Man-in-the-Middle (MITM) attacks are, sadly, not news these days; they are a fact of online life. But word of how the latest SpyEye Trojan-driven MITM attacks use a clever post-transaction fraud system to effectively erase the evidence of the crime from the victim's view certainly deserves to be.
The attacks, which target online bank accounts in both the US and the UK, were first spotted just before the seasonal holidays took hold by researchers at Trusteer, a security company that works with banks to protect customers from threats such as MITM attacks. What is a MITM attack exactly? Simply put, think of it as a bad guy managing to intercept your online communication with the bank and sitting in the middle, between you and your bank. You think you have logged into your online bank account, but you have actually logged into a fake version of that page operated by the 'man in the middle', who grabs your login information. While an automated process tells you that your password and username didn't match and asks you to repeat the login, the bad guy is logging into your real bank account and making a transfer. When he's done, you get dropped back at the real bank site for another login attempt which will, of course, now work.
These kinds of attack have one flaw, and that is how easily and quickly the victim can spot the fraud: if they view their statement after logging in and see a large transaction they didn't make, they will contact the bank and have that transaction revoked. Which is where the post-transaction attack comes into play.
Such attacks typically occur in three phases: first, the MITM (or Man-in-the-Browser, if you prefer) attack itself, launched during an online banking session, captures debit card data using MITB malware configured to ask for debit card details including the CVV2 number; second, that data is used for fraudulent activity, most commonly cardholder-not-present purchases; and finally comes the clever bit, the post-transaction attack itself. This latter phase is the interesting, and worrying, part: the next time the victim logs in to their bank account, those fraudulent transactions are effectively hidden from view.
The SpyEye Trojan configuration in question automatically, and immediately, passes all details of the fraudulent transactions made during phase 2 to the malware control panel, which then lies active and waiting for the victim to connect to their bank again. When they do, the malware simply replaces the real transaction statement on view with a fake one that omits those purchases and shows a balance that does not reflect them. The victim then has no idea that he or she has been robbed until they get a paper copy of their statement, assuming they still get one of course, or receive an insufficient funds notification from the bank when making a genuine transaction of their own.
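The reason this hiding works is that the doctored statement is internally consistent: the balance shown matches the transactions shown, so nothing in the browser looks wrong. The following Python is an added illustration, not code from the article or from Trusteer; it uses a constructed ledger and a constructed "as rendered" view to show that an in-browser consistency check passes while a reconciliation against an independently obtained ledger (paper statement, SMS alert feed, a second channel) flags the missing entries and the balance gap.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: str
    amount: Decimal  # negative values are debits
    description: str


# Constructed sample: the bank's authoritative ledger for one account.
LEDGER = [
    Txn("t1", Decimal("2500.00"), "salary"),
    Txn("t2", Decimal("-120.00"), "groceries"),
    Txn("t3", Decimal("-899.99"), "card-not-present purchase"),  # fraud
    Txn("t4", Decimal("-450.00"), "card-not-present purchase"),  # fraud
]
OPENING_BALANCE = Decimal("300.00")

# Constructed sample: the statement as it appears in the victim's browser,
# with t3 and t4 removed and the balance recomputed to match what is shown.
TAMPERED_VIEW = {
    "transactions": [("t1", "2500.00"), ("t2", "-120.00")],
    "balance": "2680.00",
}


def view_self_consistent(view, opening):
    """In-band check: does the displayed balance equal opening + displayed
    transactions? A post-transaction inject keeps this true, so it detects
    nothing on its own."""
    shown_total = sum((Decimal(a) for _, a in view["transactions"]), Decimal("0"))
    return opening + shown_total == Decimal(view["balance"])


def reconcile(ledger, opening, view):
    """Out-of-band check: compare the rendered statement with a ledger obtained
    through a channel the browser cannot rewrite. Returns the transaction ids
    absent from the view and (true balance - displayed balance)."""
    shown_ids = {tid for tid, _ in view["transactions"]}
    missing = [t.txn_id for t in ledger if t.txn_id not in shown_ids]
    true_balance = opening + sum((t.amount for t in ledger), Decimal("0"))
    return missing, true_balance - Decimal(view["balance"])


if __name__ == "__main__":
    print("self-consistent:", view_self_consistent(TAMPERED_VIEW, OPENING_BALANCE))
    print("reconcile:", reconcile(LEDGER, OPENING_BALANCE, TAMPERED_VIEW))
```

The in-band check returns True for the doctored view, while reconcile reports t3 and t4 as missing and a balance gap of -1349.99, which is why the paper statement or the insufficient-funds notice mentioned above is what finally exposes the fraud.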
"Post transaction attacks are designed to conceal illegitimate activity for as long as possible," explains Trusteer CTO Amit Klein, "to either allow money to transfer to its final destination - uninterrupted, or continue to control the account and perform further transactions."
Klein predicts that the use of such post-transactional MITM attacks will "significantly increase" as they "enable criminals to maximise the amount of fraud they can commit using their initial investment in malware toolkits and infection mechanisms with little additional effort as it is cheap to buy and easy to use."