Attackers used the infamous SpyEye Trojan to target Verizon’s online billing page for nearly a week earlier this month, trying to nab users’ sensitive personal and financial information, researchers say.
The Trojan used a method of attack known as HTML injection to modify the pages presented in a victim’s browser. The malware waits for Verizon customers to log in to their online billing page and then injects a convincing replica page requesting credit card-related data. Because the victim is already logged in, they have no reason to suspect foul play, according to a blog post by Trusteer CTO Amit Klein.
Specifically, SpyEye is attempting to capture the names, addresses, phone types and numbers, email addresses, countries of citizenship, Social Security numbers, dates of birth, mother’s maiden names, card numbers, expiration dates, and CVVs of its victims.
A spokesman for Verizon stressed that the company’s site was not infected by the Trojan; instead, it was the users’ PCs that were infected by SpyEye, which was simply waiting for the users to visit specific sites, including Verizon’s.
“No Verizon sites were infected, hacked or otherwise compromised. Again, no Verizon store or repository of Verizon consumer information has been compromised in any way. Instead, end users whose PCs are infected with SpyEye and who type credit card or other similar information on those infected PCs may have had that personal information stolen by cyber criminals because those users’ computers are infected and thus compromised. There are no silver bullets, but common anti-virus software like Symantec and McAfee can detect and protect PCs from most SpyEye infections as well as from infection by other malicious code,” Alberto Canal of Verizon said in an email statement.
These sorts of attacks aren’t necessarily new, but according to Trusteer, they are indicative of a shift away from those that target individuals to steal their user names and passwords. More and more, attackers are targeting consumer machines, call center computers, or point of sale systems in order to steal payment and credit card data that they then use to “commit non card present fraud.”
This trend exposes a major flaw in Payment Card Industry Data Security Standards. According to Klein, these standards only require that endpoints run AV software; he recommends that enterprises consider implementing end-user education and browser-based security tools to supplement back-end risk and fraud management systems.