Spyeye

Source Seattle 2011

Last week the Source conference was held in Seattle (United States). It was the first edition in this city, so attendance was not what the Boston edition can draw, but the atmosphere was magnificent. Starting on Tuesday the 14th there was already an event for speakers and organizers, with the aim of getting to know each other and enjoying some beers and good Asian food. I was the representative of the S21sec e-crime team, with a talk on banking trojans.

Spyeye using MitB to make fraudulent transactions

Recently our e-crime team has discovered that Spyeye is using Man in the Browser (MitB) techniques in order to make fraudulent transactions. Thanks to MitB, cybercriminals can make the transactions within the same online banking session as the real user, so they can do it quickly and cleanly. I say cleanly because the online banking application's logs will not contain any IP addresses other than the real user's. That means less evidence in a hypothetical court case against the bad guys, for example.

The whole MitB core was written in JavaScript, and the actions performed to make the fraudulent transaction are the following:

  • When the user goes to the account details screen, the information (account number, type of account and balance) for all of the accounts is grabbed and sent to the malicious server as a serialized array:

    ["maxCheck"  = ["name"  = "MY_ACCOUNT_NAME",
                    "check" = "MY_ACCOUNT_NUMBER",
                    "sum"   = $$$],
     "allChecks" = [0 = ["name"  = "MY_ACCOUNT_NAME",
                         "check" = "MY_ACCOUNT_NUMBER",
                         "sum"   = $$$]
                   ]
    ]

  • From all the possible accounts, the one with the most money is chosen as the preferred one (the maxCheck array).