Banking malware spies on victims by hijacking webcams, microphones, researchers say
The SpyEye variant secretly films and records what victims say and do when they are being defrauded
IDG News Service - A new variant of SpyEye malware allows cybercriminals to monitor potential bank fraud victims by hijacking their webcams and microphones, according to security researchers from antivirus vendor Kaspersky Lab.
SpyEye is a computer Trojan horse that specifically targets online banking users. Like its older cousin, Zeus, SpyEye is no longer being developed by its original author, but is still widely used by cybercriminals in their operations.
SpyEye's plug-in-based architecture allows third-party malware developers to extend its original functionality, Kaspersky Lab malware researcher Dmitry Tarakanov said in a blog post on Monday. This is exactly what happened with the new webcam and microphone spying feature, which is implemented as a SpyEye plug-in called flashcamcontrol.dll, Tarakanov said.
As suggested by the DLL's name, the malware accesses these two computer peripherals by leveraging Flash Player, which has webcam and microphone control functionality built in.
Under normal circumstances, users get prompted to manually allow websites to control their computers' webcam and microphone via Flash. However, the SpyEye plug-in silently whitelists a list of online banking websites by directly modifying Flash Player configuration files.
At first, the Kaspersky Lab researchers thought that this might be part of a scheme to bypass facial recognition systems used by some banks for secure authentication. However, after contacting the targeted organizations, they learned that none of them had any webcam-reliant features on their websites.
The Kaspersky researchers later found out, by analyzing a different SpyEye component, that the malware injects the webcam and microphone hijacking Flash content into the targeted online banking websites locally, when these sites are opened in a browser on the infected computers.
This is done by using an on-the-fly Web page manipulation technique that most banking malware, including SpyEye, also uses for displaying rogue messages and hiding legitimate content inside the browser.
Some banks require customers to confirm transactions initiated from their online accounts by typing secret codes sent to their mobile phones or generated by portable hardware tokens. Cybercriminals need these codes to steal money, so they commonly use social engineering to trick victims into exposing them.
In other cases, the banks will actually call their customers in order to authorize transactions over the phone and this is when having webcam and microphone spying abilities can be very useful to attackers. Such was the case with an Ecuadorian bank whose customers were targeted in the past by a different piece of malware that had this functionality, Tarakanov said.
During conversations with the bank's phone operators, customers can disclose very sensitive information about themselves and their accounts, for the purpose of verifying their identity. This information can include their mother's maiden name, their date of birth, their credit card and Social Security numbers, as well as their telephone personal identification number (TPIN), which is used for phone banking operations.
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Binary Option: Neustar SiteProtect Case Study Learn how Neustar helped Top10optionbinaire.com protect against DDoS attacks with SiteProtect DDoS mitigation technology.
- Four Ways DNS Can Accelerate Business Growth This DNS eBook describes how DNS has developed over the years to support business growth as new needs have emerged, for example, advanced...
- Architecting the Network of the Future Networks need to change, as does the way IT thinks about and manages them. In addition to reliability, IT must now add higher...
- Ecommerce Site Needs Protection Against Cyber 'Pirate' Learn how a Neustar customer thwarted 'Blackbeard,' a self-styled DDoS Pirate. Using Neustar SiteProtect, a cloud-based DDoS mitigation service, this everyday IT hero...
- Tales from the Trenches - Industry Risks and Examples of DDoS Watch Neustar experts as they discuss how DDoS impacts technology companies including online gaming, e-commerce and more. All Network Security White Papers | Webcasts