US, UK, Canada, Germany, and Australia now top of SpyEye’s target list

July 2011 by Trusteer

Research findings from the Trusteer Situation Room and our anomaly detection service Pinpoint indicate that the number of financial institutions targeted by the SpyEye Trojan is growing. In parallel with this, our risk analysis teams have also observed an increase in the number of countries where financial institutions are being targeted by fraudsters using SpyEye.

Analyzing the SpyEye command and control centers that our risk analysis team reviews every month revealed that 60% of the SpyEye bots target financial institutions in the US. This is followed by the UK with 53%, Canada with 31%, Germany 29%, and Australia 20%.

Interestingly enough, the percentage of SpyEye bots targeting Canadian banks has more than doubled from 14% in May to 31% in June.

Other destinations that are included in more than 10% of SpyEye bots include: Italy, Ireland, UAE, Spain, Costa Rica, France, Turkey, India, Jordan, Russia, and Portugal.

In addition, SpyEye continues to expand its “hit list”.

In May, SpyEye added targets in the Middle East, including Saudi Arabia, Bahrain and Oman, while in June financial institutions in Venezuela, Belarus, Ukraine, Moldova, Estonia, Latvia, Finland, Japan, Hong Kong and Peru were attacked. Russia, Trusteer has observed, is also a relatively new addition to the target list.

It is interesting to note that the fraud patterns used by SpyEye are somewhat different from those of Zeus and other financial malware. Specifically, our risk analysis teams have observed new code being incorporated into SpyEye that is designed to evade transaction monitoring systems.

Transaction monitoring systems analyze various aspects of the customer’s session with the bank in order to detect abnormal behavior that may be attributed to malware activity.

SpyEye developers appear to have figured out how these defenses operate and are now constantly trying to ensure that their code's activity flies under the radar of these detection systems. SpyEye seems to follow agile software development practices: it is coded flexibly and simply, and its developers roll out new configurations as quickly as possible.

At certain times, Trusteer has even seen two new versions of the malware released every week. It’s important to note that there is a large difference between a new version and a simple variant of financial malware.

A new version means that the program code itself has been modified, while a new variant is just new packing around the same code.

Some of the changes our risk analysis teams are seeing include very significant improvements to the core SpyEye technology. The authors' ability to react rapidly and improve the software should be a major concern to anyone who is already on SpyEye's target list, or who may be in the future.

SpyEye’s Rapid Rise to Prominence

Even though it seems a lot older, the SpyEye malware toolkit surfaced less than two years ago in December 2009.

Over the last 18 months, SpyEye has made a lot of headlines, especially when it was revealed that the development team behind the malware was effectively merging it with that of the older Zeus code.

Right from the very beginning, SpyEye has been a highly aggressive Trojan. It is also interesting to note that early versions of the malware included a feature to remove Zeus from an infected host machine.

This feature was, of course, in place to ensure that SpyEye is the only financial malware on the infected computer.

Overall, Trusteer recommends that financial institutions monitor developments in the SpyEye toolkit. They should pay close attention to SpyEye attack vectors that target their own brand, as well as to new SpyEye attacks that target other financial institutions.

The intelligence from this process should be included in the financial institution’s security controls such as anomaly detection and endpoint protection. The ability to react fast to SpyEye’s changes in pattern is, we believe, key to an effective fraud prevention architecture against this dangerous toolkit.
