Feeds

SpyEye banking trojan: now with SMS hijacking capability

One-time passwords zapped to fraudsters

SANS - Survey on application security programs

The SpyEye banking trojan has acquired the ability to reroute one-time passwords sent to victims' cellphones, a measure that bypasses protections more and more financial institutions are adopting.

According to a blog post published Wednesday by a researcher from security firm Trusteer, SpyEye was recently observed trying to trick victims into reassigning the cellphone number they use to receive one-time passwords from their banks by SMS, or short message service. The social-engineering ploy is contained in fraudulent pages injected into their online banking sessions that falsely claim they have been assigned a unique telephone number dedicated for that purpose and a special SIM card will be received in the mail shortly.

Warning injected by SpyEye into online banking session

SpyEye injects this message (translated from Spanish) into some victims' online banking session.

“Now the fraudsters can receive all future SMS transaction verification codes for the hijacked account via their own telephone network,” Trusteer researcher Amit Klein wrote. “This allows them to use the SMS confirmation system to divert funds from the customer's account without their knowledge, while not triggering any fraud detection alarms.”

As the cost of online banking fraud has skyrocketed, many financial institutions have embraced the use of out-of-band authentication to reduce the effectiveness of SpyEye, ZeuS, and other trojans that steal online banking credentials entered into infected computers. The protections work by requiring customers to enter a one-time password sent by the bank to her phone before a large transaction is completed. The additional step often foils bank fraud even if a crook has the victim's user name and password.

In true cat-and-mouse fashion, malware developers have responded by building new features that bypass these countermeasures.

SpyEye, which recently merged with the ZeuS codebase, has been one of the leaders in figuring out new ways to defeat such countermeasures. Last month, SpyEye operators began bundling the it with malware that intercepts one-time passwords sent by SMS. SpyEye has been observed doing much the same thing to BlackBerry users, as well.

The fraudulent message claiming the cellphone number must be reassigned is injected into victims' online banking sessions by the SpyEye malware infecting their machines. ®

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.