<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Italian Honey Project &#187; SpyEye</title>
	<atom:link href="http://www.honeynet.it/tag/spyeye/feed" rel="self" type="application/rss+xml" />
	<link>http://www.honeynet.it</link>
	<description>The Italian chapter of the Honeynet Research Alliance</description>
	<lastBuildDate>Wed, 11 Jan 2012 11:44:56 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>SpyEye begins to use post transaction attack</title>
		<link>http://www.honeynet.it/malware/spyeye-begins-to-use-post-transaction-attack</link>
		<comments>http://www.honeynet.it/malware/spyeye-begins-to-use-post-transaction-attack#comments</comments>
		<pubDate>Wed, 11 Jan 2012 11:44:56 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Banking Trojan]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[Info Stealer]]></category>
		<category><![CDATA[SpyEye]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=448</guid>
		<description><![CDATA[
“Post transaction attacks, as the name implies, occur after the evil deed has already been done and the account holder has closed the online banking session. These are designed to conceal illegitimate activity for as long as possible to either allow money to transfer to its final destination – uninterrupted, or continue to control the [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>“Post transaction attacks, as the name implies, occur after the evil deed has already been done and the account holder has closed the online banking session. These are designed to conceal illegitimate activity for as long as possible to either allow money to transfer to its final destination – uninterrupted, or continue to control the account and perform further transactions.” said Amit Klein Trusteer’s CTO.</p></blockquote>
<blockquote><p><strong>Malware post-transaction attack in detail</strong></p>
<p>Step 1: Malware post-login attack &#8211; credentials stolen</p>
<p>a. Fraudsters infect the victim’s machine with Man in the Browser malware (any MitB malware, e.g. Zeus, SpyEye, Carberp), with a suitable configuration.</p>
<p>b. The malware is configured to ask the customer for debit card data during the login phase (HTML injection) – e.g. card number, CVV2, expiration month and year, etc.</p>
<p>Step 2: Fraudster commits fraudulent activity</p>
<p>c. With the customer’s debit card details, the cybercriminals then commit card-not-present transaction fraud by making a purchase or transferring money over the telephone or the internet.</p>
<p>d. The fraudsters immediately feed the fraudulent transaction details to the malware control panel.</p>
<p>Step 3: Malware post-transaction attack with fraud hidden from view</p>
<p>e. The next time the victim visits their online banking site, the malware hides (“replaces”) the fraudulent transactions in the “view transactions” page, as well as artificially changing the total fraudulent transaction amount to balance the totals. As a result, the deceived customer has no idea that their account has been ‘taken over’, nor that any fraudulent transactions have taken place.</p></blockquote>
<p>via <a href="http://www.net-security.org/malware_news.php?id=1951&amp;utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29&amp;utm_content=Google+Reader">SpyEye Trojan post transaction fraud schemes attack banks</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/malware/spyeye-begins-to-use-post-transaction-attack/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SpyEye goes beyond 2 factor auth</title>
		<link>http://www.honeynet.it/botnet/spyeye-goes-beyond-2-factor-auth</link>
		<comments>http://www.honeynet.it/botnet/spyeye-goes-beyond-2-factor-auth#comments</comments>
		<pubDate>Tue, 25 Oct 2011 09:46:20 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Banking Trojan]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[SpyEye]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=439</guid>
		<description><![CDATA[
This month, the criminals behind the reincarnation of Zeus, known as SpyEye, found another way to circumvent the security measures introduced by some online banks. Researchers at financial security firm Trusteer documented a variant of SpyEye that has the ability to infect a computer, steal the victim&#8217;s logon credentials, and change the phone number that [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>This month, the criminals behind the reincarnation of Zeus, known as SpyEye, found another way to circumvent the security measures introduced by some online banks. Researchers at financial security firm Trusteer documented a variant of SpyEye that has the ability to infect a computer, steal the victim&#8217;s logon credentials, and change the phone number that the bank uses to confirm transactions. It&#8217;s the latest update to an attack that, among other tactics, infected the mobile phone to which banks would send text messages to confirm transactions.</p>
<p>&#8220;This attack is much stronger than what we had seen before,&#8221; says Mickey Boodaei, CEO of Trusteer.</p></blockquote>
<p>via <a href="http://www.darkreading.com/advanced-threats/167901091/security/client-security/231901086/banking-trojans-adapting-to-cheat-out-of-band-security.html">Banking Trojans Adapting To Cheat Out-of-Band Security &#8211; Dark Reading</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/botnet/spyeye-goes-beyond-2-factor-auth/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are SpyEye and Zeus still married ?</title>
		<link>http://www.honeynet.it/botnet/are-spyeye-and-zeus-still-married</link>
		<comments>http://www.honeynet.it/botnet/are-spyeye-and-zeus-still-married#comments</comments>
		<pubDate>Tue, 18 Oct 2011 09:03:48 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Banking Trojan]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[SpyEye]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=431</guid>
		<description><![CDATA[
[..] Dmitry Tarakanov, a researcher at Kaspersky Lab who has studied the two families said that there was a code transfer from Zeus to SpyEye in the immediate aftermath of the source code being transferred to the SpyEye author. For example, the SpyEye author grabbed a Zeus feature that allowed the malware to force Web [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>[..] Dmitry Tarakanov, a researcher at Kaspersky Lab who has studied the two families said that there was a code transfer from Zeus to SpyEye in the immediate aftermath of the source code being transferred to the SpyEye author. For example, the SpyEye author grabbed a Zeus feature that allowed the malware to force Web browsers on infected systems to load malicious HTML served by the botnet, even in cases where the host had a recent version of the page in question (say, an electronic banking site) stored locally in its browser cache. &#8220;SpyEye could not intercept the cached html-code,&#8221; Tarakanov wrote in an e-mail. &#8220;So the author of Spyeye had seen that part of the code where Zeus replaces the cache as well and added that part of code into his own source code of SpyEye. [..] &#8220;</p></blockquote>
<p>via <a href="http://threatpost.com/en_us/blogs/spyeye-and-zeus-malware-married-or-living-separately-101411">SpyEye and Zeus Malware: Married Or Living Separately? | threatpost</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/botnet/are-spyeye-and-zeus-still-married/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SpyEye Trojan stole $3.2 million from US victims</title>
		<link>http://www.honeynet.it/botnet/spyeye-trojan-stole-3-2-million-from-us-victims</link>
		<comments>http://www.honeynet.it/botnet/spyeye-trojan-stole-3-2-million-from-us-victims#comments</comments>
		<pubDate>Fri, 23 Sep 2011 09:25:08 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Press]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[money loss]]></category>
		<category><![CDATA[SpyEye]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=424</guid>
		<description><![CDATA[
THN : The Hacker News. : A Russian cybergang headed by a mysterious ringleader called ‘Soldier’ were able to steal $3.2 million (£2 million) from US citizens earlier this year using the SpyEye-Zeus data-stealing Trojan, security company Trend Micro has reported and Trusteer reports that an Android variant of Spitmo (SpyEye for mobile) has been discovered. The [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p><a href="http://thehackernews.com/2011/09/spyeye-trojan-stole-32-million-from-us.html">THN : The Hacker News</a>. : A Russian cybergang headed by a mysterious ringleader called ‘Soldier’ were able to steal $3.2 million (£2 million) from US citizens earlier this year using the SpyEye-Zeus data-stealing Trojan, security company Trend Micro has reported and Trusteer reports that an Android variant of <strong>Spitmo</strong> (SpyEye for mobile) has been discovered. The methodology sounds familiar for those familiar with ZeuS Mitmo and SpyEye Spitmo: infected computers inject a message into targeted netbanks prompting their customers to install software on their phones. Once Spitmo is installed, the SpyEye attacker is able to monitor incoming SMS and to steal MTAN authentication messages.</p>
<p>&#8220;<em><span class="Apple-style-span" style="color: #990000;">His botnet was able to compromise approximately 25,394 systems between April 19, 2011 and June 29, 2011. And while nearly all of the victims were located in the US, there were a handful of victims spread across another 90 countries</span></em>,&#8221; it said in a blog post.</p>
<p>[…]</p>
</blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/botnet/spyeye-trojan-stole-3-2-million-from-us-victims/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The SpyEye Interface analysis</title>
		<link>http://www.honeynet.it/botnet/the-spyeye-interface-analysis</link>
		<comments>http://www.honeynet.it/botnet/the-spyeye-interface-analysis#comments</comments>
		<pubDate>Mon, 04 Oct 2010 10:51:46 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[SpyEye]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=364</guid>
		<description><![CDATA[
Some blogs, stories, and white papers that covered SpyEye have been released but none of them really talked about the interface and how criminals may be using it. The actual interface is broken down into two components. The first component is the front-end interface called “CN 1” or “Main Access Panel.” This interface is where [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>Some blogs, stories, and white papers that covered SpyEye have been released but none of them really talked about the interface and how criminals may be using it.</p>
<p>The actual interface is broken down into two components. The first component is the front-end interface called “CN 1” or “Main Access Panel.” This interface is where the bot master can interact with the bots. It shows statistics in relation to infected machines.</p>
<p>The second interface is more like the back end and is called “SYN 1” or “Formgrabber Access Panel.” This interface actually collects and logs data. Moreover, it also allows the bot master to make queries against the collected data and to view the stolen data through the interface. In this post, the first one in a two-post series, we will first look at CN 1 and how it may be used.</p>
<p>[..]</p></blockquote>
<p>via <a href="http://blog.trendmicro.com/the-spyeye-interface-part-1-cn-1/">The SpyEye Interface, Part 1: CN 1 | Malware Blog | Trend Micro</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/botnet/the-spyeye-interface-analysis/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SpyEye: the billinghammer feature</title>
		<link>http://www.honeynet.it/botnet/spyeye-the-billinghammer-feature</link>
		<comments>http://www.honeynet.it/botnet/spyeye-the-billinghammer-feature#comments</comments>
		<pubDate>Mon, 20 Sep 2010 08:12:25 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[SpyEye]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=352</guid>
		<description><![CDATA[
Basically, the scam works like this: The botmaster acquires some freeware utility or legitimate program, renames it, claims it as his own and places it up for sale at one of several pre-selected software sales and distribution platforms, including ClickBank, FastSpring, eSellerate, SetSystems, or Shareit. The botmaster then logs in to his SpyEye control panel [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>Basically, the scam works like this: The botmaster acquires some freeware utility or legitimate program, renames it, claims it as his own and places it up for sale at one of several pre-selected software sales and distribution platforms, including ClickBank, FastSpring, eSellerate, SetSystems, or Shareit. The botmaster then logs in to his SpyEye control panel picture above, feeds it a list of credit card numbers and corresponding cardholder data, after which SpyEye opens an Internet Explorer Window and — at user-defined intervals — starts auto-filling the proper fields at the botmaster’s online store and making purchases.</p></blockquote>
<p>via <a href="http://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29">SpyEye Botnet’s Bogus Billing Feature — Krebs on Security</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/botnet/spyeye-the-billinghammer-feature/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>One Server, three Botnets (2 SpyEye, 1 URLZone)</title>
		<link>http://www.honeynet.it/botnet/one-server-three-botnets-2-spyeye-1-urlzone</link>
		<comments>http://www.honeynet.it/botnet/one-server-three-botnets-2-spyeye-1-urlzone#comments</comments>
		<pubDate>Thu, 16 Sep 2010 14:52:05 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[SpyEye]]></category>
		<category><![CDATA[URLZone]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=350</guid>
		<description><![CDATA[
During a recent investigation into a server hosting SpyEye, we noticed that there were several open directories that led to other control panels. SpyEye was also the same malware family that recently targeted Polish users. One of the control panels is for URLZone/Bebloh. The other control panel, on the other hand, did not have any [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>During a recent investigation into a server hosting SpyEye, we noticed that there were several open directories that led to other control panels. SpyEye was also the same malware family that recently targeted Polish users. One of the control panels is for URLZone/Bebloh. The other control panel, on the other hand, did not have any name or version so we named it after the server, “Spencerlor.” The investigation led to the discovery of what seems to be three botnets running on one server, which appears to be operated by at least two remote users, as the logs revealed.</p>
<p>[..]</p>
<p><strong>These screenshots clearly show the constant improvements that bot control panels undergo. As shown here, cybercriminals are finding newer means to automate money transfer.</strong></p></blockquote>
<p>via <a href="http://blog.trendmicro.com/one-server-multiple-botnets/">One Server, Multiple Botnets | Malware Blog | Trend Micro</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/botnet/one-server-three-botnets-2-spyeye-1-urlzone/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Spyeye C&amp;C Server Targets Polish Users uncovered by Trend Micro</title>
		<link>http://www.honeynet.it/uncategorized/new-spyeye-cc-server-targets-polish-users-uncovered-by-trend-micro</link>
		<comments>http://www.honeynet.it/uncategorized/new-spyeye-cc-server-targets-polish-users-uncovered-by-trend-micro#comments</comments>
		<pubDate>Thu, 09 Sep 2010 09:18:59 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[SpyEye]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=341</guid>
		<description><![CDATA[
We were able to further investigate a command-and-control C&#38;C server of a SpyEye botnet, most of whose zombies were located in Poland. This is somewhat unusual, as bot herders prefer to target Western countries like the United States, the United Kingdom, Germany, Italy, Spain, and France. via Uncovered Spyeye C&#38;C Server Targets Polish Users &#124; [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>We were able to further investigate a command-and-control C&amp;C server of a SpyEye botnet, most of whose zombies were located in Poland. This is somewhat unusual, as bot herders prefer to target Western countries like the United States, the United Kingdom, Germany, Italy, Spain, and France.</p></blockquote>
<p>via <a href="http://blog.trendmicro.com/uncovered-spyeye-cc-server-targets-polish-users/">Uncovered Spyeye C&amp;C Server Targets Polish Users | Malware Blog | Trend Micro</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/uncategorized/new-spyeye-cc-server-targets-polish-users-uncovered-by-trend-micro/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SpyEye’s &#8220;Kill Zeus&#8221; feature doesn&#8217;t work well..</title>
		<link>http://www.honeynet.it/botnet/spyeye%e2%80%99s-kill-zeus-feature-doesnt-work-well</link>
		<comments>http://www.honeynet.it/botnet/spyeye%e2%80%99s-kill-zeus-feature-doesnt-work-well#comments</comments>
		<pubDate>Tue, 27 Apr 2010 08:09:41 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Intelligence]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[SpyEye]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=242</guid>
		<description><![CDATA[
Our analysis has shown that the kill Zeus feature seems to work on a limited number of Zeus samples. In March 2010, Symantec alone counted 9,779 new unique samples of what we call Trojan.Zbot. We estimate that only a small percentage of these samples can be successfully removed by SpyEye’s Kill Zeus feature. via Symantec [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>Our analysis has shown that the kill Zeus feature seems to work on a limited number of Zeus samples. In March 2010, Symantec alone counted 9,779 new unique samples of what we call Trojan.Zbot. We estimate that only a small percentage of these samples can be successfully removed by SpyEye’s Kill Zeus feature.</p></blockquote>
<p>via <a href="http://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite">Symantec Connect</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/botnet/spyeye%e2%80%99s-kill-zeus-feature-doesnt-work-well/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SpyEye vs. ZeuS Rivalry</title>
		<link>http://www.honeynet.it/botnet/spyeye-vs-zeus-rivalry</link>
		<comments>http://www.honeynet.it/botnet/spyeye-vs-zeus-rivalry#comments</comments>
		<pubDate>Wed, 07 Apr 2010 08:02:25 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Intelligence]]></category>
		<category><![CDATA[SpyEye]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=223</guid>
		<description><![CDATA[
SecureWorks has noted that the latest versions of Zeus include anti-piracy technology that uses a hardware-based licensing system that can only be run on one computer. “Once you run it, you get a code from the specific computer, and then the author gives you a key just for that computer,” SecureWorks wrote. “This is the [...]
]]></description>
			<content:encoded><![CDATA[<p>SecureWorks has noted that the latest versions of Zeus include anti-piracy technology that uses a hardware-based licensing system that can only be run on one computer. “Once you run it, you get a code from the specific computer, and then the author gives you a key just for that computer,” SecureWorks wrote. “This is the first time we have seen this level of control for malware.”</p>
<p>Not to be outdone, the SpyEye author now claims his malware builder also includes a hardware lock, using VMProtect, a Russian commercial software protection package.</p>
<p>via <a href="http://www.krebsonsecurity.com/2010/04/spyeye-vs-zeus-rivalry/">SpyEye vs. ZeuS Rivalry — Krebs on Security</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/botnet/spyeye-vs-zeus-rivalry/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

