SpyEye Archives - Gregory D. Evans | Worlds No. 1 Security Consultant

Posts Tagged ‘SpyEye’

Banking malware SpyEye steals info by hijacking webcams and mics

SpyEye is a computer Trojan horse that specifically targets online banking users. Like its older cousin, Zeus, SpyEye is no longer being developed by its original author, but is still widely used by cybercriminals in their operations, according to Kaspersky Lab.

View full post on National Cyber Security

AhnLab Warns of Rising SpyEye Malicious Code Threat in US

AhnLab, Inc. (www.ahnlab.com), a leading provider of integrated security solutions, today announced that its research has identified that a significant majority of the domains and hosts for the SpyEye banking Trojan are in the US. The malicious code has gained attention of late for the threat it poses to online banking user information.

According to SpyEye-related host data extracted by the AhnLab Packet Center, 48% of all SpyEye domains were found to be located in the US, followed by Russia at 7% and Ukraine at 6%. The AhnLab Packet Center is the company’s malicious packet analysis system, which assesses suspicious packet data, including traffic from SpyEye command-and-control (C&C) servers. The findings indicate that the main targets of SpyEye are in the US, and that North American financial institutions and users should remain especially vigilant.

Since its toolkit first became public in 2010, the SpyEye Trojan has produced many variants. According to analysis by the AhnLab Packet Center, the “10310” variant was identified as the most distributed version at 34.5%. The “10299” and “10290” variants followed at 14.7% and 14.6%, respectively. Additional variants are expected in the future.

SpyEye and ZeuS are notorious banking Trojans that have helped thieves steal more than $100 million around the world. Without an end-user PC solution, banks face great difficulty protecting individual customers from the sophisticated threats posed by these malicious codes. AOS ensures comprehensive transaction security with its Anti-keylogger, Firewall and Anti-virus/spyware agents for individual user PCs, as well as Secure Browser, which creates an independent online space for safe communication. With AOS’ unique approach to transaction security, banks are able to deliver complete peace of mind to their online customers.

The four components of the AhnLab Online Security (AOS) solution, designed to protect the entire transaction process, are:

AOS Secure Browser: Provides a dedicated security browser that creates an independent and protected environment for online transactions. It secures user banking data against Man-In-The-Browser (MITB) attacks such as SpyEye and ZeuS, memory hacking, webpage alteration, HTML injection, cross-site scripting (XSS), browser helper object (BHO) hacking, screen capturing, debugging, and reverse engineering.

AOS Anti-keylogger: Delivers the protection needed to keep account information safe and prevent theft of personal banking data during input via a keyboard.

AOS Firewall: Protects the user by detecting and blocking unauthorized intrusions and hacking attempts and preventing the leakage of personal information.

AOS Anti-virus/spyware: Secures online transactions against the latest malicious codes with AhnLab’s cloud-based security technology known as ASD (AhnLab Smart Defense).

Several of the world’s most famous banks, including Citibank Korea, Banamex, Banco Santander and Cornerstone Community Bank, have selected AhnLab Online Security to keep their online banking environment safe from sophisticated security threats. For more information about AhnLab’s AOS solution, please visit: http://aos.ahnlab.com

[Appendix]

* Established in 2010, AhnLab Packet Center is AhnLab’s automated packet data analysis system. With more than 25 million malicious packet files, APC predicts threats at the network level through analysis of the connections among the given data. During the early stages of a nationwide DDoS attack that hit Korea on 4 March 2011, the AhnLab Packet Center successfully minimized damage by tracing the distribution points of malicious codes through reverse engineering.

About AhnLab, Inc.

Headquartered in South Korea, AhnLab Inc. (KRX:053800) develops industry-leading security solutions and provides professional services that are designed to secure and protect critical business and personal information. As a leading innovator in the information security arena since 1988, AhnLab’s cutting-edge products and services have been fulfilling the stringent security requirements of both enterprises and individual users. AhnLab’s products and services include anti-virus solutions, network, mobile and online game security, security management and consulting services. Today, AhnLab boasts a network of sales and research operations in more than 20 countries worldwide.

Article source: http://news.yahoo.com/ahnlab-warns-rising-spyeye-malicious-code-threat-us-120000766.html

View full post on National Cyber Security » Spyware/ Cyber Snooping

SpyEye banking malware learns to cover its tracks

Takeaway: SpyEye banking malware has added a new feature to its arsenal that takes advantage of “paperless” statements by hiding the fact that your bank account has been compromised.

The infamous SpyEye banking Trojan has a new trick up its sleeve: a feature that keeps fraud victims in the dark as it drains their banking accounts. According to PCWorld, by using a technique called HTML injection, banking customers are tricked into divulging account information. Once SpyEye accesses the account, it can now hide fraudulent transfers of money by displaying an inaccurate bank balance. In a blog post, security firm Trusteer explains:

… the malware hides (“replaces”) the fraudulent transactions in the “view transactions” page, as well as artificially changing the total fraudulent transaction amount to balance the totals. As a result, the deceived customer has no idea that their account has been ‘taken over’, nor that any fraudulent transactions have taken place.

Security News Daily notes that so far the Trojan is targeting victims in the United States and the UK. Of course, paper statements would reveal the thievery, but the push by many banks to go paperless could mean the crime would go undetected for months. Sophos’ Naked Security blog offers two simple, but often overlooked, tips to protect against the new and improved SpyEye:

  1. Keep browsers and antivirus software up to date.
  2. Make sure your browser’s anti-phishing feature is turned on.

Article source: http://www.techrepublic.com/blog/security/spyeye-banking-malware-learns-to-cover-its-tracks/7227

View full post on National Cyber Security » Virus/Malware/Worms

SpyEye bank Trojan picks up new fraud hiding tricks

A powerful bank fraud software program, SpyEye, has been seen with a feature designed to keep victims in the dark long after fraud has taken place, according to security vendor Trusteer.

SpyEye is notable for its ability to inject new fields into a web page, a technique called HTML injection, which can ask banking customers for sensitive information they normally would not be asked. The requested data can include logins and passwords or a debit card number. It can also use HTML injection to hide fraudulent transfers of money out of an account by displaying an inaccurate bank balance.

Trusteer noticed that SpyEye also hides fraudulent transactions even after a person has logged out and logged back into their account. The latest feature is designed with the same goal of keeping users unaware of fraud. The next time users log into their bank accounts, SpyEye will check its records to see what fraudulent transactions were made with the account, then simply delete them from the web page, said Amit Klein, Trusteer’s CEO. The account balance is also altered.

It appears that SpyEye has borrowed more from Zeus, a famous piece of banking malware that is now commonly available and considered the parent of SpyEye. The two pieces of malware were competitors, but in 2010 merged. Zeus also has the capability to hide its fraudulent transactions from victims.

“Zeus uses the stored balance details to inject into the same page at a later time to persistently hide the fact that money was fraudulently transferred from the user’s account,” according to a September 2011 report by Ryan Sherstobitoff, an independent security researcher, in the Information Systems Security Association Journal.

Trusteer has seen the technique used when a fraudster uses SpyEye to capture a person’s debit card details. When those details are obtained, the fraudster conducts a purchase over the web or phone, and SpyEye masks the transaction, Klein said. It does not affect, however, the bank’s ability to see the fraud, he said.

Article source: http://rss.feedsportal.com/c/270/f/3551/s/1b8aab3f/l/0Lnews0Btechworld0N0Csecurity0C33278940Cspyeye0Ebank0Etrojan0Epicks0Eup0Enew0Efraud0Ehiding0Etricks0C0Dolo0Frss/story01.htm

View full post on National Cyber Security » Computer Hacking

SpyEye online banking Trojan stealing customer text messages

Researchers from browser security vendor Trusteer have identified a new variant of the SpyEye financial Trojan that tricks online banking users into changing the phone numbers associated with their accounts.

“The Trusteer research team recently uncovered a stealth new attack carried out by the SpyEye Trojan that circumvents mobile SMS (short message service) security measures implemented by many banks,” said Amit Klein, Trusteer’s chief technology officer.

“This attack, when successful, enables the thieves to make transactions on the user’s account and confirm the transactions without the user’s knowledge,” he warned.

Top threat

In a recent report, Trusteer named SpyEye and ZeuS as the most serious threats faced by financial institutions and their customers. These banking Trojans are capable of executing what are known as man-in-the-browser attacks by injecting rogue code into websites displayed on the computers they infect.

This allows them, for example, to modify forms on online banking websites by adding fields to capture sensitive data or to hide the real account balance after an unauthorised transaction was performed so the account owner doesn’t notice.

Fortunately, for the last couple of years more and more banks have wised up to such techniques and countered them by introducing additional security checks. One of them requires account holders to confirm that they initiated a transaction by inputting a one-time code sent to their mobile phone via SMS.

These restrictions forced banking Trojan creators to come up with methods of obtaining mobile transaction authorisation numbers (mTANs), and changing the phone number on record is one of them.

Once a user logs into their online banking account from a computer infected with the new SpyEye variant, they receive an alert which appears to come from the bank and informs them of a new security requirement.

The fake message claims that a unique telephone number will be assigned to the customer for fraud reduction purposes, and asks them to confirm the procedure by inputting the code sent to their current phone.

In the background the Trojan actually initiates a phone number change request; the SMS code received by the victim is the confirmation code that completes that change. Following a successful attack, the fraudsters gain the ability to transfer funds out of the account at will.

No wall too high

“This latest SpyEye configuration demonstrates that out-of-band authentication (OOBA) systems, including SMS-based solutions, are not foolproof,” Trusteer’s Amit Klein warned. “Using a combination of MITB (man in the browser injection) technology and social engineering, fraudsters are not only able to bypass OOBA but also buy themselves more time since the transactions have been verified and fly under the radar of fraud detection systems.”

This is not the only method used by ZeuS and SpyEye gangs to steal mTANs, however. Another technique is to trick victims into installing a spyware application on their phones by passing it off as a component required by the bank. This is called a man-in-the-mobile attack.

Users should check the authenticity of all announcements received through online banking systems by calling the corresponding financial institution over the phone, especially if those messages ask them to perform certain actions.
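A bank-side control against the phone-number-change trick described above, as an added example that is not part of the article or of Trusteer's product: transfers whose mTAN was sent to a number registered within a cooling-off window, or changed in the same login session, are held for out-of-band review. The event records, numbers and session ids are constructed.

```python
from datetime import datetime, timedelta

# Constructed back-end events for three customers (not real bank data).
# Tuple: (timestamp, customer id, event type, details); each customer's events are in order.
EVENTS = [
    # cust-1: the pattern described above, all inside one login session
    ("2011-10-03T09:00:00", "cust-1", "login", {"session": "s1"}),
    ("2011-10-03T09:02:10", "cust-1", "phone_change",
     {"session": "s1", "new_number": "+44700000001"}),
    ("2011-10-03T09:05:00", "cust-1", "transfer",
     {"session": "s1", "amount": 4800.0, "mtan_to": "+44700000001"}),
    # cust-2: number changed weeks earlier, routine transfer confirmed on it later
    ("2011-09-01T10:00:00", "cust-2", "phone_change",
     {"session": "s2", "new_number": "+44700000002"}),
    ("2011-10-10T12:03:00", "cust-2", "transfer",
     {"session": "s9", "amount": 120.0, "mtan_to": "+44700000002"}),
    # cust-3: never changed the number on record
    ("2011-10-10T12:05:00", "cust-3", "transfer",
     {"session": "s5", "amount": 75.0, "mtan_to": "+44700000003"}),
]

COOLING_OFF = timedelta(days=7)  # transfers confirmed on a younger number are held


def flag_transfers(events, cooling_off=COOLING_OFF):
    """Return transfers whose mTAN went to a freshly changed phone number.

    A transfer is held for review when the number that received its mTAN was
    set less than `cooling_off` ago or in the same login session as the
    transfer. Review means confirming out of band (previous number, call-back).
    """
    last_change = {}  # customer -> (number, changed_at, session)
    flagged = []
    for ts, cust, kind, d in events:
        t = datetime.fromisoformat(ts)
        if kind == "phone_change":
            last_change[cust] = (d["new_number"], t, d["session"])
        elif kind == "transfer" and cust in last_change:
            number, changed_at, session = last_change[cust]
            if number != d["mtan_to"]:
                continue  # the mTAN went to an older, established number
            reasons = []
            if t - changed_at < cooling_off:
                minutes = int((t - changed_at).total_seconds() // 60)
                reasons.append("number_changed_%dmin_ago" % minutes)
            if session == d["session"]:
                reasons.append("same_session_as_phone_change")
            if reasons:
                flagged.append({"customer": cust, "time": ts,
                                "amount": d["amount"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_transfers(EVENTS):
        print(hit)
```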

Article source: http://rss.feedsportal.com/c/270/f/3551/s/191a07be/l/0Lnews0Btechworld0N0Csecurity0C330A92430Cspyeye0Eonline0Ebanking0Etrojan0Estealing0Ecustomer0Etext0Emessages0C0Dolo0Frss/story01.htm

View full post on National Cyber Security » Computer Hacking

SpyEye malware toolkit hits Android devices

The SpyEye malicious toolkit, which has made botnets out of computers running Microsoft’s Windows operating system, now threatens devices running Google’s Android as well.

Computer security firm Sophos said SpyEye, designed to steal banking credentials and confidential data, appeared to make the Android version some months after “competitor” Zeus did so.

“When the user of a PC infected by the Windows version of SpyEye visits a targeted banking website, and when the site is using mobile transaction authorization numbers, the SpyEye Trojan may inject HTML content which will instruct the user to download and install the Android program to be used for transaction authorization,” Sophos said in a blog post.

SpyEye will not include an icon that would be displayed in the “All apps” menu; a user will only find the package when “Manage Applications” is launched from the mobile device’s settings.

Also, the application uses the display name “System” so that it seems like a standard Android system application.

The SpyEye for Android will be detected by Sophos products as Andr/Spitmo-A.

“It also seems that support for Android is increasingly becoming an important part of their product strategy,” Sophos said.

Avoiding detection

Sophos said the malware uses different tactics to reinforce the user’s impression that it is a legitimate application.

It registers for the following Android intent actions (presented in the article as its permissions):

  <action android:name="android.provider.Telephony.SMS_RECEIVED" />
  <action android:name="android.intent.action.NEW_OUTGOING_CALL" />

These let the malware see incoming SMS messages and intercept outgoing phone calls.

When a number is dialed, the call is intercepted before the connection is made and the dialed phone number is matched to a special number specified by the attacker in the alleged helper application installation instructions.

If the number matches, Spitmo displays a fake activation number, which is always 251340.

Sophos also said a broadcast receiver intercepts all received SMS text messages and sends them to a command and control server using an HTTP POST request.

The submitted information includes the sender’s number and the full content of the message. — TJD, GMA News
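As an added example (not from the article or from Sophos), a static triage script that checks an AndroidManifest for the combination of traits described above: receivers for the two intent actions, no launcher activity (hence no icon in “All apps”), and a literal “System” label. The sample manifests are constructed, and the permission names are standard Android ones that the article does not quote.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME, LABEL = "{%s}name" % ANDROID_NS, "{%s}label" % ANDROID_NS

# Intent actions quoted in the Sophos write-up above.
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
NEW_OUTGOING_CALL = "android.intent.action.NEW_OUTGOING_CALL"
# Standard Android permissions those receivers need, plus INTERNET for the HTTP POST
# to the C&C server (these permission names are assumed; the article does not quote them).
RISKY_PERMS = {"android.permission.RECEIVE_SMS",
               "android.permission.PROCESS_OUTGOING_CALLS",
               "android.permission.INTERNET"}

def triage_manifest(manifest_xml: str) -> dict:
    """Static triage: which of the Spitmo traits described above does a manifest show?"""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    perms = {p.get(NAME) for p in root.findall("uses-permission")}
    receiver_actions, has_launcher = set(), False
    for comp in app:  # activities, receivers, services, ...
        for flt in comp.findall("intent-filter"):
            actions = {a.get(NAME) for a in flt.findall("action")}
            cats = {c.get(NAME) for c in flt.findall("category")}
            if comp.tag == "receiver":
                receiver_actions |= actions
            elif (comp.tag == "activity" and "android.intent.action.MAIN" in actions
                  and "android.intent.category.LAUNCHER" in cats):
                has_launcher = True  # this is what puts an icon in "All apps"
    # A label given as @string/... would need the APK's strings.xml; literal labels only.
    label = (app.get(LABEL) or "").strip()
    traits = {
        "receives_sms": SMS_RECEIVED in receiver_actions,
        "hooks_outgoing_calls": NEW_OUTGOING_CALL in receiver_actions,
        "no_launcher_icon": not has_launcher,
        "system_like_label": label.lower() == "system",
        "sms_call_and_network_perms": RISKY_PERMS <= perms,
    }
    return {"traits": traits, "score": sum(traits.values())}

# Constructed sample that mimics the behaviour described above (not a real Spitmo manifest).
SPITMO_LIKE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="x.sample">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="System">
    <receiver android:name=".SmsReceiver"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver>
    <receiver android:name=".CallReceiver"><intent-filter>
      <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
    </intent-filter></receiver>
  </application>
</manifest>"""

# Constructed benign messaging app: same SMS receiver, but it has a launcher icon.
BENIGN_SMS_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="x.messenger">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Messenger">
    <activity android:name=".MainActivity"><intent-filter>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter></activity>
    <receiver android:name=".SmsReceiver"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""
```

Call `triage_manifest(SPITMO_LIKE)` and `triage_manifest(BENIGN_SMS_APP)` to compare: the constructed Spitmo-like manifest scores 5 of 5, the benign messenger 1 (it legitimately receives SMS).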

Article source: http://www.gmanews.tv/story/232704/technology/spyeye-malware-toolkit-hits-android-devices

View full post on National Cyber Security » Virus/Malware/Worms

SpyEye Trojan stole $3.2 million from US victims

A Russian cybergang headed by a mysterious ringleader called ‘Soldier’ was able to steal $3.2 million (£2 million) from US citizens earlier this year using the SpyEye-Zeus data-stealing Trojan, security company Trend Micro has reported.

Over a six-month period from January 2011, Trend found that the Soldier gang had been able to compromise a cross-section of US businesses, including banks, airports, research institutions and even the US military and Government, as well as ordinary citizens.

A total of 25,394 systems were infected between 19 April and 29 June alone, 57 percent of which were Windows XP systems with even Windows 7 registering 4,500 victim systems.

The company has not explained how the sum of $3.2 million was taken, nor from which types of user, but accounts across a wide range of applications were found to have been compromised. The three largest by some margin were Facebook, Yahoo and Google, but eBay, Amazon, PayPal and Skype also appear on the list.

“’Soldier’ has mainly targeted US users and to increase the number of successful infections achieved in the US, he even bought US traffic from other cybercriminals. Besides using malware to steal money from the compromised accounts, he also steals user security credentials,” Trend Micro said.

“Compromise on such a mass scale is not that unusual for criminals using toolkits like SpyEye, but the amounts stolen and the number of large organizations potentially impacted is cause for serious concern.”

Banking Trojans such as SpyEye and the older Zeus (possibly now merged with SpyEye) have been one of the malware stories of the last year, and have featured in a number of high-profile online crime cases.

In the UK this included a teen gang said to have stolen as much as £12 million ($18 million) from a range of activities including online bank fraud. Earlier in 2010, a separate gang using Zeus was able to steal up to £20 million ($30 million), police believe.

Article source: http://rss.feedsportal.com/c/270/f/3551/s/1866f845/l/0Lnews0Btechworld0N0Csecurity0C330A38720Cspyeye0Etrojan0Estole0E320Emillion0Efrom0Eus0Evictims0C0Dolo0Frss/story01.htm

View full post on National Cyber Security » Computer Hacking
