SpyEye using MitB to make fraudulent transactions

Recently our e-crime team discovered that SpyEye is using Man in the Browser (MitB) techniques to make fraudulent transactions. Thanks to MitB, cybercriminals can make the transactions within the same online banking session as the real user, so they can do it quickly and cleanly. I say clean because the logs of the online banking application won't show any IP address other than the real user's, which means less evidence against the bad guys in a hypothetical court case, for example.

The whole MitB core was written in JavaScript, and the actions performed to make the fraudulent transaction are the following:

  • When the user goes to the account details screen, the information for all accounts (account number, type of account and balance) is grabbed and sent to the malicious server as a serialized array:

    ["maxCheck" = ["name" = "MY_ACCOUNT_NAME",
                   "check" = "MY_ACCOUNT_NUMBER",
                   "sum" = $$$],
     "allChecks" = [0 = ["name" = "MY_ACCOUNT_NAME",
                         "check" = "MY_ACCOUNT_NUMBER",
                         "sum" = $$$]
                   ]
    ]

  • Of all the possible accounts, the one with the most money is chosen as the preferred target (the maxCheck array).
  • Depending on the amount of money, the server answers in different ways. If there isn't much money it sends an empty response; otherwise it sends the details of a mule account. Besides this, the chosen mule is likely to change depending on the money range, perhaps to avoid detection through unusual transactions. A sample response could be this one:

    ["trans" = 1,
     "info" = ["check" = [0 = XXXX,
                          1 = XXXX,
                          2 = XX,
                          3 = XXXXXXXXXX],
               "sum" = 493,
               "name" = "Peter",
               "address" = "12 street, nº1 1ºA",
               "city" = "NY",
               "coment" = "Transfer"]
    ]

  • When the trans variable evaluates to true, the transaction is executed: transparently to the user, the legitimate transfer form is requested from the banking server and filled in with the mule's details. At this point the process stalls, waiting for a crucial piece of data from the user: the authentication code required to perform transactions.
  • As I've said, all the previous steps are transparent to the user, who only sees the injected HTML asking for their date of birth, email address and the authentication code. When the victim enters this code the transaction form is sent to the bank and the fraud is done.
  • To keep the user from noticing, there are some JavaScript functions that hide the real balance by adding the stolen sum back onto it.
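Because the fraudulent transfer runs inside the victim's own session, an IP-based check sees nothing; what remains is the behavioural pattern described above (overview of accounts, then a transfer from the highest-balance account to a never-seen payee moments later). The following is an added example of a server-side heuristic for that pattern, not code from the original post or from SpyEye; the log format, field names and the per-customer list of known payees are constructed for the example.

```python
from datetime import datetime

# Constructed sample session log: "timestamp session ip action details".
# S1 shows the MitB pattern: overview, then a transfer from the account with
# the highest balance to a never-seen payee seconds later, from the same IP.
SAMPLE_LOG = """\
2010-05-10T10:01:02 S1 203.0.113.7 overview acc=A1:sum=120.50;acc=A2:sum=5400.00
2010-05-10T10:01:09 S1 203.0.113.7 transfer from=A2 to=ES_MULE_0001 sum=493
2010-05-10T10:15:00 S2 198.51.100.3 overview acc=B1:sum=300.00
2010-05-10T10:31:00 S2 198.51.100.3 transfer from=B1 to=ES_KNOWN_0001 sum=50
"""
# Beneficiaries each customer has paid before (constructed, keyed by session id).
KNOWN_PAYEES = {"S1": set(), "S2": {"ES_KNOWN_0001"}}
WINDOW_SECONDS = 60  # the prepared form is submitted as soon as the code is typed

def parse_line(line):
    """Parse one log line: balances for an overview, form fields for a transfer."""
    ts, sid, ip, action, rest = line.split(" ", 4)
    rec = {"ts": datetime.fromisoformat(ts), "sid": sid, "ip": ip, "action": action}
    if action == "overview":
        rec["balances"] = {}
        for item in rest.split(";"):
            acc, total = item.split(":")
            rec["balances"][acc.split("=", 1)[1]] = float(total.split("=", 1)[1])
    elif action == "transfer":
        rec.update(kv.split("=", 1) for kv in rest.split())
        rec["sum"] = float(rec["sum"])
    return rec

def flag_sessions(log_text, known_payees, window=WINDOW_SECONDS):
    """Return {session_id: reason} for sessions matching the in-session fraud
    pattern: richest account -> new payee, within `window` seconds of the overview."""
    flagged, last_overview = {}, {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        sid = rec["sid"]
        if rec["action"] == "overview":
            last_overview[sid] = rec
        elif rec["action"] == "transfer" and sid in last_overview:
            ov = last_overview[sid]
            richest = max(ov["balances"], key=ov["balances"].get)
            elapsed = (rec["ts"] - ov["ts"]).total_seconds()
            new_payee = rec["to"] not in known_payees.get(sid, set())
            if rec["from"] == richest and new_payee and elapsed <= window:
                flagged[sid] = (f"{rec['sum']:.2f} from highest-balance account {richest} "
                                f"to new payee {rec['to']} {elapsed:.0f}s after overview "
                                f"(same IP {rec['ip']}, so no IP anomaly to rely on)")
    return flagged
```

Running flag_sessions(SAMPLE_LOG, KNOWN_PAYEES) flags only S1; S2 pays a known beneficiary a quarter of an hour after the overview and is left alone.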

I hadn't seen this technique in a real case yet, only in a static way, and I can say that it's good work, looking at it from a programming perspective...;) However, I have to admit that from a normal user's perspective it can be really scary. It's even scarier if binary detection is at 20%.

In this case the affected entities were Spanish, and the MitB was only implemented for one of them. There were also a lot of comments in the code - in some sections more than 15 lines - so I think they were running tests, successful tests... We'll be ready for more fun! ;)