SpyEye steals banking codes by sending them to wrong phone

Circumvents mobile SMS security procedures

Researchers from browser security vendor Trusteer have identified a new variant of the SpyEye financial Trojan that tricks online banking users into changing the phone numbers associated with their accounts.

"The Trusteer research team recently uncovered a stealth new attack carried out by the SpyEye Trojan that circumvents mobile SMS (short message service) security measures implemented by many banks," said Amit Klein, Trusteer's chief technology officer, in a blog post.

"This attack, when successful, enables the thieves to make transactions on the user's account and confirm the transactions without the user's knowledge," he warned.

In a recent report, Trusteer named SpyEye and ZeuS as the most serious threats faced by financial institutions and their customers. These banking Trojans are capable of executing what are known as man-in-the-browser attacks by injecting rogue code into websites displayed on the computers they infect.

This allows them, for example, to modify forms on online banking websites by adding fields to capture sensitive data or to hide the real account balance after an unauthorized transaction was performed so the account owner doesn't notice.

Fortunately, for the last couple of years more and more banks have wised up to such techniques and countered them by introducing additional security checks. One of them requires account holders to confirm that they initiated a transaction by inputting a one-time-use code sent to their mobile phone via SMS.

These restrictions forced banking Trojan creators to come up with methods of obtaining mobile transaction authorization numbers (mTANs) and changing the phone number on record is one of them.

Once a user logs into their online banking account from a computer infected with the new SpyEye variant, they receive an alert which appears to come from the bank and informs them of a new security requirement.

The fake message claims that a unique telephone number will be assigned to the customer for fraud reduction purposes and asks them to confirm the procedure by inputting the code sent to their current phone.

In the background the Trojan actually initiates a phone number change request, the SMS code received by the victim being the key to complete the process. Following a successful attack, the fraudsters gain the ability to transfer funds out of the account at will.

"This latest SpyEye configuration demonstrates that out-of-band authentication (OOBA) systems, including SMS-based solutions, are not fool-proof," Trusteer's Amit Klein warned.

"Using a combination of MITB (man in the browser injection) technology and social engineering, fraudsters are not only able to bypass OOBA but also buy themselves more time since the transactions have been verified and fly under the radar of fraud detection systems," he added.

This is not the only method used by ZeuS and SpyEye gangs to steal mTANs, however. Another technique is to trick victims into installing a spyware application on their phones by passing it off as a component required by the bank. This is called a man-in-the-mobile (MitMo) attack.

Users should check the authenticity of all announcements received through online banking systems by calling the corresponding financial institution over the phone, especially if those messages ask them to perform certain actions.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags Internet-based applications and servicestelecommunicationfinanceindustry verticalsExploits / vulnerabilitiesinternetspywarefraudTrusteersecuritymobile securityDesktop securityAccess control and authenticationscams

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?