SpyEye steals banking codes by sending them to wrong phone

Circumvents mobile SMS security procedures

Researchers from browser security vendor Trusteer have identified a new variant of the SpyEye financial Trojan that tricks online banking users into changing the phone numbers associated with their accounts.

"The Trusteer research team recently uncovered a stealth new attack carried out by the SpyEye Trojan that circumvents mobile SMS (short message service) security measures implemented by many banks," said Amit Klein, Trusteer's chief technology officer, in a blog post.

"This attack, when successful, enables the thieves to make transactions on the user's account and confirm the transactions without the user's knowledge," he warned.

In a recent report, Trusteer named SpyEye and ZeuS as the most serious threats faced by financial institutions and their customers. These banking Trojans are capable of executing what are known as man-in-the-browser attacks by injecting rogue code into websites displayed on the computers they infect.

This allows them, for example, to modify forms on online banking websites by adding fields to capture sensitive data or to hide the real account balance after an unauthorized transaction was performed so the account owner doesn't notice.

Fortunately, for the last couple of years more and more banks have wised up to such techniques and countered them by introducing additional security checks. One of them requires account holders to confirm that they initiated a transaction by inputting a one-time-use code sent to their mobile phone via SMS.

These restrictions forced banking Trojan creators to come up with methods of obtaining mobile transaction authorization numbers (mTANs) and changing the phone number on record is one of them.

Once a user logs into their online banking account from a computer infected with the new SpyEye variant, they receive an alert which appears to come from the bank and informs them of a new security requirement.

The fake message claims that a unique telephone number will be assigned to the customer for fraud reduction purposes and asks them to confirm the procedure by inputting the code sent to their current phone.

In the background the Trojan actually initiates a phone number change request, the SMS code received by the victim being the key to complete the process. Following a successful attack, the fraudsters gain the ability to transfer funds out of the account at will.

"This latest SpyEye configuration demonstrates that out-of-band authentication (OOBA) systems, including SMS-based solutions, are not fool-proof," Trusteer's Amit Klein warned.

"Using a combination of MITB (man in the browser injection) technology and social engineering, fraudsters are not only able to bypass OOBA but also buy themselves more time since the transactions have been verified and fly under the radar of fraud detection systems," he added.

This is not the only method used by ZeuS and SpyEye gangs to steal mTANs, however. Another technique is to trick victims into installing a spyware application on their phones by passing it off as a component required by the bank. This is called a man-in-the-mobile (MitMo) attack.

Users should check the authenticity of all announcements received through online banking systems by calling the corresponding financial institution over the phone, especially if those messages ask them to perform certain actions.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags fraudinternetmobile securityfinancetelecommunicationscamsspywareindustry verticalsInternet-based applications and servicesAccess control and authenticationExploits / vulnerabilitiesTrusteerDesktop security

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?