SpyEye Trojan morphs to defeat online banking defenses

The malware can now apparently detect transaction monitoring systems use to protect online banking sessions

Banks are facing more trouble from SpyEye, a piece of malicious software that steals money from people's online bank accounts, according to new research from security vendor Trusteer.

SpyEye is a particularly nasty piece of malicious software: it can harvest credentials for online accounts and also initiate transactions as a person is logged into their account, literally making it possible to watch their bank balance drop by the second.

In its latest versions, SpyEye has been modified with new code designed to evade advanced systems banks have put in place to try and block fraudulent transactions, said Mickey Boodai, Trusteer's CEO.

Banks are now analyzing how a person uses their site, looking at parameters such as how many pages a person looks at on the site, the amount of time a person spends on a page and the time it takes a person to execute a transaction. Other indicators include IP address, such as if a person who normally logs in from the Miami area suddenly logs in from St. Petersburg, Russia.

SpyEye works fast, and can automatically and quickly initiate a transaction much faster than an average person manually on the website. That's a key trigger for banks to block a transaction. So SpyEye's authors are now trying to mimic -- albeit in an automated way -- how a real person would navigate a website.

"They used to pay less attention to the way they execute transactions on the bank's website and now they are really trying to show normal user patterns," Boodai said. "

Boodai said he has little idea of how successful SpyEye's new evasion code is, although Trusteer does collect intelligence from banks that have distributed its browser security tool, Rapport, to their customers. Trusteer has also noticed that SpyEye in recent months has expanded the number of financial institutions it is able to target in an increasing number of countries.

New target countries include Russia, Saudi Arabia, Bahrain, Oman, Venezuela, Belarus, Ukraine, Moldova, Estonia, Latvia, Finland, Japan, Hong Kong and Peru. What that means is that more criminal groups around the world are purchasing the SpyEye toolkit, Boodai said.

Police have had some limited successes. In April, a 26-year-old Lithuanian and a 45-year-old Latvian were charged with conspiracy to cause unauthorized modifications to computers, conspiracy to defraud and concealing proceeds from crime for allegedly using SpyEye. A third, 26-year-old man whose nationality was not revealed was bailed pending further questioning.

SpyEye is actually a botnet with a network of command-and-control servers hosted around the world. As of Tuesday, some 46 command-and-control servers were online, according to the SpyEye Tracker, a website dedicated to gathering statistics about the malicious software.

That is sharply up. In May, there were just 20 or so active servers responding to computers that were infected with SpyEye, said Roman Hüssy, who runs the site.

"SpyEye is growing quite well," he said.

Send news tips and comments to jeremy_kirk@idg.com

Tags Trusteeronline safetysecuritydata breachdata protectionExploits / vulnerabilitiesspywaremalware

Recommended

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?