SpyEye Trojan Targets Online Banking Security Systems

When the attack succeeds, thieves can gain access to a customer's account and perform transactions

Researchers have discovered a new attack by a popular malware program, the SpyEye Trojan, that is aimed at cracking security schemes that use text messaging to send confirmation codes to consumers so they can confirm transactions from their accounts.

The research team at Trusteer said the attack allows the thieves to change the mobile phone number in a consumer's online banking account and reroute text messages to the criminal’s phone. That allows them to perform transactions on the consumer's account without their knowledge.

According to the researchers, the attack works like this:

The malware first compromises the login information to the consumer's account. That allows a thief to access the account without being detected by the bank or consumer.

Next, a bit of social engineering needs to be employed to obtain the confirmation code originally used to activate the consumer's mobile phone number with the bank.

That's done by the malware injecting a phony page into the Web browser on the consumer's phone. The page, which looks like one from the consumer's bank, says a new security system is being implemented by the bank. All customers are being issued a unique telephone number, it says, and will receive a special SIM card in the mail.

However, to participate in the mandatory program, a consumer must register with the bank. Part of that registration process includes typing the original confirmation code into the webpage where, of course, the Black Hats can capture it.

Armed with that code, the bandits can log in to the consumer's account and change the cellphone number associated with it. Once that's done, they can divert funds from the consumer's accounts until the consumer logs in and sees the unauthorized withdrawals or expenditures.

"This latest SpyEye configuration demonstrates that out-of-band authentication systems, including SMS-based solutions, are not fool-proof," the researchers concluded.

"Using a combination of MITB (man in the browser injection) technology and social engineering, fraudsters ... buy themselves more time since the transactions have been verified and fly under the radar of fraud detection systems," they continued.

"The only way to defeat this new attack once a computer has been infected with SpyEye is using endpoint security that blocks MITB techniques," they added. "Without a layered approach to security, even the most sophisticated OOBA schemes can be made irrelevant under the right circumstances."

Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.