SpyEye steals banking codes by sending them to wrong phone

Circumvents mobile SMS security procedures

Researchers from browser security vendor Trusteer have identified a new variant of the SpyEye financial Trojan that tricks online banking users into changing the phone numbers associated with their accounts.

"The Trusteer research team recently uncovered a stealth new attack carried out by the SpyEye Trojan that circumvents mobile SMS (short message service) security measures implemented by many banks," said Amit Klein, Trusteer's chief technology officer, in a blog post.

"This attack, when successful, enables the thieves to make transactions on the user's account and confirm the transactions without the user's knowledge," he warned.

In a recent report, Trusteer named SpyEye and ZeuS as the most serious threats faced by financial institutions and their customers. These banking Trojans are capable of executing what are known as man-in-the-browser attacks by injecting rogue code into websites displayed on the computers they infect.

This allows them, for example, to modify forms on online banking websites by adding fields to capture sensitive data or to hide the real account balance after an unauthorized transaction was performed so the account owner doesn't notice.

Fortunately, for the last couple of years more and more banks have wised up to such techniques and countered them by introducing additional security checks. One of them requires account holders to confirm that they initiated a transaction by inputting a one-time-use code sent to their mobile phone via SMS.

These restrictions forced banking Trojan creators to come up with methods of obtaining mobile transaction authorization numbers (mTANs) and changing the phone number on record is one of them.

Once a user logs into their online banking account from a computer infected with the new SpyEye variant, they receive an alert which appears to come from the bank and informs them of a new security requirement.

The fake message claims that a unique telephone number will be assigned to the customer for fraud reduction purposes and asks them to confirm the procedure by inputting the code sent to their current phone.

In the background the Trojan actually initiates a phone number change request, the SMS code received by the victim being the key to complete the process. Following a successful attack, the fraudsters gain the ability to transfer funds out of the account at will.

"This latest SpyEye configuration demonstrates that out-of-band authentication (OOBA) systems, including SMS-based solutions, are not fool-proof," Trusteer's Amit Klein warned.

"Using a combination of MITB (man in the browser injection) technology and social engineering, fraudsters are not only able to bypass OOBA but also buy themselves more time since the transactions have been verified and fly under the radar of fraud detection systems," he added.

This is not the only method used by ZeuS and SpyEye gangs to steal mTANs, however. Another technique is to trick victims into installing a spyware application on their phones by passing it off as a component required by the bank. This is called a man-in-the-mobile (MitMo) attack.

Users should check the authenticity of all announcements received through online banking systems by calling the corresponding financial institution over the phone, especially if those messages ask them to perform certain actions.

Tags Internet-based applications and servicestelecommunicationfinancespywareinternetExploits / vulnerabilitiesindustry verticalsfraudTrusteersecurityAccess control and authenticationDesktop securitymobile securityscams

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?