FBI uses Spear Phishing technique to plant malware in Suspect's system


It's not surprising that FBI uses malware to track the activities and location of suspects. A New article published by Washington Post covers the story about FBI using malware for surveillance to track suspect's movements.

FBI team works much like other hackers, targets suspects with the Spear Phishing technique that will attempt to exploit vulnerability in the target's machine and installs malware. The malware then collects information from the infected machine and send it back to FBI's server. The malware is also capable of covertly activating webcams.

In a bank fraud case, Judge Stephen Smith rejected FBI request to install spyware in the suspect's system in April.

Smith pointed out that using such kind of technologies ran the risk of accidentally capturing information of others who are not involved in any kind of illegal activity.

In another case, another judge approved the FBI's request in December 2012. The malware also successfully gathered enough information from the suspect's system and helped in arresting him.

In another case, July 2012, an unknown person who is calling himself "Mo" from unknown location made a series of threats to detonate bombs at various locations. He wanted to release a man who had been arrested for killing 12 people in a movie theater in the Denver suburb of Aurora, Colo.

After investigation, they found out Mo was using Google Voice to make calls to Sheriff , he also used proxy for hiding his real IP.

After further investigation, FBI found out Mo used IP address located in Tehran when he signed up for the email account in 2009. 

In December 2012, judge approved FBI's request that allowed the FBI to send email containing surveillance software to the suspect's email id. However, the malware failed to perform as intended.  But, Mo's computer sent a request for info to FBI's server from two different IP address.  Both suggested that he was still in Tehran.

SmsDetective SMS spying app for Android


TrendMicro researchers have come across a spytool which is currently available on Google Play, that is actively being discussed on certain hacker forums.

This tool’s beta version is available on the site since March 11. An estimated 500 – 1000 users have already downloaded the said spytool, which Trend Micro detects as ANDROIDOS_SMSSPY.DT.



This spytool gathers SMS messages from an infected mobile device and sends these to a remote FTP server at regular times set during the app’s installation.

As the app is still in its beta testing, spying on a mobile device using this tool poses certain challenges. First, it should be installed onto the target device without the victim knowing about it.

 Second, potential attackers would need to setup their own FTP servers, which may be difficult for those with less advanced IT knowledge.

SpyEye Trojan stole $3.2 million from U.S. victims ~ Discovered by TrendMicro

A Russian cybergang headed by a mysterious ringleader called 'Soldier' were able to steal $3.2 million from U.S. citizens earlier this year using the SpyEye-Zeus data-stealing Trojan, security company Trend Micro has reported.

Trend Micro researchers recently uncovered a cybercriminal operation involving SpyEye that began as early as January 2011. The said operation was orchestrated by “Soldier” (the cybercriminal’s handle), who is currently based in Russia. Trend Micro researchers had been monitoring Soldier and his activities since March 2011.

Based on investigation, this attack mainly targeted US users and some of those affected were large enterprises and institutions such as the US government and military. In fact, 97% of the affected corporations are based in the US. However, we have also observed affected organizations located in other countries such as the United Kingdom, Mexico, Canada, and India.

The SpyEye variant used in this attack is detected by Trend Micro as TSPY_SPYEYE.EXEI.

How much money was stolen?

According to Trend Micro research, the cybercriminal behind this attack was able to get more than $3.2 million dollars, or $17,000 per day, in the last 6 months with the help of accomplices and money mules. Money mules were recruited to transfer the money to the cybercriminals. To launder the money, the stolen money is passed by the cybercriminal to the accomplices situated in various locations then to the money mules and finally back to the cybercriminal. This is done so the cybercriminal won’t be easily track down by security researchers and law enforcement.



Once a system is infected, what does TSPY_SPYEYE.EXEI do?

Once installed, TSPY_SPYEYE.EXEI downloads a configuration file, which contains the websites that it monitors. Once users visit any of these monitored sites, it performs web injection and logs keystrokes to steal information from users. It also connects to specific URLs to send and receive information from a remote user. Once connected to these sites, it sends specific information such as operating system information, Internet Explorer (IE) version, account type, language ID, time zone etc.

What is SpyEye and how can I encounter this?

SpyEye is a commercially-sold toolkit which first emerged in 2009. Users may encounter SpyEye variants via various infection vectors such as blackhat search engine optimization (SEO), spam, and other malware to infect users’s systems. Its main routine is information, identity, and financial theft.

Trend Micro detects the binary files generated by SpyEye as TSPY_SPYEYE variants. When SpyEye first came out in the wild, it is thought of as the rival of another prevalent crimeware toolkit, ZeuS.


How do SpyEye malware steal information?

SpyEye downloads a configuration file on the infected systems. This configuration file contains the list of monitored websites. When users accessed any of the monitored websites, SpyEye performs Web injection to steal the data inputted by the users. It is also capable of capturing screenshots from the infected systems.


What is a web injection and how does it work?

In Web injection, SpyEye injects HTML code into the webpage to add form fields of other data that the cybercriminals want to steal. In the instance that users visit one of the monitored web sites, they would see an additional field(s) in the said site, asking for specific information other than logon credentials such as ATM or credit card number, email address, etc.




What kind of information do SpyEye variants steal?

Although SpyEye steals banking credentials, it is capable of stealing credentials related to different websites, such as Facebook, Twitter, Yahoo!, Google, eBay, and Amazon. It also gathers system information such as installed operating system, Internet Explorer version, timezone, and others. Furthermore, it is capable of capturing screenshots. This routine enables SpyEye to bypass authentication means and to gather data apart from online banking information. The stolen data are either used for other fraudulent activities or sold in the underground.

Why should I be concerned about SpyEye?

As an information stealer, SpyEye variants steal logon credentials and used this to initiate unauthorized transactions, such as an online fund transfer. Because of the web injection routine, users are also at risk of unwittingly giving out sensitive information, which are sold to the underground market and used for malicious purposes. In addition, SpyEye remains to be one of the prevalent malware to date. It can be sold commercially making it available to anyone who intends to steal information and hard-earned money of users.

SpyEye is known for targeting consumers, as well as small and medium businesses. However, large organizations are affected in this particular attack. It is possible that employees of large enterprises accessed their online bank accounts, and may have engaged in other online activities while using the work/business network, thus compromising its security. Furthermore, the stolen information from these large enterprises may be used to stage targeted attacks.
Are Trend Micro users protected from this attack?

Yes. Trend Micro provides a multi-layered protection via Trend Micro™ Smart Protection Network™. With Web reputation technology blocks all the malicious URLs where SpyEye variants may be downloaded. It also prevents access to all the URLs where the malware may download its configuration files. File reputation service detects and deletes all known SpyEye variants found on the affected system. For SpyEye variants that arrive via spam messages, the Email reputation service promptly blocks such messages even before it arrives on users' inboxes.
Trend Micro’s Threat Discovery Appliance (TDA) also protects users' networks by blocking malicious packets, such as C&C communication and upload of stolen information.
Home users can use Trend Micro’s HouseCall to scan and clean systems infected with malware components related to this attack. Similarly, Trend Micro’s Genericlean detects and cleans the malware components.

Users are advised to be wary of divulging any personal information online. It is also best not to access online bank accounts using a work network. For businesses, we recommend the use of various security layers such as firewall, gateway, messaging, network, server, endpoint, and mobile security for optimal protection against attacks like this.

As of this writing, Trend Micro researchers and analysts are collaborating with law enforcement agencies regarding the blocking of identified command and control servers related to SpyEye.

Source:TrendMicro

Android users will be next target !