Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

SpyEye Banking Trojan Updated to Cover its Tracks

A cyber-crime operation using the SpyEye Trojan was spotted around the holidays with a new trick up its sleeve for dodging detection.

According to Trusteer, fraudsters targeting online bankers were observed attempting to cover their digital tracks on infected computers by concealing their unauthorized transactions.

A cyber-crime operation using the SpyEye Trojan was spotted around the holidays with a new trick up its sleeve for dodging detection.

According to Trusteer, fraudsters targeting online bankers were observed attempting to cover their digital tracks on infected computers by concealing their unauthorized transactions.

SpyEye Trojan Hides Fraudulent Transactions“Post transaction attacks, as the name implies, occur after the evil deed has already been done and the account holder has closed the online banking session,” blogged Amit Klein, chief technology officer at Trusteer. “These are designed to conceal illegitimate activity for as long as possible to either allow money to transfer to its final destination – uninterrupted, or continue to control the account and perform further transactions.”

The SpyEye configuration was aimed at banking customers in the U.S. and U.K., Klein explained. The attack works by manipulating the bank account transaction webpage the customer sees. The malware asks the customer for debit card data during the login phase, which the attacker steals and uses to make transfers and purchases. The next time the victim visits their online banking site, the malware then replaces the fraudulent transactions in the “view transactions” page, and artificially changes the total fraudulent transaction to balance the totals.

The end result, Klein continued, is the victim has no idea their account has been compromised.

“Of course, if the victim still receives statements through the mail, the transactions will eventually be detected,” he noted. “However, with many customers encouraged to ‘go paperless’, it could take many months before the fraudulent activity is identified.”

Malware writers are continually using different tactics to cover their tracks or make the lives of the security community more difficult. A clear example of this can been seen in the infamous Conficker worm, which disabled antivirus updates blocking infected computers from accessing the Websites of security vendors.

SpyEye has long been popular among cyber-criminals. A recent Trend Micro analysis of a SpyEye-backed operation led by a hacker using the alias “Soldier” led a bank fraud operation that netted millions of dollars in the span of several months. As of July 2011, the basic toolkit was selling for $2,000, but the price could reach as high as $10,000 depending on the number of plug-ins an attacker wanted to purchase, according to Trend Micro.

“I predict that the use of post transaction attack technology will significantly increase as it enables criminals to maximise (sic) the amount of fraud they can commit using their initial investment in malware toolkits and infection mechanisms with little additional effort as it is cheap to buy and easy to use,” Klein blogged. “As always, we advise individuals to install additional layers of security on their computers, with particular emphasis on browser protection, to enable safe online banking.”

Related Content: Three Malware Trends to Watch in 2012

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.