Zeus/SpyEye 'Automatic Transfer' Module Masks Online Banking Theft
Automated attack bypasses two-factor authentication
A newly discovered online banking fraud tool cheats two-factor authentication, automates the attack, and hides out so that victims can't see losses or traces of the theft until long after the money is gone.
Security researchers at Trend Micro during the past few months have studied a dangerous new module for Zeus and SpyEye that automatically withdraws funds from a victim's account without the attacker having to monitor the process, even if it includes strong authentication. So far, the so-called automatic transfer systems (ATS) attacks are targeting banking customers in Europe, namely in Germany, England, and Italy, where two-factor authentication is used via SMS, for example.
More Security Insights
White PapersMore >>
"What we've seen in the last three months is significantly more advanced and the automation of bypassing two-factor authentication and perpetuating a man-in-the-browser attack," says Tom Kellermann, vice president of cybersecurity for Trend Micro. "It also has the capacity to move funds out of the [victim's] account so that the criminal doesn't have to sit there and wait or wait for communication from his bot. It's totally automated."
Kellermann says the fact that the bad guys have written such advanced tools to target the harder-to-crack European banking isn't "good tidings" for the U.S. "This could easily work on American [online banking systems]," which are not as stringent as European ones, he notes.
And with the ability to withdraw funds automatically, the attackers don't even need to use a money mule to transfer the funds unless they want to, he says. The malware targets Windows machines.
These types of attacks, however, are not new, says Amit Klein, CTO at Trusteer. "The concept is not new," he says. "We have seen this before, but not necessarily the framework" that Trend Micro has studied here, he says.
In one SpyEye attack Trusteer witnessed last fall against a Spanish bank, attackers waged a man-in-the-browser attack and put up a phony login page to bypass dual-factor authentication. Once the bank customer logged into his bank's website, the attacker pushed him a message about an "upgraded security system."
"The customer is invited to go through a training process that intends to help him/her deal with the bank's upgraded security system. As part of the training they’re asked to make a transfer, to a fictitious bank account, and confirm the transaction using the confirmation code that is sent by the bank to the registered mobile phone. Fraudsters claim that the user's account will not be debited and the recipient's account is fabricated. Of course, the transaction then happens, the money is transferred, and the criminal disappears off into the sunset," Klein described in a blog post last fall.
Klein says the trouble with these types of attacks is that once the user's machine is infected, it's game over. "There are a lot of inherent assumptions in online banking. You assume that you can trust the browser and the user's machine to carry out the user's online activities," he says. But all of that goes out the window when man-in-the-browser malware gets injected into the picture, and typically unbeknown to the victim, he says.
[ The prolific Zeus Trojan has a new role: as a tool for breaking into online corporate payroll systems. See Zeus Trojan Targets Online Payroll Services Providers. ]
Trend Micro researchers found that while traditional man-in-the-browser attacks for online banking fraud use WebInject files to push pop-ups to victims that then steal their online credentials, the new ATS module for Zeus and SpyEye operates in the background and isn't visible. It conducts a wire transfer of the victim's stolen funds without alerting the victim at all.
It hides out and doesn't leave any trace that the malware or attacker was there in the account; as long as the user's machine is infected with the module, he won't see any of the fraudulent transactions in his account.
"We're going to see a huge spike in this commoditized attack code for man-in-the browser because ... it does everything for [the attacker]," Kellermann says. "You [the victim] don't see anything: When money is moved out of your account, you don't see it. You only see your transactions ... It's elegant."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.