Spyeye

Source Seattle 2011

Some days ago, Source Seattle (USA) took place. It is the first time it has taken place in Seattle and although the attendance couldn’t match the Boston conference, the atmosphere was magnificent. It began on Tuesday the 14th with an event for the speakers and organizers to get to know each other and enjoy a beer with some tasty Asian cuisine. I was the representative of the S21sec e-crime team with a speech about banking Trojans.

The talks began on Wednesday the 15th and the agenda was divided into two tracks, one dedicated to technical themes and the other centred on the business world. The first day, the following themes (amongst others) were touched on: evaluation of necessary expenses in security, the application of the law in cybercrime matters, threat modelling, forensic memory analysis of Android’s Dalvik Virtual Machine and my speech about the evolution of fraud through banking Trojans.

Spyeye using MitB to make fraudulent transactions

Recently our e-crime team has discovered that Spyeye is using Man in the Browser (MitB) techniques in order to make fraudulent transactions. Thanks to MitB, cybercriminals can make the transactions in the same online banking session as the real user, so they can do it in a quick and clean way. I say clean because the logs of the online banking application will show no IP addresses other than the real user's. That means less evidence in a hypothetical court case against the bad guys, for example.

The whole MitB core was written in JavaScript, and the actions performed to make the fraudulent transaction are the following:

  • When the user goes to the account details screen, the information (account number, type of account and balance) for all of the accounts is grabbed and sent to the malicious server in a serialized array:

    ["maxCheck" = ["name" = "MY_ACCOUNT_NAME",
                   "check" = "MY_ACCOUNT_NUMBER",
                   "sum" = $$$],
     "allChecks" = [ 0 = ["name" = "MY_ACCOUNT_NAME",
                          "check" = "MY_ACCOUNT_NUMBER",
                          "sum" = $$$]
                   ]
    ]


  • From all the possible accounts, the one with the most money is chosen as the preferred one (the maxCheck array).