New ‘SpyEye’ Malware Covers Thieves’ Tracks

Marcia Frellick

January 13, 2012

If you constantly check your account online, you’ll know if someone dipped into your funds, right? Not anymore.

Researchers at global computer security firm Trusteer have found that the latest version of SpyEye’s malware toolkit can help criminals sneak into bank accounts, use the information to commit fraud and then cover up their tracks so there’s no evidence of tampering when the account holder logs back on.

Trusteer’s chief technology officer Amit Klein says this new version, which is targeting banks in the U.S. and U.K., works like this:

SpyEye lurks as the user starts to log in to the banking site. While that’s happening, the malware injects fake prompts into the login page to ask for information such as debit card numbers, PINs and expiration dates.

“The user suspects the bank is just asking for this information as part of the login process,” Klein says.

The padlock symbol at the bottom right of the screen is still there, as is the “https” in the URL, which usually indicates a secure connection. Those indicators are genuine: the injection happens inside the browser, after the page has been decrypted, so the encrypted connection to the bank is never broken. Yet the personal information the user enters goes to a SpyEye server, and the criminal starts using the stolen information for transactions online or over the phone.

The next time the user logs in, SpyEye, which has kept a record of all the fraudster’s transactions, removes all evidence of the fraud from the pages the browser displays. Everything looks normal. That is, until the user checks a balance at an ATM, gets a monthly paper statement or checks the balance on a non-infected computer.
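One defensive check that follows from the mechanism described above is a page-integrity script, served by the bank with its own login page, that audits the rendered form for input fields the bank never put there. This is an added illustration, not code from Trusteer, SpyEye or the article; the expected field names and the sample forms are constructed for the example.

```javascript
// Added example (not from the article): audit a bank login form for injected fields.
// In a real page the field list would be read from the live DOM, e.g.
// [...document.querySelectorAll("form#login input")].map(fieldDescriptor).

// Fields the genuine login form is known to contain (assumed for this example).
const EXPECTED_LOGIN_FIELDS = new Set(["username", "password", "csrf_token"]);

// Heuristic: names or labels that a login form should never request. A match is
// the pattern the article describes (card number, PIN, expiry asked for at login).
const SENSITIVE_PATTERN = /(card|pan\b|pin|expir|cvv|cvc|security.?code)/i;

// Build a {name, label} descriptor from a DOM input element (browser only).
function fieldDescriptor(input) {
  const labelEl = input.id ? input.ownerDocument.querySelector(`label[for="${input.id}"]`) : null;
  return { name: input.name || "", label: labelEl ? labelEl.textContent : "" };
}

// Audit a list of {name, label} descriptors. Returns findings; [] means intact.
function auditLoginForm(observedFields, expected = EXPECTED_LOGIN_FIELDS) {
  const findings = [];
  for (const field of observedFields) {
    const name = (field.name || "").trim();
    const label = (field.label || "").trim();
    if (expected.has(name)) continue; // a field the bank itself placed
    // An unknown field that asks for card or PIN data is the high-confidence case.
    const severity = SENSITIVE_PATTERN.test(`${name} ${label}`) ? "high" : "medium";
    findings.push({ name, label, severity, reason: "field not in expected login form" });
  }
  // A rewritten form may also drop genuine fields; report those too.
  for (const want of expected) {
    if (!observedFields.some((f) => (f.name || "").trim() === want)) {
      findings.push({ name: want, label: "", severity: "medium", reason: "expected field missing" });
    }
  }
  return findings;
}

// Constructed sample: the genuine form, then the same form with injected prompts.
const GENUINE_FORM = [
  { name: "username", label: "User ID" },
  { name: "password", label: "Password" },
  { name: "csrf_token", label: "" },
];
const INJECTED_FORM = GENUINE_FORM.concat([
  { name: "debit_card", label: "Debit card number" },
  { name: "atm_pin", label: "PIN" },
  { name: "exp", label: "Expiration date" },
]);

module.exports = { auditLoginForm, fieldDescriptor, GENUINE_FORM, INJECTED_FORM };
```

Because the malware sits inside the browser, it can tamper with this script as well, so findings should be reported to the bank for server-side correlation with session and transaction data rather than relied on to block locally.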

Experts expect more attacks

Klein says that SpyEye and similar “man-in-the-browser” agents (Trojan-style malware that sits inside the victim’s browser) are becoming a more serious threat.

“We see them improving their configurations and platforms and see them going after targets they have not targeted before, both financial and non-financial,” Klein says.

New financial targets include higher-yield accounts instead of just the smaller banks that had been less protected and easier to attack. New non-financial targets include businesses such as payroll processors, Klein says.

The immediate victim in such attacks is the consumer or a corporate user who accesses a bank account. But, in many cases, the bank reimburses victims for any losses incurred, provided they have shown an effort to protect their accounts’ privacy.

“At the end of the day, the losses are eaten by the banks,” Klein says.

SpyEye’s new plan of attack presents an even greater challenge for businesses like network security solutions firm Damballa, which has been tracking SpyEye for years.

Sean Bodmer, senior threat intelligence analyst for Damballa, says that Damballa Labs is currently tracking 17 SpyEye botnets, all run by different criminal groups. A botnet is a network of infected computers controlled by a criminal, often used to infect still more machines. Each botnet, according to Bodmer, ranges in size from 15,000 victims up to 274,000 victims across the globe.

The SpyEye Botkit was one of the Top 10 crimeware kits used throughout 2011, and its criminal use continues in 2012, Bodmer says. Hackers can now buy a base kit for the current SpyEye version for $2,000 and a fully loaded package for up to $10,000.

SpyEye has similarities to the better-known Zeus malware platform. Rob Rachwald, director of security strategy for data security firm Imperva, says his company is seeing increased movement into the mobile phone market for both SpyEye and Zeus.

“Now there’s something called Zitmo (Zeus in the mobile) and Spitmo (SpyEye in the mobile),” Rachwald says. “So, in other words, they’re developing mobile versions for Android, for example. The question is how big will those footprints grow?”

How can consumers protect themselves?
There is no foolproof way to avoid a SpyEye attack. In fact, even anti-virus software can only block one-third or fewer of the viruses out there, because viruses morph so quickly, Rachwald says.

But there are a few precautions consumers can take.

First, be skeptical about what questions you are being asked, even if you are sure you are on a secure banking site. If you get suspicious, call the bank to make sure the questions you are being asked are legitimate.

“If consumers want to bank online and be very, very sure of their security, simply buy a cheap new laptop that you only use for online banking,” Rachwald says. “Use your regular other computer for general web surfing.”

Short of that, make sure you have updated your computer’s anti-virus protection and have installed the latest version of your browser.

“Although almost any anti-virus engine can be circumvented by an armored version of SpyEye, it is always wise to keep your (anti-virus protections) up to date,” Bodmer says.

He also recommends backing up any system. That way, in the event of an infection, you can revert to a recent, clean image of your system.