SpyEye Trojan attacks Verizon's online payment page

ronjor · May 18, 2011

Trusteer discovered a configuration of the SpyEye Trojan targeting Verizon’s online payment page and attempting to steal payment card information. The attack took place between May 7th and 13th.

Amit Klein, Trusteer's CTO explained that, “SpyEye uses a technique called “HTML injection” to modify the pages presented in the victim’s browser, in this particular case the injected HTML is used to capture the following credit card related data."

"The attack is invisible to Verizon customers since the malware waits for the user to logon and access their billing page and only then injects an authentic-looking replica webpage that requests this information. Since the user has logged on and has navigated to the familiar billing page they have no reason to suspect this request for payment information is suspicious," Klein added.
Click to expand...

http://www.net-security.org/malware_news.php?id=1726

Triple Helix · May 18, 2011

Thanks Ron a real nasty! Prevx Blog: http://www.prevx.com/blog/168/SpyEye-the-infostealing-trojan-leader.html

TH

Rmus · May 19, 2011

Hi Ron and Triple Helix,

I'm a bit confused by the article: it appears to suggest that Verizon's payment page had been attacked.

But this article states that it's the customer's computer that was compromised by the trojan, which does the code injection:

Trusteer: SpyEye Trojan Targeting Verizon Customers
http://antivirus.about.com/b/2011/05/18/trusteer-spyeye-trojan-targeting-verizon-customers.htm

Malware on the victim's computer injects a fake billing page after you've logged into your account.
The SpyEye trojan uses rootkit technology to hide its presence on the infected computer.
Click to expand...

How do you see this?

thanks,

-rich

ronjor · May 19, 2011

The SpyEye trojan is typically delivered via the Web, either by sending a malicious link via email (or IM, Twitter, etc.) or by compromising a legitimate website so that the legitimate website unwittingly delivers a "drive-by" infection when you visit that site
Click to expand...

Looks like a couple of ways it can be delivered.

Baserk · May 19, 2011

Rmus said:

...
I'm a bit confused by the article: it appears to suggest that Verizon's payment page had been attacked.
...
Click to expand...

As far as I can understand, it's attacked from the consumer PC when visiting the payment page.
Afaict, the MITM/HTML injection is only happening from that PC and not in anyway from the payment system itself (which wouldn't be a MITM attack).

The Trusteer CTO Amit Klein statement further on, does leave some room for interpretation;
"Whether it’s on consumer machines, call center computers, or point of sale systems, attackers are targeting endpoints to steal readily available payment card data....", but I think that sentence was only aimed at the 'financial malware trend', mentioned in the article.

(I've emailed Trusteer, asking for a tad of clarification. Perhaps they'll respond).

Rmus · May 19, 2011

Baserk said:

As far as I can understand, it's attacked from the consumer PC when visiting the payment page.
Afaict, the MITM/HTML injection is only happening from that PC and not in anyway from the payment system itself (which wouldn't be a MITM attack).
Click to expand...

I think that this is the case. SpyEye gets onto the consumer's PC (by various methods) which then sets up the injection attack.

thanks,

-rich

Log in or Sign up

SpyEye Trojan attacks Verizon's online payment page

ronjor Global Moderator

Triple Helix Specialist

Rmus Exploit Analyst

ronjor Global Moderator

Baserk Registered Member

Rmus Exploit Analyst

Log in or Sign up

SpyEye Trojan attacks Verizon's online payment page

ronjor Global Moderator

Triple Helix Specialist

Rmus Exploit Analyst

ronjor Global Moderator

Baserk Registered Member

Rmus Exploit Analyst

Useful Searches