Trusteer has reported a recent attack targeting Verizon customers. Malware on the victim's computer injects a fake billing page after the victim has logged into their account. That page requests personal financial details, which are then sent to the attacker and used for credit card fraud. According to Trusteer, the phished details include:
- First name, last name
- Street address, city, state, zip
- Phone number, phone type
- Email address
- Country of citizenship
- Social security number
- Date of birth
- Mother's maiden name
- Card number, expiration date and CVV
It pays to be suspicious of any request for personal information, even if it's coming directly from your online banking site. If you ever encounter such a request while banking online, close your browser and contact your bank in person or via a known trusted phone number and ask if the request was legitimate. Do not call using a phone number provided on the request form - if it is a phishing attempt that phone number will likely direct you to a criminal call center and not the actual bank.
The SpyEye trojan uses rootkit technology to hide its presence on the infected computer. SpyEye also disables or interferes with antivirus and other security software to further prevent detection. The SpyEye trojan includes a keylogger to capture keystrokes typed on infected computers. SpyEye launches a man-in-the-browser attack, injecting the malware into Internet Explorer, Firefox, Chrome and Opera.
The man-in-the-browser attack enables SpyEye to intercept and modify Web pages on the fly as well as inject new pages. It's like having a middleman sitting in your browser handling all your requests. So instead of going directly to a website address you type in, that middleman can modify the request and send you to a completely different site, or it can modify the Web page before it delivers it back to you, inserting malicious content in the process.
The SpyEye trojan is typically delivered via the Web, either by sending a malicious link via email (or IM, Twitter, etc.) or by compromising a legitimate website so that the legitimate website unwittingly delivers a "drive-by" infection when you visit that site. Controlling JavaScript from untrusted sites is one method that can prevent drive-by downloads. For example, Firefox users can install the free NoScript add-on, which will automatically disable JavaScript from all websites except those you explicitly allow.

How can NoScript, which I use, prevent delivery when done “by compromising a legitimate website so that the legitimate website unwittingly delivers a ‘drive-by’ infection when you visit that site”? Users would assume the website is legitimate… I also use Trusteer Rapport on all websites with a login; again, if the legitimate website is compromised, how would one know since permissions must be granted in NoScript to reach your desired content? And the Government wants my medical and financial records in the clouds… Maybe we should all go back to quill and parchment.
Hi BT,
Generally the compromised site only acts as a conveyor – it doesn’t host the actual malware files. An external reference to the malware is inserted on the compromised site. So if you allow JavaScript on the compromised site, it will only apply to that site and not to the external bad site that is secretly being referenced.
A more in-depth description is at the following link:
http://antivirus.about.com/od/securitytips/a/Website-Compromises-Understanding-Web-Malware.htm
In a nutshell, NoScript lets you use the legitimate site as you normally would, without fears of hidden scripts behind the scenes pulling malware from other sites.
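The per-site allow decision described in this reply can be modelled in a few lines. This is an added example, not part of the original post or of NoScript's code: it lists where a page would run script from and applies a simplified allow list. The host names, the sample page and the subdomain rule are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a page on an allowed site carrying two injected
# references to a third-party host (all names are placeholders).
PAGE_URL = "https://shop.example/account"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
</head><body>
<script>initCart();</script>
<iframe src="http://malware-host.invalid/landing" width="0" height="0"></iframe>
<script src="//malware-host.invalid/loader.js"></script>
</body></html>
"""

class ScriptOrigins(HTMLParser):
    """Record the host each <script> or <iframe> would execute script from."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []  # (tag, absolute URL or "inline", host)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        # Inline script has no src: it runs with the page's own origin.
        url = urljoin(self.page_url, src) if src else self.page_url
        self.found.append((tag, url if src else "inline", urlsplit(url).hostname))

def host_allowed(host, allowed):
    # Assumed, simplified rule: an allowed site covers itself and its subdomains.
    # URLs without a host (e.g. data:) are never allowed.
    return host is not None and any(
        host == a or host.endswith("." + a) for a in allowed)

def evaluate(html, page_url, allowed):
    """Return (tag, reference, host, verdict) for every script source in html."""
    parser = ScriptOrigins(page_url)
    parser.feed(html)
    return [(tag, ref, host, "allow" if host_allowed(host, allowed) else "block")
            for tag, ref, host in parser.found]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_HTML, PAGE_URL, {"shop.example"}):
        print(*row, sep="\t")
```

The inline row shows the limit of this control: script placed directly in a page on an allowed site runs with that site's permission, so the allow list only stops content pulled from hosts you have not allowed.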
My name is Alberto Canal, and I work for Verizon. I saw this story on SpyEye and Verizon and wanted to provide some important context.
It’s important to note that the SpyEye trojan is not caused by any problems with any Verizon owned or managed computer, system, or application.
No Verizon sites were infected, hacked or otherwise compromised. No Verizon store or repository of Verizon consumer information has been compromised in any way.
Instead, end users whose PCs are infected with SpyEye and who type credit card or other similar information on those infected PCs may have that personal information stolen by cyber criminals because those users’ computers are infected and thus compromised. There are no silver bullets, but common anti-virus software like Symantec and McAfee can detect and protect PCs from most SpyEye infections as well as from infection by other malicious code.