The SpyEye banking trojan has acquired the ability to reroute one-time passwords sent to victims' cellphones, a measure that bypasses protections more and more financial institutions are adopting.
According to a blog post published Wednesday by a researcher from security firm Trusteer, SpyEye was recently observed trying to trick victims into reassigning the cellphone number they use to receive one-time passwords from their banks by SMS, or short message service. The social-engineering ploy is contained in fraudulent pages injected into their online banking sessions that falsely claim they have been assigned a unique telephone number dedicated for that purpose and a special SIM card will be received in the mail shortly.
SpyEye injects this message (translated from Spanish) into some victims' online banking session.
“Now the fraudsters can receive all future SMS transaction verification codes for the hijacked account via their own telephone network,” Trusteer researcher Amit Klein wrote. “This allows them to use the SMS confirmation system to divert funds from the customer's account without their knowledge, while not triggering any fraud detection alarms.”
As the cost of online banking fraud has skyrocketed, many financial institutions have embraced the use of out-of-band authentication to reduce the effectiveness of SpyEye, ZeuS, and other trojans that steal online banking credentials entered into infected computers. The protections work by requiring customers to enter a one-time password sent by the bank to her phone before a large transaction is completed. The additional step often foils bank fraud even if a crook has the victim's user name and password.
In true cat-and-mouse fashion, malware developers have responded by building new features that bypass these countermeasures.
SpyEye, which recently merged with the ZeuS codebase, has been one of the leaders in figuring out new ways to defeat such countermeasures. Last month, SpyEye operators began bundling the it with malware that intercepts one-time passwords sent by SMS. SpyEye has been observed doing much the same thing to BlackBerry users, as well.
The fraudulent message claiming the cellphone number must be reassigned is injected into victims' online banking sessions by the SpyEye malware infecting their machines.