| Field | Value |
|---|---|
| Subtype | keylogger, form grabber |
| Point of origin | Russia |
| Author(s) | Aleksandr Andreevich Panin, Hamza Bendelladj |
SpyEye is a malware program that targets users running Google Chrome, Opera, Firefox and Internet Explorer on Microsoft Windows. It uses keystroke logging and form grabbing to steal user credentials. With those credentials, SpyEye allows criminals to steal money from online bank accounts and to initiate transactions even while the legitimate user is logged into the account.
SpyEye can insert new fields into, and alter existing fields on, a web page as the compromised user's browser renders it, allowing it to prompt for user names, passwords or card numbers and so hand the operators information with which to steal money without the account holder noticing. It can also store a false balance for the user (with the fraudulent transactions hidden), so that on subsequent logins neither the fraudulent transactions nor the real balance is shown in the user's browser (the bank itself still sees the fraudulent transactions).
SpyEye originated in Russia in 2009 and was sold on underground forums for $500 and up; its advertised features included keyloggers, auto-fill credit card modules, email backups, encrypted config files, a Zeus killer, HTTP access, and POP3 and FTP grabbers.
Users and institutions in the United States, United Kingdom, Mexico, Canada and India were the largest groups of SpyEye victims; institutions in the United States accounted for 97% of the institutions that fell victim to the malware.
Authors of SpyEye
The creator of Zeus is believed to have announced that he was retiring and to have handed the Zeus source code, and the rights to sell it, to his biggest competitor, the creator of the SpyEye trojan; security experts warned that the retirement was a ruse and expected the developer to return with new tricks.
In 2016, Aleksandr Andreevich Panin, author of SpyEye, was arrested and sentenced to nine years and six months in prison.
Hamza Bendelladj, co-author of SpyEye, was also arrested and sentenced to prison; Bendelladj and Panin received a combined sentence of more than 24 years, and both men were charged with stealing hundreds of millions of dollars from banks around the world.
- Krebs, Brian (2011-04-26). "SpyEye Targets Opera, Google Chrome Users". Krebs on Security. Retrieved 2020-07-09.
- "Trojan: Win32/Spyeye". www.microsoft.com. 2011-06-14. Retrieved 2020-07-09.
- Kirk, Jeremy (2011-07-26). "SpyEye Trojan defeating online banking defenses". Computerworld. Retrieved 2020-07-09.
> In its latest versions, SpyEye has been modified with new code designed to evade advanced systems banks have put in place to try and block fraudulent transactions, said Mickey Boodaei, Trusteer's CEO. Banks are now analyzing how a person uses their site, looking at parameters such as how many pages a person looks at on the site, the amount of time a person spends on a page and the time it takes a person to execute a transaction. Other indicators include IP address, such as if a person who normally logs in from the Miami area suddenly logs in from St. Petersburg, Russia. SpyEye works fast, and can automatically and quickly initiate a transaction much faster than an average person manually on the website. That's a key trigger for banks to block a transaction. So SpyEye's authors are now trying to mimic -- albeit in an automated way -- how a real person would navigate a website.
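The bank-side indicators quoted above (pages viewed before a transfer, time from login to transfer, and a login location that differs from the customer's usual one) can be turned into a simple session scorer. This is an added illustration, not code from the article or from any bank or vendor it mentions; the event log, the customers and their usual locations are constructed sample data, and the thresholds are arbitrary assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (user, ISO timestamp, event type, detail).
# "detail" is a coarse login location for "login", a path for "page",
# and an amount for "transfer". Not real bank data.
SAMPLE_EVENTS = [
    ("alice", "2011-07-26T09:00:00", "login", "Miami"),
    ("alice", "2011-07-26T09:00:40", "page", "/accounts"),
    ("alice", "2011-07-26T09:01:30", "page", "/transfer"),
    ("alice", "2011-07-26T09:03:10", "transfer", "250.00"),
    ("bob", "2011-07-26T10:00:00", "login", "St. Petersburg"),
    ("bob", "2011-07-26T10:00:02", "page", "/transfer"),
    ("bob", "2011-07-26T10:00:04", "transfer", "4900.00"),
]
# Constructed per-customer history of where each one usually logs in from.
USUAL_LOCATION = {"alice": "Miami", "bob": "Miami"}


def _ts(s):
    return datetime.fromisoformat(s)


def score_session(events, usual_location, min_pages=2, min_seconds=60):
    """Score one user's time-ordered events; a higher score means the
    session looks more like an automated transfer than a human one.
    Thresholds (min_pages, min_seconds) are assumed values for the demo."""
    reasons = []
    login_time, pages = None, 0
    for user, ts, kind, detail in events:
        if kind == "login":
            login_time, pages = _ts(ts), 0
            if detail != usual_location.get(user, detail):
                reasons.append(f"login from {detail}, usually {usual_location[user]}")
        elif kind == "page":
            pages += 1
        elif kind == "transfer" and login_time is not None:
            elapsed = (_ts(ts) - login_time).total_seconds()
            if pages < min_pages:
                reasons.append(f"only {pages} page(s) viewed before transfer")
            if elapsed < min_seconds:
                reasons.append(f"transfer {elapsed:.0f}s after login")
    return len(reasons), reasons


def score_all(events, usual_location):
    """Group events by user, sort them by time and score each session."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[1]):
        by_user[ev[0]].append(ev)
    return {u: score_session(evs, usual_location) for u, evs in by_user.items()}
```

In the sample data alice's session scores 0 while bob's scores 3 (unusual location, a single page before the transfer, and a transfer four seconds after login), which is the kind of profile the quoted passage says later SpyEye versions tried to avoid by pacing their navigation.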
- Kirk, Jeremy (2012-01-04). "SpyEye Malware Borrows Zeus Trick to Mask Fraud". PC World. Retrieved 2020-07-09.
> SpyEye is notable for its ability to inject new fields into a Web page, a technique called HTML injection, which can ask banking customers for sensitive information they normally would not be asked. The requested data can include logins and passwords or a debit card number. It can also use HTML injection to hide fraudulent transfers of money out of an account by displaying an inaccurate bank balance. Trusteer noticed that SpyEye also hides fraudulent transactions even after a person has logged out and logged back into their account. The latest feature is designed with the same goal of keeping users unaware of fraud. The next time users log into their bank accounts, SpyEye will check its records to see what fraudulent transactions were made with the account, then simply delete them from the Web page, said Amit Klein, Trusteer's CEO. The account balance is also altered.
- Coogan, Peter (2010-02-04). "SpyEye Bot versus Zeus Bot". Symantec Official Blog. Retrieved 2020-07-09.
- Irinco, Bernadette (2011-09-14). "Trend Micro Researchers Uncover SpyEye Operation". Trend Micro. Retrieved 2020-07-09.
- Bartz, Diane (2010-10-29). "Top hacker 'retires'; experts brace for his return". Reuters. Retrieved 2010-12-16.
- Internet Identity (2010-12-06). "Growth in Social Networking, Mobile and Infrastructure Attacks Threaten Corporate Security in 2011". Yahoo! Finance. Retrieved 2010-12-16.
- Krebs, Brian (2016-04-20). "SpyEye Makers Get 24 Years in Prison". Krebs on Security. Retrieved 2017-03-23.
- Khandelwal, Swati. "Creators of SpyEye Virus Sentenced to 24 Years in Prison". The Hacker News. Retrieved 2017-06-20.