The research team at IBM recently uncovered a stealthy new attack carried out by the SpyEye Trojan that circumvents mobile SMS security measures implemented by many banks. Using code we captured while protecting an IBM Security Trusteer Rapport user, we discovered a two-step web-based attack that allows fraudsters to change the mobile phone number in a victim’s online banking account and reroute SMS confirmation codes used to verify online transactions. This attack, when successful, enables the thieves to make transactions on the user’s account and confirm the transactions without the user’s knowledge.

How SpyEye Breaches SMS Security

In the first step of the attack, SpyEye steals the victim’s online banking login details. This is standard operating procedure for financial malware like SpyEye, Zeus and others. The fraudsters can now access the victim’s account without raising red flags in the bank’s fraud-detection systems.

In step two, SpyEye changes the victim’s phone number of record in the online banking application to one of several random attacker-controlled numbers. In order to complete this operation, the attacker needs the confirmation code, which is sent by the bank to the customer’s original phone number. To steal this confirmation code, the attacker uses the following social engineering scheme.

First, SpyEye injects a fraudulent page into the customer’s browser that appears to be from the online banking application. The fake page purports to introduce a new security system that is now “required” by the bank for which customers must register. The page explains that under this new security process the customer will be assigned a unique telephone number and that they will receive a special SIM card via mail. Next, the user is instructed to enter the personal confirmation number they receive on their mobile telephone into the fake web page in order to complete the registration process for the new security system. This allows the criminals to steal the confirmation code they need to authorize changing the customer’s mobile number.

The following is a screenshot of the fraudulent page created by SpyEye that is presented to the customer (translated from Spanish to English):

Now the fraudsters can receive all future SMS transaction verification codes for the hijacked account via their own telephone network. This allows them to use the SMS confirmation system to divert funds from the customer’s account without their knowledge, while not triggering any fraud detection alarms.

Out-of-Band Is Not a Panacea

This latest SpyEye configuration demonstrates that out-of-band authentication (OOBA) systems, including SMS-based solutions, are not foolproof. Using a combination of Man in the Browser (MitB) injection technology and social engineering, fraudsters can not only bypass OOBA but also buy themselves more time, since the transactions have been verified and fly under the radar of fraud-detection systems. The only way to defeat this new SMS security attack once a computer has been infected with SpyEye is by using endpoint security that blocks MitB techniques. Without a layered approach to security, even the most sophisticated OOBA schemes can be made irrelevant under the right circumstances.
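The attack in step two works because the bank treats a freshly changed phone number as a trusted confirmation channel immediately, and because a change of channel followed minutes later by transfers does not, as the post notes, trip any fraud alarm. Below is an added example (not code from the original post or from IBM) of two server-side controls a bank could put behind the SMS step: a transaction-time policy that refuses to route confirmation codes to a number registered less than a cooling-off window ago, and a retrospective detection rule over the account event log that flags transfers confirmed shortly after a phone-number change. The 48-hour window, the event schema and the sample events are all constructed assumptions.

```python
"""Detect and mitigate SMS-channel hijack following a phone-of-record change.

Constructed example: a bank's server-side event stream in which an attacker
who has phished the change-confirmation code swaps the phone of record and
then confirms transfers via the new number. Two controls are shown:
  1. sms_delivery_decision: a transaction-time policy that will not trust a
     number registered less than COOLDOWN ago, and
  2. flag_risky_transfers: a retrospective rule that flags transfers
     confirmed within COOLDOWN of a phone change.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

COOLDOWN = timedelta(hours=48)  # assumption: bank-chosen cooling-off window


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str    # "login" | "phone_change" | "transfer"
    detail: str  # new phone number, transfer id, or login metadata


# Constructed sample log (not from the original post). acct-1 shows the
# attack pattern: login, phone change, transfer five minutes later.
EVENTS = [
    Event(datetime(2024, 1, 10, 9, 0), "acct-1", "login", "ip=203.0.113.5"),
    Event(datetime(2024, 1, 10, 9, 4), "acct-1", "phone_change", "+34600000001"),
    Event(datetime(2024, 1, 10, 9, 9), "acct-1", "transfer", "tx-100"),
    Event(datetime(2024, 1, 12, 11, 0), "acct-1", "transfer", "tx-101"),
    Event(datetime(2024, 1, 3, 8, 0), "acct-2", "phone_change", "+34600000099"),
    Event(datetime(2024, 1, 11, 10, 0), "acct-2", "transfer", "tx-200"),
]


def last_phone_change(events, account, before):
    """Timestamp of the most recent phone_change for `account` at or before `before`."""
    changes = [e.ts for e in events
               if e.account == account and e.kind == "phone_change" and e.ts <= before]
    return max(changes) if changes else None


def sms_delivery_decision(events, account, now):
    """Transaction-time control: where may a confirmation code be sent?

    Returns "new_number" when the phone of record is older than COOLDOWN.
    Returns "step_up" when the number was changed recently: the code must not
    go to a channel the attacker may have just captured, so the bank should
    confirm on an independent channel (previous number, mobile app, callback).
    """
    changed = last_phone_change(events, account, now)
    if changed is None or now - changed >= COOLDOWN:
        return "new_number"
    return "step_up"


def flag_risky_transfers(events, cooldown=COOLDOWN):
    """Retrospective detection: transfer ids confirmed within `cooldown` of a phone change."""
    flagged = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind != "transfer":
            continue
        changed = last_phone_change(events, e.account, e.ts)
        if changed is not None and e.ts - changed < cooldown:
            flagged.append(e.detail)
    return flagged


if __name__ == "__main__":
    print("flagged transfers:", flag_risky_transfers(EVENTS))
    print("routing for acct-1 right after the change:",
          sms_delivery_decision(EVENTS, "acct-1", EVENTS[2].ts))
```

The cooling-off rule is deliberately simple: it does not try to spot the injected page on the client, which the post says only endpoint MitB protection can do, but it removes the attacker's advantage of confirming transfers minutes after hijacking the channel, and the log rule gives the fraud team a signal for the cases the policy lets through.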
