Feeds

SpyEye banking trojan: now with SMS hijacking capability

One-time passwords zapped to fraudsters

Securing Web Applications Made Simple and Scalable

The SpyEye banking trojan has acquired the ability to reroute one-time passwords sent to victims' cellphones, a measure that bypasses protections more and more financial institutions are adopting.

According to a blog post published Wednesday by a researcher from security firm Trusteer, SpyEye was recently observed trying to trick victims into reassigning the cellphone number they use to receive one-time passwords from their banks by SMS, or short message service. The social-engineering ploy is contained in fraudulent pages injected into their online banking sessions that falsely claim they have been assigned a unique telephone number dedicated for that purpose and a special SIM card will be received in the mail shortly.

Warning injected by SpyEye into online banking session

SpyEye injects this message (translated from Spanish) into some victims' online banking session.

“Now the fraudsters can receive all future SMS transaction verification codes for the hijacked account via their own telephone network,” Trusteer researcher Amit Klein wrote. “This allows them to use the SMS confirmation system to divert funds from the customer's account without their knowledge, while not triggering any fraud detection alarms.”

As the cost of online banking fraud has skyrocketed, many financial institutions have embraced the use of out-of-band authentication to reduce the effectiveness of SpyEye, ZeuS, and other trojans that steal online banking credentials entered into infected computers. The protections work by requiring customers to enter a one-time password sent by the bank to her phone before a large transaction is completed. The additional step often foils bank fraud even if a crook has the victim's user name and password.

In true cat-and-mouse fashion, malware developers have responded by building new features that bypass these countermeasures.

SpyEye, which recently merged with the ZeuS codebase, has been one of the leaders in figuring out new ways to defeat such countermeasures. Last month, SpyEye operators began bundling the it with malware that intercepts one-time passwords sent by SMS. SpyEye has been observed doing much the same thing to BlackBerry users, as well.

The fraudulent message claiming the cellphone number must be reassigned is injected into victims' online banking sessions by the SpyEye malware infecting their machines. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.