The SpyEye Trojan has a well-earned place of respect in the cyber-underground as an adaptable and effective piece of malware. Those same traits have also made it a bane for countless victims and the security community, and new research by Trend Micro provides yet another reminder of why.
According to Trend Micro, a hacker in his early 20s known by the cyber-alias “Soldier” led a bank fraud operation that netted $3.2 million in six months. Powered by the SpyEye crimeware kit and aided by money mules and an accomplice believed to reside in Hollywood, Soldier commanded a botnet of more than 25,000 computers between April 19 and June 29 that compromised bank accounts and made off with the profits.
Most of the victims were in the U.S., but there were a handful of victims in 90 other countries as well. Among the affected organizations were banks, educational facilities and government agencies.
“Using the IP addresses of the victims that were recorded by the SpyEye command and control server, we were able to determine the network to which the IP address was assigned,” blogged Loucif Kharouni, senior threat researcher at Trend Micro. “We found that a wide variety of large organizations and US multi-nationals in a variety of sectors were represented in the victim population.”
“We do not believe these large organizations and US multi-nationals were originally the intended target, we instead believe that they were impacted following end user compromise,” the researcher continued. “Bots (infected victim systems) are routinely sold to other criminals who perform other data-stealing activities, thereby making these networks vulnerable to further compromise and possible fraud.”
Of the 25,394 systems infected by the operation between April 19 and June 29, 57 percent were Windows XP computers. Some 4,500, or 18 percent, were running Windows 7.
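The attribution step Kharouni describes, taking victim IPs recorded by the C2 and resolving each to the network it is assigned to, then tallying the result by organisation and operating system, looks roughly like the following. This is an added illustration, not Trend Micro's tooling: the C2 log lines and the CIDR-to-organisation table are constructed (RFC 5737 documentation prefixes, hypothetical organisation names) standing in for real C2 data and whois/ASN lookups.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of a C2 "victim" log: timestamp, bot source IP and the
# OS string the bot reported. Hypothetical data, not from the real botnet.
SAMPLE_C2_LOG = """\
2011-05-02T10:14:03Z 198.51.100.23 WinXP
2011-05-02T10:15:11Z 198.51.100.87 Win7
2011-05-02T11:02:45Z 203.0.113.9 WinXP
2011-05-02T11:40:19Z 192.0.2.140 WinXP
2011-05-02T12:01:58Z 192.0.2.77 Win7
2011-05-02T12:30:06Z 203.0.113.200 Vista
2011-05-03T08:12:32Z 198.51.100.23 WinXP
"""

# Constructed allocation table standing in for whois/ASN data. The two
# 192.0.2.x entries overlap in prefix length on purpose, to show that the
# lookup must be longest-prefix-match, not first-match.
NETWORK_TABLE = {
    "198.51.100.0/24": "Example Multinational Corp",
    "203.0.113.0/24": "Example State University",
    "192.0.2.0/25": "Example City Government",
    "192.0.2.128/25": "Example Residential ISP",
}


def build_lookup(table):
    """Parse the CIDR table and order it most-specific first."""
    return sorted(
        ((ipaddress.ip_network(cidr), org) for cidr, org in table.items()),
        key=lambda entry: entry[0].prefixlen,
        reverse=True,
    )


def lookup_org(ip, networks):
    """Longest-prefix match of one address against the ordered table."""
    addr = ipaddress.ip_address(ip)
    for net, org in networks:
        if addr in net:
            return org
    return "unknown"


def parse_c2_log(text):
    """Return {ip: os} for each distinct bot IP, keeping its first sighting.

    Deduplicating on IP undercounts bots behind corporate NAT (several hosts
    share one egress address); a real C2 log would be keyed on bot ID instead.
    """
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the run
        _ts, ip, os_name = parts
        seen.setdefault(ip, os_name)
    return seen


def attribute_victims(log_text, table):
    """Map each bot to an organisation and count OS versions per organisation."""
    networks = build_lookup(table)
    by_org = defaultdict(Counter)
    for ip, os_name in parse_c2_log(log_text).items():
        by_org[lookup_org(ip, networks)][os_name] += 1
    return by_org


def os_share(by_org):
    """Overall OS breakdown in whole percentages across all organisations."""
    total = Counter()
    for counts in by_org.values():
        total.update(counts)
    n = sum(total.values())
    return {os_name: round(100 * cnt / n) for os_name, cnt in total.items()}


if __name__ == "__main__":
    result = attribute_victims(SAMPLE_C2_LOG, NETWORK_TABLE)
    for org, counts in sorted(result.items()):
        print(f"{org}: {dict(counts)}")
    print("OS share:", os_share(result))
```

The point Kharouni makes follows directly from this kind of table: a bot whose IP resolves to a large organisation's allocation says only that an employee machine on that network was infected, not that the organisation was picked as a target. Two further caveats apply to any IP-based attribution of this sort: egress NAT collapses many infected hosts into one address, and DHCP or mobile addresses drift over a ten-week window, so a per-IP count over the whole period is a lower bound on compromised systems and an upper bound on distinct networks.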
SpyEye was in the news for other reasons earlier this week when news broke that a version of the Trojan was observed targeting Android devices.
“Because the cyber-criminals are so good at socially engineering their victims into installing their crimeware agents (whether that be at the PC or mobile level), merely shifting the banking authentication process to another device (i.e. the mobile phone) does not pose a significant problem to the criminals,” Gunter Ollmann, vice president of research at Damballa, told SecurityWeek. “Financial institutes need to focus on back-office correlation and anomaly detection systems to identify fraud attempts – rather than continually try to push security components into their customer’s hands. Cyber-criminals will always be able to defeat consumer security solutions because they are smarter than the ‘average’ customer that a bank is developing their security solution for.”
He added that the attention malware authors are paying towards mobile devices may be driven by banks increasingly moving multi-factor authentication processes to mobile phones.
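To make Ollmann's point concrete, the following is an added sketch (not Damballa's or any bank's system) of the kind of back-office scoring he is arguing for: each outgoing transfer is compared against the account's own history rather than against anything the customer's device reports. The transfer records, rule weights and the hold threshold are all constructed assumptions. The scenario is the one the article describes: a banking Trojan on the victim's own PC submits transfers to freshly recruited money mules, so the session IP and device look perfectly normal and only the beneficiary, amount and velocity anomalies stand out.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Transfer:
    account: str
    ts: datetime
    beneficiary: str
    amount: float
    src_ip: str
    country: str


# Constructed history for one account: rent and a utility bill, always from
# the customer's home connection. Hypothetical data.
HISTORY = [
    Transfer("acct-1", datetime(2011, 3, 1, 9, 0), "rent-landlord", 1200.0, "198.51.100.23", "US"),
    Transfer("acct-1", datetime(2011, 3, 15, 18, 30), "utility-co", 90.0, "198.51.100.23", "US"),
    Transfer("acct-1", datetime(2011, 4, 1, 9, 2), "rent-landlord", 1200.0, "198.51.100.23", "US"),
]

# Constructed incoming transfers: one legitimate rent payment, then two
# Trojan-initiated transfers to mule accounts from the victim's own PC.
INCOMING = [
    Transfer("acct-1", datetime(2011, 5, 1, 9, 0), "rent-landlord", 1200.0, "198.51.100.23", "US"),
    Transfer("acct-1", datetime(2011, 5, 2, 9, 5), "mule-john-d", 4900.0, "198.51.100.23", "US"),
    Transfer("acct-1", datetime(2011, 5, 2, 9, 25), "mule-jane-k", 4800.0, "198.51.100.23", "US"),
]


def build_baseline(history):
    """Per-account profile of what 'normal' has looked like so far."""
    base = defaultdict(lambda: {"beneficiaries": set(), "max_amount": 0.0,
                                "countries": set(), "ips": set()})
    for t in history:
        b = base[t.account]
        b["beneficiaries"].add(t.beneficiary)
        b["max_amount"] = max(b["max_amount"], t.amount)
        b["countries"].add(t.country)
        b["ips"].add(t.src_ip)
    return base


def score_transfer(t, baseline, recent, velocity_window=timedelta(hours=1)):
    """Additive rule score; weights are illustrative assumptions.

    The source-IP rule is deliberately weak: when the malware runs on the
    customer's own machine the IP is the customer's, so device and network
    signals cannot carry the decision on their own.
    """
    b = baseline[t.account]
    reasons = []
    if t.beneficiary not in b["beneficiaries"]:
        reasons.append(("new beneficiary", 3))
    if t.amount > 1.5 * b["max_amount"]:
        reasons.append(("amount above 1.5x historical max", 2))
    if t.country not in b["countries"]:
        reasons.append(("new country", 3))
    if t.src_ip not in b["ips"]:
        reasons.append(("new source IP", 1))
    burst = [r for r in recent
             if r.account == t.account and timedelta(0) <= t.ts - r.ts <= velocity_window]
    if burst:
        reasons.append(("another transfer within velocity window", 2))
    return sum(w for _, w in reasons), reasons


def review(history, incoming, threshold=5):
    """Score transfers in time order; return (beneficiary, score, decision, reasons)."""
    baseline = build_baseline(history)
    recent, decisions = [], []
    for t in sorted(incoming, key=lambda x: x.ts):
        score, reasons = score_transfer(t, baseline, recent)
        decision = "HOLD" if score >= threshold else "ALLOW"
        decisions.append((t.beneficiary, score, decision, reasons))
        recent.append(t)
    return decisions


if __name__ == "__main__":
    for beneficiary, score, decision, reasons in review(HISTORY, INCOMING):
        print(f"{decision:5} {score:2} {beneficiary:14} {[r for r, _ in reasons]}")
```

Run as written, the rent payment scores 0 and is allowed; the first mule transfer trips the new-beneficiary and amount rules and is held; the second, twenty minutes later, adds the velocity rule as well. Note that a held transfer never changes the baseline here, so a burst of mule payments does not teach the profile that mules are normal.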
Compromises on the scale Soldier was involved in are not unusual for cyber-criminals using toolkits, Kharouni blogged, but that doesn’t mean the amount stolen isn’t cause for concern. “Such information gives us a clearer view of what goes on within a botnet as prominent as those created with SpyEye,” the researcher wrote. “As we attain more information on how cybercriminals do business, their targets, and what kind of information they seek, hopefully it will lead us to discover how to dismantle these operations and prevent them from stealing users’ hard-earned money.”