Trusteer has discovered a configuration of Carberp that attempts to steal bank details from customers of the Freebox broadband service provided by French company Free. It uses the man-in-the-browser attack made infamous by Zeus and SpyEye. When infected users visit their online subscription page, the malware injects and displays a page claiming problems with their monthly subscription payment. It asks users to resubmit their payment card number, expiration date, security code (CVV2), bank name, bank address, zip code and city, and claims that this is necessary in order to maintain service.
Those details are then stolen.
Trusteer points out that this attack plays on two of the primary motivational emotions exploited by tricksters: fear and trust. Users generally build a level of trust with their broadband providers while simultaneously fearing the loss of their internet connectivity. The result is a particularly potent attack. “Most of us,” comments Trusteer researcher Tanya Shafir, “are extremely reliant on broadband services for work, entertainment, and shopping. When faced with the prospect of having our Internet connection turned off for not paying the monthly bill, it is easy to see how even the most security conscious users could fall prey to this type of scam.”
It also illustrates the adaptability of cybercriminals. Such man-in-the-browser attacks have hitherto largely been directed at banks and financial institutions. But banks are becoming better protected, not least by Trusteer’s own Rapport solution. “By launching MitB attacks that target customers of third party service providers, rather than the banks themselves, fraudsters can prey on the trust established between the victim and a non-financial entity like an ISP,” she adds.
It suggests that financial fraud malware such as Carberp, Zeus and SpyEye will increasingly be targeted at any website that can take online payments.