SpyEye Banking Trojan Updated to Cover its Tracks

A cyber-crime operation using the SpyEye Trojan was spotted around the holidays with a new trick up its sleeve for dodging detection.

According to Trusteer, fraudsters targeting online bankers were observed attempting to cover their digital tracks on infected computers by concealing their unauthorized transactions.

“Post transaction attacks, as the name implies, occur after the evil deed has already been done and the account holder has closed the online banking session,” blogged Amit Klein, chief technology officer at Trusteer. “These are designed to conceal illegitimate activity for as long as possible to either allow money to transfer to its final destination – uninterrupted, or continue to control the account and perform further transactions.”

The SpyEye configuration was aimed at banking customers in the U.S. and U.K., Klein explained. The attack works by manipulating the bank account transaction webpage the customer sees. The malware asks the customer for debit card data during the login phase, which the attacker steals and uses to make transfers and purchases. The next time the victim visits their online banking site, the malware then replaces the fraudulent transactions in the “view transactions” page, and artificially changes the total fraudulent transaction to balance the totals.

The end result, Klein continued, is the victim has no idea their account has been compromised.

“Of course, if the victim still receives statements through the mail, the transactions will eventually be detected,” he noted. “However, with many customers encouraged to ‘go paperless’, it could take many months before the fraudulent activity is identified.”

Malware writers are continually using different tactics to cover their tracks or make the lives of the security community more difficult. A clear example of this can been seen in the infamous Conficker worm, which disabled antivirus updates blocking infected computers from accessing the Websites of security vendors.

SpyEye has long been popular among cyber-criminals. A recent Trend Micro analysis of a SpyEye-backed operation led by a hacker using the alias “Soldier” led a bank fraud operation that netted millions of dollars in the span of several months. As of July 2011, the basic toolkit was selling for $2,000, but the price could reach as high as $10,000 depending on the number of plug-ins an attacker wanted to purchase, according to Trend Micro.

“I predict that the use of post transaction attack technology will significantly increase as it enables criminals to maximise (sic) the amount of fraud they can commit using their initial investment in malware toolkits and infection mechanisms with little additional effort as it is cheap to buy and easy to use,” Klein blogged. “As always, we advise individuals to install additional layers of security on their computers, with particular emphasis on browser protection, to enable safe online banking.”

Related Content: Three Malware Trends to Watch in 2012