ARN

SpyEye steals banking codes by sending them to wrong phone

Circumvents mobile SMS security procedures

Researchers from browser security vendor Trusteer have identified a new variant of the SpyEye financial Trojan that tricks online banking users into changing the phone numbers associated with their accounts.

"The Trusteer research team recently uncovered a stealth new attack carried out by the SpyEye Trojan that circumvents mobile SMS (short message service) security measures implemented by many banks," said Amit Klein, Trusteer's chief technology officer, in a blog post.

"This attack, when successful, enables the thieves to make transactions on the user's account and confirm the transactions without the user's knowledge," he warned.

In a recent report, Trusteer named SpyEye and ZeuS as the most serious threats faced by financial institutions and their customers. These banking Trojans are capable of executing what are known as man-in-the-browser attacks by injecting rogue code into websites displayed on the computers they infect.

This allows them, for example, to modify forms on online banking websites by adding fields to capture sensitive data or to hide the real account balance after an unauthorized transaction was performed so the account owner doesn't notice.

Fortunately, for the last couple of years more and more banks have wised up to such techniques and countered them by introducing additional security checks. One of them requires account holders to confirm that they initiated a transaction by inputting a one-time-use code sent to their mobile phone via SMS.

These restrictions forced banking Trojan creators to come up with methods of obtaining mobile transaction authorization numbers (mTANs) and changing the phone number on record is one of them.

Once a user logs into their online banking account from a computer infected with the new SpyEye variant, they receive an alert which appears to come from the bank and informs them of a new security requirement.

The fake message claims that a unique telephone number will be assigned to the customer for fraud reduction purposes and asks them to confirm the procedure by inputting the code sent to their current phone.

In the background the Trojan actually initiates a phone number change request, the SMS code received by the victim being the key to complete the process. Following a successful attack, the fraudsters gain the ability to transfer funds out of the account at will.

"This latest SpyEye configuration demonstrates that out-of-band authentication (OOBA) systems, including SMS-based solutions, are not fool-proof," Trusteer's Amit Klein warned.

"Using a combination of MITB (man in the browser injection) technology and social engineering, fraudsters are not only able to bypass OOBA but also buy themselves more time since the transactions have been verified and fly under the radar of fraud detection systems," he added.

This is not the only method used by ZeuS and SpyEye gangs to steal mTANs, however. Another technique is to trick victims into installing a spyware application on their phones by passing it off as a component required by the bank. This is called a man-in-the-mobile (MitMo) attack.

Users should check the authenticity of all announcements received through online banking systems by calling the corresponding financial institution over the phone, especially if those messages ask them to perform certain actions.