Zeus/SpyEye Automatic Transfer Module Masks Online Banking Theft

Published: 22/11/2024   Category: security



Automated attack bypasses two-factor authentication



A newly discovered online banking fraud tool defeats two-factor authentication, automates the attack, and hides its tracks so that victims can't see losses or traces of the theft until long after the money is gone.
Security researchers at Trend Micro have spent the past few months studying a dangerous new module for Zeus and SpyEye that automatically withdraws funds from a victim's account without the attacker having to monitor the process, even where the bank uses strong authentication. So far, the so-called automatic transfer system (ATS) attacks are targeting banking customers in Europe, namely in Germany, England, and Italy, where two-factor authentication is common, via SMS for example.
"What we've seen in the last three months is significantly more advanced and the automation of bypassing two-factor authentication and perpetuating a man-in-the-browser attack," says Tom Kellermann, vice president of cybersecurity for Trend Micro. "It also has the capacity to move funds out of the [victim's] account so that the criminal doesn't have to sit there and wait or wait for communication from his bot. It's totally automated."
Kellermann says the fact that the bad guys have written such advanced tools to target the harder-to-crack European banking systems isn't good tidings for the U.S. "This could easily work on American [online banking systems], which are not as stringent as European ones," he notes.
And with the ability to withdraw funds automatically, the attackers don't even need to use a money mule to transfer the funds unless they want to, he says. The malware targets Windows machines.
These types of attacks, however, are not new, says Amit Klein, CTO at Trusteer. "The concept is not new," he says. "We have seen this before, but not necessarily the framework that Trend Micro has studied here."
In one SpyEye attack Trusteer witnessed last fall against a Spanish bank, attackers waged a man-in-the-browser attack and put up a phony login page to bypass dual-factor authentication. Once the bank customer logged into his bank's website, the attacker pushed him a message about an upgraded security system.
"The customer is invited to go through a training process that intends to help him/her deal with the bank's upgraded security system. As part of the training they're asked to make a transfer, to a fictitious bank account, and confirm the transaction using the confirmation code that is sent by the bank to the registered mobile phone. Fraudsters claim that the user's account will not be debited and the recipient's account is fabricated. Of course, the transaction then happens, the money is transferred, and the criminal disappears off into the sunset," Klein described in a blog post last fall.
Klein says the trouble with these types of attacks is that once the user's machine is infected, it's game over. "There are a lot of inherent assumptions in online banking. You assume that you can trust the browser and the user's machine to carry out the user's online activities," he says. But all of that goes out the window when man-in-the-browser malware gets injected into the picture, typically unbeknown to the victim, he says.
[ The prolific Zeus Trojan has a new role: as a tool for breaking into online corporate payroll systems. See "Zeus Trojan Targets Online Payroll Services Providers." ]
Trend Micro researchers found that while traditional man-in-the-browser attacks for online banking fraud use WebInject files to push pop-ups to victims that then steal their online credentials, the new ATS module for Zeus and SpyEye operates in the background and isn't visible to the victim. It wires the victim's funds out of the account without alerting the victim at all.
It hides out and doesn't leave any trace that the malware or attacker was there in the account: as long as the user's machine is infected with the module, the user won't see any of the fraudulent transactions in the account, because the malware rewrites the balance and transaction history the browser displays.
"We're going to see a huge spike in this commoditized attack code for man-in-the-browser because ... it does everything for [the attacker]," Kellermann says. "You [the victim] don't see anything: When money is moved out of your account, you don't see it. You only see your transactions ... It's elegant."
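The two mechanisms the article describes, a man-in-the-browser rewrite that hides a fraudulent transfer from the page the victim sees, and the out-of-band reconciliation that is the only way to catch it from the customer's side, as an added illustration. This is constructed example code, not Zeus/SpyEye or Trend Micro code; the statement HTML layout, the account numbers, the amounts and the function names are all made up for the demonstration.

```javascript
// Constructed illustration of the ATS behaviour described above (not malware code):
// an injected script removes rows for a fraudulent transfer from the rendered
// statement and lets the displayed balance drop the hidden amount, so the victim
// sees an untouched account. Only a channel the infected browser does not control
// (paper statement, a second device, SMS balance alert) exposes the discrepancy.

// The bank's real, server-side ledger (constructed sample; IBAN is fictitious).
const MULE_IBAN = 'DE99 0000 1234 5678 90';
const LEDGER = [
  { date: '2012-06-01', desc: 'Salary ACME GmbH', amount: 2500.00 },
  { date: '2012-06-03', desc: 'Rent', amount: -900.00 },
  { date: '2012-06-05', desc: `Transfer to ${MULE_IBAN}`, amount: -1850.00 }, // the ATS transfer
];

// Render a statement the way a (simplified, made-up) banking site might.
function renderStatement(rows) {
  const balance = rows.reduce((sum, r) => sum + r.amount, 0);
  const body = rows
    .map(r => `<tr><td>${r.date}</td><td>${r.desc}</td><td>${r.amount.toFixed(2)}</td></tr>`)
    .join('\n');
  return `<table id="txns">\n${body}\n</table>\n<span id="balance">${balance.toFixed(2)}</span>`;
}

// Parse the rendered statement back into rows plus the displayed balance.
function parseStatement(html) {
  const rows = [];
  const rowRe = /<tr><td>(.*?)<\/td><td>(.*?)<\/td><td>(-?[\d.]+)<\/td><\/tr>/g;
  let m;
  while ((m = rowRe.exec(html)) !== null) {
    rows.push({ date: m[1], desc: m[2], amount: parseFloat(m[3]) });
  }
  const bal = /<span id="balance">(-?[\d.]+)<\/span>/.exec(html);
  return { rows, balance: bal ? parseFloat(bal[1]) : NaN };
}

// What the man-in-the-browser rewrite does to the page before the victim sees it:
// every row that points at the mule account is dropped, and the balance is
// re-rendered from the remaining rows, so it silently excludes the stolen amount.
function hideTransfers(html, muleIban) {
  const { rows } = parseStatement(html);
  const visible = rows.filter(r => !r.desc.includes(muleIban));
  return renderStatement(visible);
}

// Out-of-band reconciliation: compare what the browser shows against the ledger
// obtained through an independent channel. Ledger rows absent from the page and
// any balance difference are evidence the page was tampered with.
function reconcile(ledger, displayedHtml) {
  const shown = parseStatement(displayedHtml);
  const key = r => `${r.date}|${r.desc}|${r.amount.toFixed(2)}`;
  const shownKeys = new Set(shown.rows.map(key));
  const missing = ledger.filter(r => !shownKeys.has(key(r)));
  const trueBalance = ledger.reduce((sum, r) => sum + r.amount, 0);
  return { missing, balanceDelta: +(shown.balance - trueBalance).toFixed(2) };
}

// Demo run: honest page reconciles cleanly; tampered page does not.
const honestPage = renderStatement(LEDGER);
const tamperedPage = hideTransfers(honestPage, MULE_IBAN);
console.log('honest:  ', reconcile(LEDGER, honestPage));
console.log('tampered:', reconcile(LEDGER, tamperedPage));
```

The point of `reconcile` is that it can only be meaningful when the ledger it compares against did not pass through the infected browser; a check performed inside the same page the malware rewrites would see the same doctored rows.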





