
SpyEye now hijacking users banking text messages using subversive techniques

07 October 2011

Trusteer has revealed that the SpyEye online banking trojan has been modified once again, this time to hijack authentication text messages from banks and other financial institutions.

Although only used by a handful of banks in the UK and US, text message authentication is increasingly being used by financial institutions across Europe as a means of transmitting one-time TANs (transaction authentication numbers) to banking users. These TANs are then used to authenticate and authorize a given transaction, typically a transfer or payment to another account or utility company.

According to Amit Klein, Trusteer's CTO, after stealing an online banking user's account credentials, the malware changes the victim's phone number of record in the online banking application to one of several random attacker-controlled numbers, using a stolen confirmation code.

Now comes the nasty bit, as SpyEye injects a fraudulent page in the customer’s browser. The page appears to be from the online banking application and indicates that a new security system is now 'required' by the bank, for which customers must register.

Under the 'new security process', the customer is told they will be assigned a unique telephone number and will receive a special SIM card in the mail. The user is then instructed to enter the personal confirmation number they receive on their mobile telephone into the fake web page in order to complete the registration process for the new security system.

It's at this point, said Klein, that the criminals steal the confirmation code they need to authorize changing the customer’s mobile number, meaning they receive all future SMS transaction verification codes for the hijacked account via their own cellular service.

The Trusteer CTO asserted that the only way to defeat this new attack once a computer has been infected with SpyEye is to use endpoint security that blocks man-in-the-browser techniques. Without a layered approach to security, he said, even the most sophisticated schemes can be negated under the right circumstances.

Klein added that this latest SpyEye configuration demonstrates that out-of-band authentication (OOBA) systems, including text-based solutions, are not fool-proof.

“Using a combination of man in the browser injection technology and social engineering, fraudsters are not only able to bypass OOBA but also buy themselves more time, since the transactions have been verified and fly under the radar of fraud detection systems”, he explained.
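The point in Klein's last remark is that a transfer whose TAN was typed correctly is treated as "verified" and escapes fraud review, even though the number receiving the TANs was changed a day earlier. The following is an added illustration, not code from Trusteer or from any bank: a constructed, hypothetical server-side review rule in which a valid SMS TAN is necessary but not sufficient. A transfer to a payee the account has never paid, made within a cooling-off window after the phone number of record was changed, is held for manual review rather than approved. Account fields, timestamps and payee names are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set


# Constructed account model (an assumption for this example, not a real
# banking schema): the number that receives SMS TANs, when it last changed,
# and the payees the customer has paid before.
@dataclass
class Account:
    phone_of_record: str
    known_payees: Set[str] = field(default_factory=set)
    phone_changed_at: Optional[datetime] = None
    previous_phone: Optional[str] = None


@dataclass
class Transfer:
    payee: str
    amount: float
    at: datetime
    tan_valid: bool  # True if the TAN typed back matched the one sent by SMS


def change_phone(account: Account, new_phone: str, now: datetime) -> None:
    """Record a change of the TAN delivery number.

    The old number is kept so the bank can still notify it, and the change
    time starts the cooling-off window used by review_transfer().
    """
    account.previous_phone = account.phone_of_record
    account.phone_of_record = new_phone
    account.phone_changed_at = now


def review_transfer(account: Account, t: Transfer,
                    cooling_off: timedelta = timedelta(days=7)) -> str:
    """Decide 'approve', 'hold' or 'reject' for one transfer.

    A wrong TAN is rejected outright. A correct TAN does NOT by itself make
    the transfer trusted: if the SMS number was changed inside the cooling-off
    window and the payee is unknown, the transfer is held for fraud review.
    Transfers to payees the customer has paid before are still approved, so
    the rule does not block ordinary bills after a genuine number change.
    """
    if not t.tan_valid:
        return "reject"
    recently_changed = (
        account.phone_changed_at is not None
        and (t.at - account.phone_changed_at) < cooling_off
    )
    if recently_changed and t.payee not in account.known_payees:
        return "hold"
    return "approve"


def simulate() -> List[str]:
    """Replay the sequence described in the article with constructed data."""
    base = datetime(2011, 10, 7, 9, 0)  # constructed timestamp
    acct = Account(phone_of_record="+44 7700 900123",
                   known_payees={"electricity-co"})
    decisions = []

    # Before any change: a routine payment, TAN delivered to the customer.
    decisions.append(review_transfer(
        acct, Transfer("electricity-co", 80.0, base, True)))

    # The number of record is changed (in the article, to an attacker-
    # controlled number, confirmed with a code the victim was tricked into
    # typing into the injected page).
    change_phone(acct, "+44 7700 900999", base + timedelta(hours=1))

    # Next day: a never-seen payee, TAN "verified" via the new number -> hold.
    decisions.append(review_transfer(
        acct, Transfer("new-payee", 2500.0, base + timedelta(days=1), True)))

    # Next day: the usual bill is still approved despite the change.
    decisions.append(review_transfer(
        acct, Transfer("electricity-co", 80.0, base + timedelta(days=1), True)))

    # After the window has passed the TAN alone decides again.
    decisions.append(review_transfer(
        acct, Transfer("new-payee", 2500.0, base + timedelta(days=30), True)))

    # A wrong TAN is always rejected.
    decisions.append(review_transfer(
        acct, Transfer("electricity-co", 80.0, base + timedelta(days=1), False)))
    return decisions


if __name__ == "__main__":
    for step, decision in enumerate(simulate(), 1):
        print(f"transfer {step}: {decision}")
```

The rule deliberately keys on the combination of a recent number change and an unknown payee, which is exactly the sequence the article describes; either signal alone would produce too many false holds. A cooling-off window of seven days is an assumed value, and a real deployment would also notify the previous number that the change took place.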
