Banking Trojans Crack Two-Factor Authentication

The Zeus and SpyEye cyber-criminal toolkits have been modified to automate the process of stealing from online bank accounts that use two-factor authentication

Underground developers for the two major banking Trojans, Zeus and SpyEye, have honed their techniques for automated theft to the point that even two-factor authentication can be bypassed easily and automatically, according to a report released by Trend Micro this week.

The evolution of the banking Trojans heralds tough times ahead for financial institutions, the firm says. Banks have relied on additional factors of security, such as one-time password tokens, to hinder the efforts of online thieves, according to the report.

Automation

While cyber-criminals have been able to get around the defensive measures, they had to monitor the attacks in real time. The evolving ability of the programs to steal money automatically through what Trend calls “automated transfer systems” means that banks stand to lose more money.

“A hacker had to be waiting around for the signal, and essentially be on point immediately when notified about a real two-factor authentication compromise by Zeus or SpyEye presence,” said Tom Kellerman, vice president of cyber-security for Trend Micro. “This automates all of that from the perspective of two-factor authentication.”

The capability is not a new feature, but functionality that is evolving over time. Cyber-criminals use Zeus and SpyEye to steal money from the accounts of victims whose computers had been infected with malware created by the toolkits.

Initially, banks started using two-factor authentication to stop the banking Trojans from transferring money. Key fobs that create a new six-digit passcode every 30 seconds, or text messaging a secret code to a consumer’s phone, stopped early thieves from transferring money.

However, cyber-criminals were not daunted. They quickly moved to compromising the browser, monitoring communications and modifying transactions on the fly and hiding them from the victim’s view. Known as a man-in-the-browser attack, the technique allows online thieves to continue to steal money but they had to monitor the system to be able to use the time-dependent passcode before it expired.

Real-time theft

“Time is critical,” said Kellerman. “The reason that two-factor authentication is successful against hackers is because it’s time-dependent and it is something you know. Attackers eliminated the time variable because they can do it in real time.”

With the capabilities to automate the transfers using custom modules that can anticipate the target bank’s security checks, criminals are now back to the good old days, where money can be transferred automatically and in smaller amounts that may not set off the financial institution’s alarms.

As the developers continue to improve their code, defenders will need to come up with new ways of slowing down the theft.

“It’s about a level of sophistication that is consistently growing and outpacing our defensive mechanisms,” said Kellerman. “This is not about one attack or one campaign but about full automation for stuff that used to take days and lots of time.”

Are you an expert on social networks? Take our quiz.