SpyEye Trojan stole $3.2 million from US victims,Android users will be next target !

A Russian cybergang headed by a mysterious ringleader called ‘Soldier’ were able to steal $3.2 million (£2 million) from US citizens earlier this year using the SpyEye-Zeus data-stealing Trojan, security company Trend Micro has reported and Trusteer reports that an Android variant of Spitmo (SpyEye for mobile) has been discovered. The methodology sounds familiar for those familiar with ZeuS Mitmo and SpyEye Spitmo: infected computers inject a message into targeted netbanks prompting their customers to install software on their phones. Once Spitmo is installed, the SpyEye attacker is able to monitor incoming SMS and to steal MTAN authentication messages.

"His botnet was able to compromise approximately 25,394 systems between April 19, 2011 and June 29, 2011. And while nearly all of the victims were located in the US, there were a handful of victims spread across another 90 countries," it said in a blog post.

Over a six month period from January 2011, Trend found that the Soldier gang had been able to compromise a cross-section of US business, including banks, airports, research institutions and even the US military and Government, as well as ordinary citizens.A total of 25,394 systems were infected between 19 April and 29 June alone, 57 percent of which were Windows XP systems with even Windows 7 registering 4,500 victim systems.

Compromise on such a mass scale is not that unusual for criminals using toolkits like SpyEye, but the amounts stolen and the number of large organizations potentially impacted is cause for serious concern.
Victims included:

  • US Government (Local, State Federal)
  • US Military
  • Educational & Research Institutions
  • Banks
  • Airports
  • Other Companies (Automobile, Media, Technology)
  • C&C Infrastructure
Banking Trojans such as SpyEye and the older Zeus (possibly now merged with SpyEye) have been one of the malware stories of the last year, and have featured in a number of high-profile online crime cases.

Zeus for Android purports to be a version of Trusteer Rapport security software. This social engineering trick is used in an attempt to convince the user that the application they are installing is legitimate.SpyEye for Android, now detected by Sophos products as Andr/Spitmo-A, uses a slightly different but similar social engineering technique.

Spitmo was initially detected by F-Secure in April when a variant was used in an attack against a European bank - the Trojan added question fields to the bank's website, asking customers to enter their mobile phone number and the device's IMEI.Sean Sullivan, security advisor at F-Secure, said: “Spitmo.A contains the malicious executable (sms.exe) and another installer, which contains an executable named SmsControl.exe. SmsControl.exe will just display the message ‘Die Seriennummer des Zertifikats: Ü88689-1299F' to fool the user into thinking that the installer was indeed a certificate.“The name SmsControl.exe is quite a coincidence, as a variant of ZeusMitmo used the same name for the file containing the Trojan. Faking the Trojan to be a certificate is also a trick that ZeusMitmo has used. However, the code itself looks completely different than in ZeusMitmo.”

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.