Underground developers for the two major banking Trojans, Zeus and SpyEye, have honed their techniques for automated theft to the point that even two-factor authentication can be bypassed easily and automatically, according to a report released by Trend Micro this week.
The evolution of the banking Trojans heralds tough times ahead for financial institutions, the firm says. Banks have relied on additional factors of security, such as one-time password tokens, to hinder the efforts of online thieves, according to the report.
While cyber-criminals have been able to get around the defensive measures, they had to monitor the attacks in real time. The evolving ability of the programs to steal money automatically through what Trend calls “automated transfer systems” means that banks stand to lose more money.
The capability is not a new feature, but functionality that is evolving over time. Cyber-criminals use Zeus and SpyEye to steal money from the accounts of victims whose computers had been infected with malware created by the toolkits.
Initially, banks started using two-factor authentication to stop the banking Trojans from transferring money. Key fobs that create a new six-digit passcode every 30 seconds, or text messaging a secret code to a consumer’s phone, stopped early thieves from transferring money.
However, cyber-criminals were not daunted. They quickly moved to compromising the browser, monitoring communications and modifying transactions on the fly and hiding them from the victim’s view. Known as a man-in-the-browser attack, the technique allows online thieves to continue to steal money but they had to monitor the system to be able to use the time-dependent passcode before it expired.
“Time is critical,” said Kellerman. “The reason that two-factor authentication is successful against hackers is because it’s time-dependent and it is something you know. Attackers eliminated the time variable because they can do it in real time.”
With the capabilities to automate the transfers using custom modules that can anticipate the target bank’s security checks, criminals are now back to the good old days, where money can be transferred automatically and in smaller amounts that may not set off the financial institution’s alarms.
As the developers continue to improve their code, defenders will need to come up with new ways of slowing down the theft.
“It’s about a level of sophistication that is consistently growing and outpacing our defensive mechanisms,” said Kellerman. “This is not about one attack or one campaign but about full automation for stuff that used to take days and lots of time.”
Are you an expert on social networks? Take our quiz.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…
View Comments
I don’t think that we can say the 2FA has been cracked. Because to me when you say cracked it means it can be used on a wide scale attack and at any time. That is not the case. This is talking real time hacking, which is not considered to be large scale hacking. With many of the big global online banking sites have moved to the use of a telephone (mobile or other) as a form of a token where the user is asked to telesign into their account by entering a one-time PIN code which is delivered to your phone via SMS or voice, this is still the safest option available.