it.

Armed with that code, the bandits can log in to the consumer's account and change the cellphone number associated with it. Once that's done, they can divert funds from the consumer's accounts until the consumer logs in and sees the unauthorized withdrawals or expenditures.
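The flow above hinges on two bank-side weaknesses: the original activation code is accepted as proof of identity when the SMS number is changed, and transfers are allowed immediately after the change. The following is an added example, not code from the article or from Trusteer, sketching two controls a bank could apply: the change must be confirmed with a fresh one-time code sent to the number currently on file, and transfers inside a cooling-off window after a change are held or flagged. Account, the thresholds and the phone numbers are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import hmac
import secrets

COOLING_OFF = timedelta(hours=48)   # assumed policy window after a number change
REVIEW_LIMIT = 500.0                # assumed amount above which transfers are held


@dataclass
class Account:
    phone: str                              # number that currently receives SMS codes
    pending_code: str = ""                  # fresh OTP sent to the *current* phone
    pending_new_phone: str = ""
    phone_changed_at: Optional[datetime] = None
    log: list = field(default_factory=list)


def request_phone_change(acct: Account, new_phone: str) -> str:
    """Issue a fresh, single-use code to the CURRENT number. The returned value
    stands in for what the SMS gateway would deliver to the old handset."""
    acct.pending_code = f"{secrets.randbelow(10**6):06d}"
    acct.pending_new_phone = new_phone
    acct.log.append(("change_requested", new_phone))
    return acct.pending_code


def confirm_phone_change(acct: Account, code: str, now: datetime) -> bool:
    """Only whoever holds the current phone can finish the change. The static
    activation code harvested by the fake 'new SIM' page is never consulted."""
    if not acct.pending_code or not hmac.compare_digest(code, acct.pending_code):
        acct.log.append(("change_rejected", now))
        return False
    acct.phone, acct.phone_changed_at = acct.pending_new_phone, now
    acct.pending_code = acct.pending_new_phone = ""   # code is consumed
    acct.log.append(("change_confirmed", now))
    return True


def assess_transfer(acct: Account, amount: float, now: datetime) -> str:
    """Transfers shortly after a number change get extra scrutiny: large ones
    are held for manual review, small ones go through but trigger a notice
    over a channel other than the newly registered phone."""
    if acct.phone_changed_at and now - acct.phone_changed_at <= COOLING_OFF:
        return "hold" if amount >= REVIEW_LIMIT else "allow_and_notify"
    return "allow"
```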

"This latest SpyEye configuration demonstrates that out-of-band authentication systems, including SMS-based solutions, are not fool-proof," the researchers concluded.

"Using a combination of MITB (man in the browser injection) technology and social engineering, fraudsters ... buy themselves more time since the transactions have been verified and fly under the radar of fraud detection systems," they continued.

"The only way to defeat this new attack once a computer has been infected with SpyEye is using endpoint security that blocks MITB techniques," they added. "Without a layered approach to security, even the most sophisticated OOBA schemes can be made irrelevant under the right circumstances."

Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.
