SpyEye Trojan post transaction fraud schemes attack banks

Many of us tend to spend a little more than we intend during the holiday season and, with all the transactions hitting our accounts, it can be hard to keep track. During the final few weeks of 2011, Trusteer saw fraudsters take advantage of this trend with their latest fraud scheme.

Historically we’ve typically seen man-in-the-browser attacks take place at one of the three possible online banking phases:

  • During the “login’ phase – designed to capture login credentials
  • At the “post login’ phase – with Webinjects used to social engineer, i.e. “trick’, the victim into providing personal information or downloading malware
  • At the transaction phase – tampering with transactions on-the-fly in the background, typically changing payee details and/or the amount.

“There is another, less discussed, form of man-in-the-browser attack – the post transaction attack,” said Amit Klein Trusteer’s CTO. “Post transaction attacks, as the name implies, occur after the evil deed has already been done and the account holder has closed the online banking session. These are designed to conceal illegitimate activity for as long as possible to either allow money to transfer to its final destination – uninterrupted, or continue to control the account and perform further transactions.”

Last year Trusteer noticed a Zeus configuration which targeted some major UK banks using an interesting injection into popular web-mail systems. At that time, this configuration aimed to hide email messages with specific text phrases it considered to be money transfer or payment confirmation emails.

Just before the recent holiday season, Trusteer came across a SpyEye configuration which attacks banks in the USA and UK. Instead of intercepting, or diverting, email messages the attack automatically manipulates the bank account transaction webpage the customer views.

The attack unfolds over through three major steps:

  • First a man-in-the-browser attack is launched on an online banking session and debit card data is captured
  • Then the debit card data is used to commit fraud
  • The next time the customer logs into their online banking site a post transaction attack is launched that hides fraudulent transactions from the victim.

Malware post-transaction attack in detail

Step 1: Malware post-login attack – credentials stolen

a. Fraudsters infect the victim’s machine with Man in the Browser malware (any MitB malware, e.g. Zeus, SpyEye, Carberp), with a suitable configuration.

b. The malware is configured to ask the customer for debit card data during the login phase (HTML injection) – e.g. card number, CVV2, expiration month and year, etc.

Step 2: Fraudster commits fraudulent activity

c. With the customer’s debit card details, the cybercriminals then commit card-not-present transaction fraud by making a purchase or transferring money over the telephone or the internet.

d. The fraudsters immediately feed the fraudulent transaction details to the malware control panel.

Step 3: Malware post-transaction attack with fraud hidden from view

e. The next time the victim visits their online banking site, the malware hides (“replaces”) the fraudulent transactions in the “view transactions” page, as well as artificially changing the total fraudulent transaction amount to balance the totals. As a result, the deceived customer has no idea that their account has been “taken over’, nor that any fraudulent transactions have taken place

Of course, if the victim still receives statements through the mail, the transactions will eventually be detected. However, with many customers encouraged to “go paperless’, it could take many months before the fraudulent activity is identified.

Amit Klein, Trusteer’s CTO said, “I predict that the use of post transaction attack technology will significantly increase as it enables criminals to maximise the amount of fraud they can commit using their initial investment in malware toolkits and infection mechanisms with little additional effort as it is cheap to buy and easy to use.”

Don't miss