Banking malware monitors victims by hijacking webcams and microphones, researchers say

The SpyEye variant secretly films and records what victims say and do when they are being defrauded

A new variant of SpyEye malware allows cybercriminals to monitor potential bank fraud victims by hijacking their webcams and microphones, according to security researchers from antivirus vendor Kaspersky Lab.

SpyEye is a computer Trojan horse that specifically targets online banking users. Like its older cousin, Zeus, SpyEye is no longer being developed by its original author, but is still widely used by cybercriminals in their operations.

SpyEye's plug-in-based architecture allows third-party malware developers to extend its original functionality, Kaspersky Lab malware researcher Dmitry Tarakanov said in a blog post on Monday. This is exactly what happened with the new webcam and microphone spying feature, which is implemented as a SpyEye plug-in called flashcamcontrol.dll, Tarakanov said.

As suggested by the DLL's name, the malware accesses these two computer peripherals by leveraging Flash Player, which has webcam and microphone control functionality built in.

Under normal circumstances, users get prompted to manually allow websites to control their computers' webcam and microphone via Flash. However, the SpyEye plug-in silently whitelists a list of online banking websites by directly modifying Flash Player configuration files.

At first, the Kaspersky Lab researchers thought that this might be part of a scheme to bypass facial recognition systems used by some banks for secure authentication. However, after contacting the targeted organizations, they learned that none of them had any webcam-reliant features on their websites.

The Kaspersky researchers later found out, by analyzing a different SpyEye component, that the malware injects the webcam and microphone hijacking Flash content into the targeted online banking websites locally, when these sites are opened in a browser on the infected computers.

This is done by using an on-the-fly Web page manipulation technique that most banking malware, including SpyEye, also uses for displaying rogue messages and hiding legitimate content inside the browser.

Some banks require customers to confirm transactions initiated from their online accounts by typing secret codes sent to their mobile phones or generated by portable hardware tokens. Cybercriminals need these codes to steal money, so they commonly use social engineering to trick victims into exposing them.

In other cases, the banks will actually call their customers in order to authorize transactions over the phone and this is when having webcam and microphone spying abilities can be very useful to attackers. Such was the case with an Ecuadorian bank whose customers were targeted in the past by a different piece of malware that had this functionality, Tarakanov said.

During conversations with the bank's phone operators, customers can disclose very sensitive information about themselves and their accounts, for the purpose of verifying their identity. This information can include their mother's maiden name, their date of birth, their credit card and Social Security numbers, as well as their telephone personal identification number (TPIN), which is used for phone banking operations.

"Using a microphone, the intruder can listen in, and later the criminal can call the bank himself, masquerading as a client whose code he has eavesdropped," Tarakanov said. "With this code it becomes possible to update the phone and login details, taking full control of the victim's account."

On the other hand, by hijacking webcams, cybercriminals can monitor how victims react when they read the socially-engineered messages displayed by the malware on online banking websites.

Cybercriminals are never 100 percent sure about how effective their social engineering tricks will turn out to be, Tarakanov said via email. It is important for them to understand where and why their attacks fail, so they can tweak them for better results, he said.

It's also possible that some of the targeted users will follow best practices and call their banks to verify the authenticity of any suspicious-looking messages they encounter during online banking sessions.

When they do this, they probably need to authenticate over the phone -- a process which, as noted previously, exposes sensitive information that can be captured through the microphone.

This particular attack shows how cybercriminals are not only harvesting people's money, but also their emotions, Tarakanov said in the blog post.

In order to protect themselves from such attacks, users could cover up their webcams when they're not using them, but that's not as easy to do with microphones, Tarakanov said via email.

Both webcams and microphones can be disabled from the operating system, either manually or with the help of specialized software, but that would hardly be convenient, especially for people who regularly use these peripherals.

It's much easier to prevent the infection in the first place by following basic security best practices like keeping all computer software up to date, running an up-to-date antivirus program, scrutinizing links before clicking on them and avoiding installing programs from suspicious sources, Tarakanov said.
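A defender-side audit for the silent whitelisting described above, as an added example that is not code from Kaspersky Lab or the original article: because none of the targeted banks used webcam features, any stored per-site Flash Player setting for a banking host is worth reviewing. The `#<host>/settings.sol` folder layout, the function names and every host name below are assumptions made for illustration; the settings directory is passed in by the caller.

```python
import os
import tempfile
from datetime import datetime, timezone

def per_site_entries(sys_root):
    """Yield (host, settings_path) for each per-site settings file under sys_root."""
    if not os.path.isdir(sys_root):
        return
    for name in sorted(os.listdir(sys_root)):
        path = os.path.join(sys_root, name, "settings.sol")
        # Assumed layout: "#<host>/settings.sol" holds that site's stored choices.
        if name.startswith("#") and os.path.isfile(path):
            yield name[1:].lower(), path

def matches(host, domain):
    """True for the domain itself or a subdomain, not for look-alike suffixes."""
    return host == domain or host.endswith("." + domain)

def audit(sys_root, bank_domains, approved_hosts=()):
    """Report per-site entries for watched banking domains the user never approved."""
    findings = []
    for host, path in per_site_entries(sys_root):
        if host in approved_hosts:
            continue
        if any(matches(host, d.lower()) for d in bank_domains):
            mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
            findings.append({"host": host, "path": path,
                             "modified_utc": mtime.isoformat(timespec="seconds")})
    return findings

def build_demo_tree():
    """Constructed sample tree; every host name here is made up."""
    root = tempfile.mkdtemp(prefix="flash_sys_demo_")
    for host in ("www.bank.example", "video.example", "notbank.example"):
        os.makedirs(os.path.join(root, "#" + host))
        with open(os.path.join(root, "#" + host, "settings.sol"), "wb") as fh:
            fh.write(b"constructed placeholder")
    open(os.path.join(root, "settings.sol"), "wb").close()  # global file, not per-site
    return root

if __name__ == "__main__":
    for finding in audit(build_demo_tree(), ["bank.example"]):
        print(finding)
```

The modification time in each finding helps place the change on an incident timeline next to other infection indicators.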

Lucian Constantin

IDG News Service