
Banking Trojans Crack Two-Factor Authentication

Underground developers for the two major banking Trojans, Zeus and SpyEye, have honed their techniques for automated theft to the point that even two-factor authentication can be bypassed easily and automatically, according to a report released by Trend Micro this week.

The evolution of the banking Trojans heralds tough times ahead for financial institutions, the firm says. Banks have relied on additional factors of security, such as one-time password tokens, to hinder the efforts of online thieves, according to the report.

Automation

While cyber-criminals have been able to get around the defensive measures, they had to monitor the attacks in real time. The evolving ability of the programs to steal money automatically through what Trend calls “automated transfer systems” means that banks stand to lose more money.

“A hacker had to be waiting around for the signal, and essentially be on point immediately when notified about a real two-factor authentication compromise by Zeus or SpyEye presence,” said Tom Kellerman, vice president of cyber-security for Trend Micro. “This automates all of that from the perspective of two-factor authentication.”

The capability is not a new feature, but functionality that has evolved over time. Cyber-criminals use Zeus and SpyEye to steal money from the accounts of victims whose computers have been infected with malware created by the toolkits.

Initially, banks started using two-factor authentication to stop the banking Trojans from transferring money. Key fobs that create a new six-digit passcode every 30 seconds, or text messaging a secret code to a consumer’s phone, stopped early thieves from transferring money.

However, cyber-criminals were not daunted. They quickly moved to compromising the browser, monitoring communications, modifying transactions on the fly and hiding the changes from the victim’s view. Known as a man-in-the-browser attack, the technique allowed online thieves to keep stealing money, but it required them to watch the session so they could use the time-dependent passcode before it expired.

Real-time theft

“Time is critical,” said Kellerman. “The reason that two-factor authentication is successful against hackers is because it’s time-dependent and it is something you know. Attackers eliminated the time variable because they can do it in real time.”

With custom modules that automate the transfers and anticipate the target bank’s security checks, criminals are back to the good old days: money can be transferred automatically, and in smaller amounts that may not set off the financial institution’s alarms.
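As an added illustration (not code from the article, from Trend Micro, or from the Trojans themselves), the toy Python model below shows why a purely time-based code, like the 30-second key-fob codes described above, still authorises a transfer that a man-in-the-browser Trojan altered within the same window, and how a code bound to the payee and amount (transaction signing, a mitigation the article does not cover) rejects the altered transfer. The token seed, payee names and amounts are constructed; the HOTP/TOTP arithmetic follows RFC 4226/6238.

```python
"""Toy model: time-only OTP vs. transaction-bound OTP under a MitB swap.
Constructed example; the seed, payees and amounts are made up."""
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-seed"  # shared token seed (assumption)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, now: int, step: int = 30) -> str:
    """Time-based code, as produced by a key fob that rolls every 30 seconds."""
    return hotp(key, now // step)


def transaction_code(key: bytes, payee: str, amount_cents: int, now: int) -> str:
    """Code bound to what the user saw: derive a per-transaction key from the
    payee and amount, then run the same time-based algorithm over it."""
    tx_key = hmac.new(key, f"{payee}|{amount_cents}".encode(), hashlib.sha256).digest()
    return totp(tx_key, now)


def bank_accepts_totp(key: bytes, submitted: str, now: int) -> bool:
    return hmac.compare_digest(submitted, totp(key, now))


def bank_accepts_tx_code(key: bytes, payee: str, amount_cents: int, submitted: str, now: int) -> bool:
    return hmac.compare_digest(submitted, transaction_code(key, payee, amount_cents, now))


def mitb_replay(now: int) -> dict:
    """The victim authorises a legitimate payment; the Trojan swaps the payee
    and amount in the browser before the request reaches the bank."""
    seen_payee, seen_amount = "electricity-co", 12000
    mule_payee, mule_amount = "mule-account", 9900  # kept small, as the article notes
    # The fob's code is not tied to the transaction, so it is still valid for
    # the altered transfer as long as it is submitted within the same window.
    time_only = bank_accepts_totp(SECRET, totp(SECRET, now), now)
    # With transaction signing, the user's device computed the code over the
    # payee and amount they saw; the altered request fails verification.
    signed = transaction_code(SECRET, seen_payee, seen_amount, now)
    bound = bank_accepts_tx_code(SECRET, mule_payee, mule_amount, signed, now)
    return {"time_only_accepted": time_only, "bound_accepted": bound}
```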

As the developers continue to improve their code, defenders will need to come up with new ways of slowing down the theft.

“It’s about a level of sophistication that is consistently growing and outpacing our defensive mechanisms,” said Kellerman. “This is not about one attack or one campaign but about full automation for stuff that used to take days and lots of time.”


Robert Lemos

Robert Lemos covers cyber security for TechWeekEurope and eWeek


  • I don’t think that we can say that 2FA has been cracked, because to me when you say cracked it means it can be used in a wide-scale attack and at any time. That is not the case. This is talking about real-time hacking, which is not considered to be large-scale hacking. Many of the big global online banking sites have moved to the use of a telephone (mobile or other) as a form of token, where the user is asked to telesign into their account by entering a one-time PIN code which is delivered to their phone via SMS or voice; this is still the safest option available.
